
Hello Barbie, Hackers Calling

December 10, 2024         By: Steven Anderson

One of the biggest toys of the 2015 holiday shopping season is Hello Barbie, a connected toy that offers its users plenty of fun.

The doll uses a combination of Wi-Fi connectivity and speech recognition technology to allow Barbie to essentially talk to its users, holding conversations, playing various games, and even sharing stories and jokes back and forth.

Sounds like the kind of thing some girls would have loved to have back when they were young, but a new report finds that Hello Barbie may be the perfect access point for hackers.

With Barbie now serving as what amounts to a Wi-Fi hub, hackers of the more ethical variety turned their attention to how much security Barbie was packing, and the answer wasn’t good. Essentially, the app that drives Barbie would connect a user’s phone to any network with the word “Barbie” in its name.

This in turn means it wouldn’t take much for more malicious users to create their own Barbie Wi-Fi hub, get full access to a device, and start plundering data while the user believes he or she is setting up a Hello Barbie system.

Worse, the connection between the doll and its parent servers at ToyTalk was found to be problematic as well. All Hello Barbie units, as it turns out, use the same built-in password to authenticate the app with the doll, making it that much easier to make an unauthorized connection. Also of concern is what’s known as a POODLE attack, a kind of interception of traffic between the doll and its intended destination, the ToyTalk servers.

To ToyTalk’s credit, it seems to have addressed many of the issues found by the various ethical hackers, and many of the issues may have been overblown anyway. As ToyTalk’s CTO and cofounder Martin Reddy notes, any hacking that could have taken place really only could have hit in the few minutes that users take to connect a doll to a Wi-Fi network.

Many of the objections with Hello Barbie seem to be similar to those seen throughout the development of the Internet of Things. Every new potential access point for a network is a new potential access point for hackers. Protecting against such things is therefore deeply important, and the kind of thing we can’t take too seriously.

While admittedly the dangers posed by Hello Barbie are slim and already being fixed in many cases, it simply reinforces all the old saws about protecting against online threats. Change passwords regularly or use a password manager, watch accounts carefully for unusual spending, and so on.

While some may feel the best solution is to stay away from Hello Barbie altogether, such a plan will only go so far. Connected appliances in general are increasingly available, and any of these points may be an access point for hackers.

It’s worth considering, therefore, that mobile payments data should be relegated to a special device, used only for such purposes and otherwise unconnected to the network. A headache, granted, but better security.

Whether it’s a fridge or a television or a particularly bright Barbie doll, connected devices can deliver impressive value for users. These devices can also deliver trouble, so for those planning to buy a Hello Barbie for Christmas, don’t forget to consider the security measures such a toy will need as well.