
Hello Barbie Doll Can Be Hacked


The Barbie doll seems to be among the most benign toys on the planet. One of its new incarnations is not. The Hello Barbie, made by Mattel Inc. (NYSE: MAT), could be the target of hackers.

Barbie first appeared in 1959. Since then, Mattel has sold tens of millions of the dolls in dozens of incarnations, ranging from ones that can talk to ones that eat Oreos. Modern technology allowed Mattel to create a Barbie with advanced voice recognition. The Hello Barbie toy has a microphone and speaker in its necklace and a power button on its belt. Mattel says the doll cannot be used without parental approval. It comes with an app that allows conversation via Wi-Fi. It is this Wi-Fi application that makes Hello Barbie a target for malicious hackers.

Wi-Fi security expert Andrew Blaich wrote at tech site Bluebox:

For any connected device, strong security must take into account not just the device itself, but the full scope of apps and infrastructure associated with it. Along with independent security researcher Andrew Hay, Bluebox Labs has examined the security of the mobile components of Hello Barbie. This joint research covers the mobile app, both iOS and Android versions, developed by Mattel partner ToyTalk as well as communications between the app and cloud-based servers.

We discovered several issues with the Hello Barbie app including:

It utilizes an authentication credential that can be re-used by attackers
It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers.
The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Barbie has become a sort of dangerous, portable, crude smartphone device priced at $79.44, its innocence destroyed.
