Hello Barbie Doll Can Be Hacked

By Douglas A. McIntyre

The Barbie doll seems to be among the most benign toys on the planet. One of its new incarnations is not. The Hello Barbie, made by Mattel Inc. (NYSE: MAT), could be the target of hackers.

Barbie first appeared in 1959. Since then, Mattel has sold tens of millions of the dolls in dozens of incarnations, ranging from ones that can talk to ones that eat Oreos. Very modern technology allowed Mattel to create a Barbie with advanced voice recognition. The Hello Barbie toy has a microphone and speaker in its necklace and a power button on its belt. Mattel says the doll cannot be used without parental approval. It comes with an app that allows conversation via Wi-Fi. It is this Wi-Fi application that makes Hello Barbie a target for malicious hackers.

Wi-Fi security expert Andrew Blaich wrote at tech site Bluebox:

For any connected device, strong security must take into account not just the device itself, but the full scope of apps and infrastructure associated with it. Along with independent security researcher Andrew Hay, Bluebox Labs has examined the security of the mobile components of Hello Barbie. This joint research covers the mobile app, both iOS and Android versions, developed by Mattel partner ToyTalk as well as communications between the app and cloud-based servers.

We discovered several issues with the Hello Barbie app including:

- It utilizes an authentication credential that can be re-used by attackers
- It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
- It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

- Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers.
- The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Barbie has become a sort of dangerous, portable, crude smartphone device priced at $79.44, its innocence destroyed.
