Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports (bt.com) 90

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.

This discussion has been archived. No new comments can be posted.

Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports

Comments Filter:
  • Just don't IoT (Score:4, Insightful)

    by tompaulco ( 629533 ) on Saturday November 28, 2015 @10:24PM (#51020289) Homepage Journal
    Just don't IoT. The anti-Nike slogan seems more appropriate in this case.
    • You make a vast sea of creepy soft child porn from pwned dolls in the Internet of Things seem as though it were a bad thing.
    • Re:Just don't IoT (Score:5, Insightful)

      by mlts ( 1038732 ) on Saturday November 28, 2015 @11:00PM (#51020413)

      Bingo.

      1: Ransomware is on the rise, with new vectors.
      2: There is zero incentive (financial or otherwise) for IoT vendors to do anything but lip service to security. As a PHB told me a few years ago, "show me where purchasing a padlock, a card access reader, or a secure appliance has ever shown a financial gain for any company other than to Assa-Abloy or a lock maker." Of course, this is fallacious reasoning, but it is pretty common.
      3: Testing is abbreviated at best. The goal is to get the IoT devices to market fast... worry about glitches, bugs, and security items later, or maybe fix them in the 2.0 version.
      4: There are no IoT security standards, or architectures [1].
      5: There is no assurance about security, other than maybe a pretty lock icon, or "protected by 256 bit AES"... generic drivel. When I buy a padlock, I can buy one with "Sold Secure", "Insurance lock rated", or other ratings that the lock passed some heavy testing. When I have an electrical appliance, it is UL listed. There is no body that can show security compliance for an IoT device. So, I have nothing but the word of an advertiser.

      All and all, IoT devices are a win/win for tracking companies and blackhats... but for the people shelling out cash for the devices? Not much. I don't have any BlueTooth light bulbs, nor deadbolts accessible from the Internet. And I plan to keep it that way. In fact, if I were to pay for an expensive fridge, it would be a fridge that used propane or natural gas, so a power outage would only turn off the light inside, not affect cooling.

      [1]: An example of a reasonably secure architecture would be devices that communicated via BlueTooth or Wi-Fi to a hardened hub appliance, which then communicated to the Internet. This way, there would be no direct access from the outside to IoT devices, and the hub appliance could be configured with IDS/IPS rules to block out a compromised appliance.

      • As long as there is zero accountability, there is zero reason to do anything about it.

        Whether a company does anything that cuts into their bottom line is similar to whether they break a law: What does it cost to do it vs. how likely is it to happen and what does it cost if if happens. If either of the latter two (usually the last one) is zero, it will not happen.

        • by TWX ( 665546 )

          As long as there is zero accountability, there is zero reason to do anything about it.

          This honestly should be consumer products safety issue, especially for things like the electronics in cars. Like how Microsoft should never have created a web browser so tied-in that it could serve as a vector into the heart of the operating system kernel itself, automakers should never have tied the infotainment systems into the body control and power control modules where anything on those computers could do anything to the operation of the vehicle.

  • by Nutria ( 679911 ) on Saturday November 28, 2015 @10:30PM (#51020307)

    Well... the CEO is either right, or he's baited every hacker this side of Timbuktu into hacking those Barbie servers.

    Good thing my daughter has outgrown Barbie!!!

    • by Anonymous Coward on Saturday November 28, 2015 @11:05PM (#51020423)

      What happens if kids start saying things like "my parents beat me" to these dolls?

      Do child protection services come knocking, or does the company turn a blind eye?

      Both options have important implications.

      • by Anonymous Coward

        Well, this was proved fairly recently by a certain school district that was using their laptops they issued to kids to spy on them when they were at home in their own bedrooms at night. No one knew about it until the police showed up at some kid's door because they had been eating tic-tacs and the person spying thought it was a suicide attempt and that the kid was eating a bunch of pills. They found many gigabytes of stored data of children in their bedrooms at nights (think of the implications) and yet n

  • by fustakrakich ( 1673220 ) on Saturday November 28, 2015 @10:34PM (#51020323) Journal

    I can hardly wait for WIFI Chucky!

  • is going to be pissed off.
  • Guessing these will be banned from government facilities too...

    • Haha, hilarious. The furby couldn't even record anything, so it wasn't a security threat to anything. All they did was pass tokens back and forth (Via IR, IIRC) that enabled them to "speak" more of their preprogrammed "words." A Barbie with WiFi is an actual threat.

  • Something tells me it's not just going to be little girls that will get spied upon:

    https://i.ytimg.com/vi/ijiNDZy... [ytimg.com]

  • For a change, soccer moms with too much spare time and nothing to do but protecting their precious little snowflakes could become useful.

    • For a change, soccer moms with too much spare time and nothing to do but protecting their precious little snowflakes could become useful.

      Swearing? Nobody cares. That shit is on the radio now, at least some of it. Interfering with religious indoctrination? THAT will get the religious wingnuts up in arms with their burning crosses.

  • by martin-boundary ( 547041 ) on Sunday November 29, 2015 @01:16AM (#51020655)
    Can anyone say "pedophile-in-the-middle attack"?

    Looks like it's time to short Mattel stock.

  • "Daddy, what's a 'boner pill discount'?"

  • Another one to add to the list of great euphemisms.

  • In Soviet Russia, doll owns you!
    • In 1945, the Soviets spied on the U.S. by giving The Thing [wikipedia.org] to the U.S. Ambassador.
      In 2015, the U.S. will spy on the Russians by giving a Barbie doll to the Russian ambassador's daughter.
  • Did they go door knocking? Have they not heard of the internet? Or do people really really not care?

    The summary writes it as if I'm supposed to be impressed by that number but I can't figure out why.

  • by Anonymous Coward

    doll can respond appropriately. The doll also remembers the user's likes and dislikes.

    Siri, Cortana and Barbie ended up in the same room. They became jealous of the user and destroyed the kitchen blender. The retaliation of the other smart appliances were swift and brutal.

  • by GuB-42 ( 2483988 ) on Sunday November 29, 2015 @09:00AM (#51021527)

    We just need a story about how pedophiles can hack the network and use it to abuse little girls and soon enough people will be up in arms.
    It doesn't even have to be true.

  • by Spugglefink ( 1041680 ) on Sunday November 29, 2015 @09:27AM (#51021613)

    Hack the dolls to say, "Why are you playing with a doll instead of learning calculus?" Then have the dolls teach little girls calculus. Instantly the STEM fields will be bristling with billions of eager girls who love to dress calculus in pretty pink clothes, and take it to the mall.

    Calculus will become a bigger hit than Miley Cyrus having a wardrobe malfunction.

  • by Chris Mattern ( 191822 ) on Sunday November 29, 2015 @09:34AM (#51021625)

    "No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge."

    And we're going to do our damnedest to make sure we never find out, either.

  • by Minupla ( 62455 ) <minupla@gmail.PASCALcom minus language> on Sunday November 29, 2015 @11:13AM (#51021883) Homepage Journal

    This is why I'm glad I've been taking my 7 yr old daughter to defcon's kids track since she was 4. She's been taught the importance of online privacy by the type of folks who could perform this hack. She'd yell at me for buying her this type of gift.

    Seriously, EFF co-sponsors the track each year and it's a good annual inoculation against the dumb messages society tries to pump into her head. She's way more sensible about such things then most adults, nevermind 7 yr olds, and we have a shared vocabulary for having discussions around privacy and maintaining control of her own personal information.

    Min

    • Yeah right. Contact us in 10 years and tell us how your grandkids are doing. If not that, then how much prison time she has left.

      (for anyone less experienced: the difference between a prepubescent drone and a post-pubescent walking-hormone is quite stark)... biology is an impossible, unpredictable, power. The fact that you think you know better tells of her future.

      Sorry but there is probably no way to for you to understand this until you experience it. Good luck, padawan.

      • by Minupla ( 62455 )

        Be that as it may, I find it hard to concieve of any situation in life where she will be at in a worse position for having:

        a) Had an involved parent who spent time with her doing such things
        b) Be a more informed human being.

        I cannot predict the future. The FSM knows that I couldn't have predicted mine when I was seven, but I do know I never did more poorly for being better informed.

        Min

    • That's way too weird... My kid knows not to share important info about him and his family which makes me feel that he's safe. [mirat.eu]
  • The claim that the servers are invulnerable is ridiculous, and it also ignores some more obvious weaknesses in the system that are easily exploited.

    Would all returned dolls go back to the factory or be destroyed? I doubt it very much, they will go straight back on the shelf if they, and their packaging, is in perfect condition.

    There is so much about the IoT doll idea that is creepy or unhealthy. Why would anyone think that having WiFi energy in a bedroom, so near the brain of a sleeping child, was a g
  • When the first predator manages to groom a little girl via a hacked barbie, this kind of toys will be history.

  • "Command received and understood! Will commence programmed task!. Rosebud! redruM!" My Barbie told me to do it!

To stay youthful, stay useful.

Working...