Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.

Just don't IoT

[tompaulco]

Just don't IoT. The anti-Nike slogan seems more appropriate in this case.

Re:

[smittyoneeach]

You make a vast sea of creepy soft child porn from pwned dolls in the Internet of Things seem as though it were a bad thing.

Re:Just don't IoT

[mlts]

Bingo.

1: Ransomware is on the rise, with new vectors.
2: There is zero incentive (financial or otherwise) for IoT vendors to do anything but lip service to security. As a PHB told me a few years ago, "show me where purchasing a padlock, a card access reader, or a secure appliance has ever shown a financial gain for any company other than to Assa-Abloy or a lock maker." Of course, this is fallacious reasoning, but it is pretty common.
3: Testing is abbreviated at best. The goal is to get the IoT devices to market fast... worry about glitches, bugs, and security items later, or maybe fix them in the 2.0 version.
4: There are no IoT security standards, or architectures [1].
5: There is no assurance about security, other than maybe a pretty lock icon, or "protected by 256 bit AES"... generic drivel. When I buy a padlock, I can buy one with "Sold Secure", "Insurance lock rated", or other ratings that the lock passed some heavy testing. When I have an electrical appliance, it is UL listed. There is no body that can show security compliance for an IoT device. So, I have nothing but the word of an advertiser.

All and all, IoT devices are a win/win for tracking companies and blackhats... but for the people shelling out cash for the devices? Not much. I don't have any BlueTooth light bulbs, nor deadbolts accessible from the Internet. And I plan to keep it that way. In fact, if I were to pay for an expensive fridge, it would be a fridge that used propane or natural gas, so a power outage would only turn off the light inside, not affect cooling.

[1]: An example of a reasonably secure architecture would be devices that communicated via BlueTooth or Wi-Fi to a hardened hub appliance, which then communicated to the Internet. This way, there would be no direct access from the outside to IoT devices, and the hub appliance could be configured with IDS/IPS rules to block out a compromised appliance.

Re:

[Opportunist]

As long as there is zero accountability, there is zero reason to do anything about it.

Whether a company does anything that cuts into their bottom line is similar to whether they break a law: What does it cost to do it vs. how likely is it to happen and what does it cost if if happens. If either of the latter two (usually the last one) is zero, it will not happen.

Re:

[TWX]

As long as there is zero accountability, there is zero reason to do anything about it.

This honestly should be consumer products safety issue, especially for things like the electronics in cars. Like how Microsoft should never have created a web browser so tied-in that it could serve as a vector into the heart of the operating system kernel itself, automakers should never have tied the infotainment systems into the body control and power control modules where anything on those computers could do anything to the operation of the vehicle.

Re:Just don't IoT

[Opportunist]

And as soon as you find a judge who actually understands enough of the matter to make such a decision we might see improvement.

Re:

[Zontar The Mindless]

IoT is useful. Imagine for example using your smartphone to heat up food on your commute home...

I already have [slashdot.org], and I didn't like what I imagined very much [slashdot.org].

Re:

[Chris Mattern]

Imagine for example using your smartphone to heat up food on your commute home

Cooking by remote control? Honestly, doesn't sound too practical. I'd have to have everything set up beforehand and it'd be just a simple to do it when I get there.

using it at the store to see what's low in your fridge so you know what to buy.

I have the latest tech on that. It's called a "grocery list." Only requires a pen and paper and it's abolutely unhackable!

Re:

[Chris Mattern]

No, don't be "that guy" [1d4chan.org]!

We should all strive to be like this guy. [1d4chan.org]

Re:

[Anonymous Coward]

Imagine for example using your smartphone to heat up food on your commute home, or using it at the store to see what's low in your fridge so you know what to buy.

You must be very lazy and have a terrible memory.

Re:

[Anonymous Coward]

Luddites? A lot of people replying to this IT people who know what it is like to get cut by the bleeding edge of tech.

Because there is little to no security in place, the same app that allows food to be heated up will be used by a bad guy to start a fire. The inventory in the fridge? Sold to the insurance companies as an excuse to jack up rates.

IoT allows an attacker from anywhere in the world to attack you personally; a punch in the nose. Your thermostat can be turned off while you are out on vacation,

Re:

[kheldan]

No, see, YOU are the one who is stupid. I'll bet cash money that you've lived your entire life without anything bad ever happening to you, and as a result you firmly believe that The World Is Your Oyster, never a single serious thought for what could go wrong, skating through life with Rose Colored Glasses on. Chances are you're under 30. In your opinion, 'bad things' are what happen to other people, and it's due to something they did wrong, so they get what they deserve, isn't that right Mister AC? Well I

Re:

[mlts]

That precedent is an uphill battle. Most devices will come with some type of EULA to use the "software" on the item, which has been proven in court to make software makers sue-proof.

The fact that there are EULAs that allow IoT devices to have unfettered access info, and allow third parties to have it is another reason those devices need to remain at the store.

Re:

[mlts]

In the UK, "Insurance lock rated" means something. It means that a bike or moped that was secured with the lock would be covered as a condition of the insurance policy.

Here in the US, it doesn't mean that much, as there are fewer third party testers, so the next best thing is to use Europe's, which do mean something other than advertising hype.

"finding some device data and called that a hack."

[Nutria]

Well... the CEO is either right, or he's baited every hacker this side of Timbuktu into hacking those Barbie servers.

Good thing my daughter has outgrown Barbie!!!

Re:

[Opportunist]

Thank god, mine's more into MLP.

That's not a line you can use often, so I could not resist.

Re: "finding some device data and called that a ha

[Mal-2]

Are you sure it's so much better to be pwnied?

Re:

[Opportunist]

I don't judge people, what they do in the privacy of their bedroom is their own thing.

Just PLEASE keep it out of my view. The mental images alone are enough to keep me awake at night.

Social Services monitoring?

[Anonymous Coward]

What happens if kids start saying things like "my parents beat me" to these dolls?

Do child protection services come knocking, or does the company turn a blind eye?

Both options have important implications.

Re:

[Anonymous Coward]

Well, this was proved fairly recently by a certain school district that was using their laptops they issued to kids to spy on them when they were at home in their own bedrooms at night. No one knew about it until the police showed up at some kid's door because they had been eating tic-tacs and the person spying thought it was a suicide attempt and that the kid was eating a bunch of pills. They found many gigabytes of stored data of children in their bedrooms at nights (think of the implications) and yet n

This is so cool!

[fustakrakich]

I can hardly wait for WIFI Chucky!

Colonel Steve Austin

[zenlessyank]

is going to be pissed off.

Barbie, the new Furby?

[Chas]

Guessing these will be banned from government facilities too...

Re:

[drinkypoo]

Haha, hilarious. The furby couldn't even record anything, so it wasn't a security threat to anything. All they did was pass tokens back and forth (Via IR, IIRC) that enabled them to "speak" more of their preprogrammed "words." A Barbie with WiFi is an actual threat.

Step away from the Barbie

[PopeRatzo]

Something tells me it's not just going to be little girls that will get spied upon:

https://i.ytimg.com/vi/ijiNDZy... [ytimg.com]

Re:

[Opportunist]

I start to pity the eavesdroppers.

Also a line that you don't get to use too often...

Oh PLEASE make them swear

[Opportunist]

For a change, soccer moms with too much spare time and nothing to do but protecting their precious little snowflakes could become useful.

HAIL SATAN

[drinkypoo]

For a change, soccer moms with too much spare time and nothing to do but protecting their precious little snowflakes could become useful.

Swearing? Nobody cares. That shit is on the radio now, at least some of it. Interfering with religious indoctrination? THAT will get the religious wingnuts up in arms with their burning crosses.

Re:

[Zontar The Mindless]

I couldn't care less about a fucking Barbie doll getting owned.

People who get them for their kids might care. But, wait--

These things scream of bad parenting - people who buy those spend 75 dollars to avoid talking to their children. If you find yourself buying one of these things, you have much bigger problems to worry about than someone getting your SSID.

Seems to me you're the one with the issues. Kids, can you say, "False dichotomy"?

Re:

[Zontar The Mindless]

I don't think so [nytimes.com]:

...Mr. Dear [shooter] was raised as a Baptist, Ms. Ross [ex-wife] said in an interview in Goose Creek, S.C., where she now lives. He was religious but not a regular churchgoer, a believer but not one to harp on religion. “He believed wholeheartedly in the Bible,” she said. “That’s what he always said; he read it cover to cover to cover.”

Great!

[martin-boundary]

Can anyone say "pedophile-in-the-middle attack"?

Looks like it's time to short Mattel stock.

The birds and bees

[Tablizer]

"Daddy, what's a 'boner pill discount'?"

"An enthusiastic researcher"

[fremsley471]

Another one to add to the list of great euphemisms.

Obligatory joke

[fph il quozientatore]

In Soviet Russia, doll owns you!

Re:

[Solandri]

In 1945, the Soviets spied on the U.S. by giving The Thing [wikipedia.org] to the U.S. Ambassador.
In 2015, the U.S. will spy on the Russians by giving a Barbie doll to the Russian ambassador's daughter.

6000 signatures!

[thegarbz]

Did they go door knocking? Have they not heard of the internet? Or do people really really not care?

The summary writes it as if I'm supposed to be impressed by that number but I can't figure out why.

The future of toys

[Anonymous Coward]

doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Siri, Cortana and Barbie ended up in the same room. They became jealous of the user and destroyed the kitchen blender. The retaliation of the other smart appliances were swift and brutal.

But, pedophiles...

[GuB-42]

We just need a story about how pedophiles can hack the network and use it to abuse little girls and soon enough people will be up in arms.
It doesn't even have to be true.

STEM problem solved

[Spugglefink]

Hack the dolls to say, "Why are you playing with a doll instead of learning calculus?" Then have the dolls teach little girls calculus. Instantly the STEM fields will be bristling with billions of eager girls who love to dress calculus in pretty pink clothes, and take it to the mall.

Calculus will become a bigger hit than Miley Cyrus having a wardrobe malfunction.

Exact words...

[Chris Mattern]

"No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge."

And we're going to do our damnedest to make sure we never find out, either.

R00tz Asylum @ defcon FTW

[Minupla]

This is why I'm glad I've been taking my 7 yr old daughter to defcon's kids track since she was 4. She's been taught the importance of online privacy by the type of folks who could perform this hack. She'd yell at me for buying her this type of gift.

Seriously, EFF co-sponsors the track each year and it's a good annual inoculation against the dumb messages society tries to pump into her head. She's way more sensible about such things then most adults, nevermind 7 yr olds, and we have a shared vocabulary for having discussions around privacy and maintaining control of her own personal information.

Min

Re:

[Cthefuture]

Yeah right. Contact us in 10 years and tell us how your grandkids are doing. If not that, then how much prison time she has left.

(for anyone less experienced: the difference between a prepubescent drone and a post-pubescent walking-hormone is quite stark)... biology is an impossible, unpredictable, power. The fact that you think you know better tells of her future.

Sorry but there is probably no way to for you to understand this until you experience it. Good luck, padawan.

Re:

[Minupla]

Be that as it may, I find it hard to concieve of any situation in life where she will be at in a worse position for having:

a) Had an involved parent who spent time with her doing such things
b) Be a more informed human being.

I cannot predict the future. The FSM knows that I couldn't have predicted mine when I was seven, but I do know I never did more poorly for being better informed.

Min

Re:

[LittleDarkElf]

That's way too weird... My kid knows not to share important info about him and his family which makes me feel that he's safe. [mirat.eu]

Buy, hack, return to store.. sure they are secure.

[Daniel Matthews]

The claim that the servers are invulnerable is ridiculous, and it also ignores some more obvious weaknesses in the system that are easily exploited.

Would all returned dolls go back to the factory or be destroyed? I doubt it very much, they will go straight back on the shelf if they, and their packaging, is in perfect condition.

There is so much about the IoT doll idea that is creepy or unhealthy. Why would anyone think that having WiFi energy in a bedroom, so near the brain of a sleeping child, was a g

When the first predator

[treczoks]

When the first predator manages to groom a little girl via a hacked barbie, this kind of toys will be history.

Rosebud!

[martinfb]

"Command received and understood! Will commence programmed task!. Rosebud! redruM!" My Barbie told me to do it!