Will Barbie Be Hackers’ New Plaything?

Using an Internet connection and speech-recognition technology, Hello Barbie, the latest iteration of Mattel’s 56-year-old franchise, does more than speak at the press of a button: [...] the makers of the doll face a much bigger challenge, albeit one they’ve created — protecting children’s safety and privacy when they’ve essentially put a WiFi-enabled computer in their hands. Hello Barbie is a part of the Internet of Things: a rapidly expanding market including light bulbs, security cameras and refrigerators all connected to the Web. Researchers and vandals have proven as much by remotely shutting off Web-connected cars, demonstrating they can take over hospital drug-infusion pumps, and commandeering baby monitors to scream at toddlers. Earlier this year, hackers proved they could take control of the Internet-connected doll My Friend Cayla and make it ignore its “bad words list” — reportedly causing it to curse. If Hello Barbie succeeds in the marketplace, other toy makers will take that as a sign that they, too, should employ similar tactics. All of them rely on what the company insists is consumer-grade artificial intelligence — a type of high-tech decision tree that allows Barbie to respond with one of thousands of prerecorded statements. To make that happen in seconds, data is sent to and from ToyTalk’s servers, where conversations are stored for two years from the time a child last interacted with the doll or a parent accessed a ToyTalk account, according to the company. Data from those recordings might be shared with ToyTalk’s vendors in order to conduct speech-recognition research and process information, according to the company’s privacy policy. Even if parents choose not to snoop, Hello Barbie data might eventually become public — perhaps in court proceedings as common as divorce cases. “No device is 100 percent secure, but what we have done is given a lot of thought to the security and we’ve done all we can to make it as unattractive as possible” for people to crack into it. The information travels through a secure tunnel, protected at each end by cryptographic protocols and digital certificates intended to make sure that even if a child’s conversation is intercepted, the data will be gibberish to eavesdroppers. Hello Barbie, for instance, stores WiFi credentials — everything a hacker would need to gain access to a network — on its chipset. If a bad actor can gain access to a network — whether it’s home WiFi or at a parent’s workplace — he or she can intercept information moving across it. If mom or dad worked at a bank, “you could [potentially] grab credit card numbers, or other personally identifiable information,” Hay said. In June, Hay led an OpenDNS study that cataloged numerous inconspicuous devices often overlooked by office IT folks — including children’s LeapFrog laptops — found on workplace networks. “We need to stop blindly assuming that putting software and connectivity into everything is a good idea,” said Josh Corman, co-founder of I Am The Cavalry, an industry group urging carmakers and others to focus on cybersecurity. [...] if they don’t, outside security researchers will have no formal way to alert ToyTalk or Mattel about bugs, and little incentive. Shutting the door on the goodwill of security researchers wouldn’t stop them from testing out the device to keep it safe from criminals, said Brian Martin, the director of vulnerability intelligence at Risk Based Security. In the early ’90s, the Barbie Liberation Organization swapped Barbie’s voice boxes with G.I.