Barbie might look all wide-eyed and trustworthy, but she could be inviting hackers into your home. California researchers say they discovered new "vulnerabilities" in the Internet services that support the high-tech talking Barbie.
Hello Barbie, released in November 2015, uses voice recognition to identify sentences and phrases spoken to the doll. It responds with lines of pre-recorded dialogue. The interchange mostly happens in the cloud, on remote servers. No audio is stored on the toy.
The talking doll initially sparked fears that hackers could hijack the toy and spy on homes. In fact, researchers previously found that they could intercept and decrypt communications between the doll and ToyTalk's servers. But the problem has since been fixed.
This time around, security experts in San Diego found that the toy itself was relatively secure, employing encryption and keeping sensitive information off the doll's hardware. But the company "failed to ... properly harden their web services" linked to Hello Barbie, noted a blog post at the firm Somerset Recon. Most of the vulnerabilities existed in web services or on ToyTalk's web site.
Researchers were able to break into a user's account by guessing passwords repeatedly without ever being locked out. Password requirements were relatively simple, making passwords easier to guess. They also claim they could determine whether a given email address had a Hello Barbie account. In addition, investigators could redirect users to potentially malicious sites, and were able to take control of accounts — but ToyTalk says both of those problems have since been fixed, and engineers are working to fix others.
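The weaknesses listed above are generic web-service hardening gaps: no lockout on repeated failed logins, a weak password policy, a login response that reveals whether an email is registered, and redirects to attacker-chosen sites. The following is an added illustration of how a service can close each of them; it is example code written for this page, not ToyTalk's or Somerset Recon's code, and the thresholds, the `LoginService` class and the allowed redirect host are assumptions.

```python
"""Added example (not ToyTalk code): a minimal login service that closes the
four weakness classes described above: brute-force without lockout, weak
password policy, account enumeration via the login response, and open
redirects. All limits and hostnames below are assumed values."""
import hashlib
import hmac
import os
import time
from urllib.parse import urlparse

MAX_FAILED = 5            # assumed: failures before an account is locked
LOCKOUT_SECONDS = 900     # assumed: 15-minute lockout window
MIN_PASSWORD_LEN = 12     # assumed minimum length
PBKDF2_ROUNDS = 100_000
# Constructed deny-list; a real deployment would use a much larger one.
COMMON_PASSWORDS = {"password1234", "hellobarbie1", "barbie123456"}
# Hypothetical allow-list of hosts a post-login redirect may point to.
ALLOWED_REDIRECT_HOSTS = {"example.invalid"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_meets_policy(password):
    """Reject short passwords and a deny-list of common ones."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in COMMON_PASSWORDS


def safe_redirect_target(target, default="/"):
    """Only allow same-site relative paths or https URLs on allowed hosts;
    anything else (including protocol-relative //host and backslash tricks)
    falls back to the default page, which prevents open redirects."""
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return default
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


class LoginService:
    def __init__(self):
        self._users = {}     # email -> (salt, digest)
        self._failures = {}  # email -> (failed_count, locked_until)
        # Dummy credential so an unknown email costs the same hashing work
        # as a known one (no timing-based enumeration).
        self._dummy = hash_password("dummy-credential-for-uniform-timing")

    def register(self, email, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._users[email] = hash_password(password)

    def login(self, email, password, now=None):
        """Returns 'ok', 'invalid' or 'locked'. 'invalid' is returned for
        both a wrong password and an unknown email, so the response does
        not reveal which addresses have accounts."""
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(email, (0, 0.0))
        if locked_until:
            if now < locked_until:
                return "locked"
            count, locked_until = 0, 0.0  # lockout expired, start fresh
        salt, digest = self._users.get(email, self._dummy)
        _, candidate = hash_password(password, salt)
        # compare_digest runs in constant time; the membership check is
        # evaluated after it so the hash is always computed.
        ok = hmac.compare_digest(candidate, digest) and email in self._users
        if ok:
            self._failures.pop(email, None)
            return "ok"
        count += 1
        if count >= MAX_FAILED:
            locked_until = now + LOCKOUT_SECONDS
        self._failures[email] = (count, locked_until)
        return "invalid"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("parent@example.invalid", "correct-horse-battery-staple-42")
    for _ in range(MAX_FAILED):
        print(svc.login("parent@example.invalid", "wrong-guess"))   # invalid x5
    print(svc.login("parent@example.invalid", "correct-horse-battery-staple-42"))  # locked
    print(safe_redirect_target("//evil.invalid/phish"))  # /
```

The lockout is keyed by email here; a production service would also throttle by source address and emit an alert when an account trips the limit, since a burst of lockouts across many accounts is the detection signal for a credential-guessing campaign.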
The company says it welcomes such information so bugs can be fixed. But Somerset Recon managers believe if their researchers found the flaws, other hackers could have gotten there first.
ToyTalk has launched a "bug bounty" program, offering rewards to hackers who find flaws. "ToyTalk openly engages with the security community and actively encourages feedback from it, which we take very seriously," ToyTalk spokesman Tom Sarris told Vice's Motherboard.
The Somerset Recon researchers suggest that parents use a strong password for their Hello Barbie account, only use the doll on a trusted, password-protected wireless network, and understand the risks of storing any personal information on a remote server.