Skip to content
Biz & IT

Internet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bug

Internet-of-Things security comes to children’s toys. What could possibly go wrong?

Dan Goodin | 51
Story text

The dreaded Hello Barbie. Credit: Mattel
A recent review of the Internet-connected Hello Barbie doll from toymaker Mattel uncovered several red flags. Not only did the toy use a weak authentication mechanism that made it possible for attackers to monitor communications the doll sent to servers, but those servers were also vulnerable to POODLE, an attack disclosed 14 months ago that breaks HTTPS encryption.

The vulnerabilities, laid out in a report published Friday by security firm Bluebox Labs, are the latest black eye for so-called “Internet of Things” devices. The term is applied to appliances and other everyday devices that are connected to the Internet, supposedly to give them a wider range of capabilities. The Hello Barbie doll is able to hold real-time conversations by uploading the words a child says to a server. Instant processing on the server then allows the doll to provide an appropriate response.

Bluebox researchers uncovered a variety of weaknesses in the iOS and Android app developed by Mattel partner ToyTalk. The apps are used to connect the doll to a nearby Wi-Fi networks. The researchers also reported vulnerabilities in the remote server used to communicate with the doll.

From Friday’s report:

We discovered several issues with the Hello Barbie app including:

  • It utilizes an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
  • It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Bluebox said that several of the vulnerabilities, including the POODLE weakness, were closed after they were privately reported. ToyTalk should be commended for moving quickly, but the bigger point is that a third party was able to find these problems at all rather than ToyTalk proactively finding them on its own.

Today, nowhere is the Internet of Things more of a potential landmine than with devices marketed to children. The Bluebox report comes on the heels of the server breach of VTech, the toy manufacturer whose weak server security and lax privacy practices leaked personal information for tens of millions of parents and children, including gigabytes worth of kids’ headshots. Earlier this year, some privacy advocates had misgivings about Hello Barbie sending children’s utterances to a server for processing. Until manufacturers bake robust security and privacy into their products from the beginning, consumers should remain highly skeptical.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
51 Comments
Prev story
Next story