Security Firm Finds New Hello Barbie Vulnerabilities

Girls use computers at the Barbie Dreamhouse Experience in Berlin. Some psychologists are concerned about how children interact with new technology and its privacy issues. Pierre Adenis/laif/Redux

Not all toys are created equal. In fact, Mattel's recently released Wi-Fi-connected Barbie is said to be one of the most technologically advanced toys to date. But with increased connectivity comes the greater likelihood of vulnerabilities, and San Diego–based security firm Somerset Recon has found quite a few.

Hello Barbie, which launched late last year, may not be able to change outfits, but she is state of the art and fully connected. Owners can chat with Barbie, but first a guardian must download a mobile application and connect the doll to a wireless network. Children speak to Barbie while holding a press-to-talk button on her belt, and their words are transmitted over a Wi-Fi connection to the servers of ToyTalk, a San Francisco–based startup that Mattel partnered with to give Barbie her digital makeover. Speech recognition software then converts audio into text, and artificial intelligence software plucks keywords from what a child says, triggering Barbie to deliver a response from her arsenal of 8,000 pre-written lines.

In a new report published Monday, Somerset Recon found some significant security lapses in ToyTalk's Web services—14, to be exact—four of which were of medium severity, while 10 were deemed low.

The "nastiest" vulnerability, according to the report, allows attackers to make an unlimited number of password guesses without triggering an account lockout. Once attackers find their way into a parental account, they have access to a treasure trove of personal information, namely recordings of a child's responses to Barbie, which parents can play, delete or share on social media with the click of a button.

To add insult to injury, according to the report, ToyTalk's website allows users to choose weak passwords, making an attacker's guessing game simpler. "The password policy only stipulates that you must use eight characters," the firm's lead security researcher tells Newsweek, wishing to remain anonymous, "and doesn't require any other numbers or special characters."
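The two findings above, unlimited guessing and a length-only password rule, are the pair that makes an online guessing attack practical. The following is an added example, not ToyTalk's or Somerset Recon's code, of the server-side controls that close them: a login gate that locks an account after a fixed number of consecutive failures, and a policy check that can enforce more than the eight-character minimum the report describes. The threshold (5 failures), lockout window (15 minutes), PBKDF2 hashing and all account data are assumptions constructed for the example.

```python
"""Login gate with account lockout plus a password-policy check.

Added example (not ToyTalk's code). Threshold, lockout window and the
PBKDF2 password hash are assumptions; the account data is constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive failures before lockout (assumed policy)
LOCKOUT_SECONDS = 900   # 15-minute lockout window (assumed policy)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the real service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0         # consecutive failed guesses since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGate:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        `now` is passed in rather than read from time.time() so the lockout
        window can be exercised in a test without sleeping.
        """
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password so usernames cannot be enumerated.
            return "bad_password"
        if now < acct.locked_until:
            # While locked, even the correct password is refused: the point is
            # to bound how many guesses an attacker gets per window.
            return "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad_password"


def simulate_guessing(gate: LoginGate, username: str, guesses: list[str],
                      now: float = 0.0) -> dict[str, int]:
    """Run a constructed list of guesses through the gate and count outcomes."""
    outcomes = {"ok": 0, "bad_password": 0, "locked": 0}
    for guess in guesses:
        outcomes[gate.login(username, guess, now)] += 1
    return outcomes


def password_policy_violations(password: str, min_length: int = 8,
                               require_digit_or_symbol: bool = False) -> list[str]:
    """Return the rules a password breaks (empty list means it is accepted).

    With the defaults this is the length-only rule the report criticises;
    setting require_digit_or_symbol=True adds the check the researcher asked for.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if require_digit_or_symbol and all(c.isalpha() for c in password):
        problems.append("contains only letters")
    return problems


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("parent@example.invalid", "correct horse")  # constructed account
    guesses = ["barbie1", "password", "letmein", "qwertyui", "12345678",
               "hellobarb", "mattel12", "correct horse"]
    print(simulate_guessing(gate, "parent@example.invalid", guesses))
    print(gate.login("parent@example.invalid", "correct horse", now=LOCKOUT_SECONDS + 1))
    print(password_policy_violations("password"))
    print(password_policy_violations("password", require_digit_or_symbol=True))
```

In the constructed run the fifth wrong guess trips the lockout, so the sixth and seventh guesses and even the correct password that follows are refused until the window expires; with no lockout the same loop would simply keep going until it hit the right string. The policy function is deliberately configurable so the weak and the stricter rule can be compared side by side.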

In November, when Somerset Recon first unpacked the doll's innards to analyze her hardware, the firm was pleasantly surprised by Barbie's security. In fact, it found that the Wi-Fi credentials stored on Barbie's chips were encrypted, making them much harder, though not impossible, for the average adversary to extract. But the second round of investigation and testing yielded much less positive results.

According to the new report, the firm also found that customers could be sent malicious ToyTalk links, redirecting them to phishing websites. Somerset Recon also found that several domains associated with Hello Barbie allowed for unencrypted communication, among other issues.
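A link on a trusted domain that forwards the visitor to an attacker's page is usually the result of a redirect parameter that accepts any destination; that mechanism is an assumption here, since the report summary above does not name the parameter. The following is an added example, not ToyTalk's code, of the server-side check that prevents it: the destination is only honoured if it is a same-site path or an https URL on an allow-listed host, and everything else falls back to a safe default. The host `example-toytalk.invalid` is a placeholder, not ToyTalk's real domain. Insisting on https also addresses the report's separate point about domains that still allowed unencrypted communication.

```python
"""Redirect-destination validation (added example, not ToyTalk's code).

Assumes a login or share page that takes a `next`-style parameter naming
where to send the user afterwards. ALLOWED_HOSTS is a placeholder set.
"""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example-toytalk.invalid"}  # placeholder, not a real domain
SAFE_DEFAULT = "/"


def safe_redirect_target(next_param: str, default: str = SAFE_DEFAULT) -> str:
    """Return next_param if it is a safe destination, otherwise `default`.

    Accepted: a site-relative path ("/account"), or an absolute https URL
    whose host is on the allow list. Everything else (other schemes,
    protocol-relative "//host" forms, userinfo tricks, backslashes that some
    browsers treat as slashes, control characters) is rejected.
    """
    if not next_param:
        return default
    # Backslashes and line breaks are classic ways to confuse parsers and
    # browsers into disagreeing about the host; refuse them outright.
    if any(ch in next_param for ch in "\\\r\n\t"):
        return default

    parsed = urlparse(next_param)

    if not parsed.scheme and not parsed.netloc:
        # Relative reference. "/path" stays on this site; "//host/path" does
        # not (urlparse puts the host in netloc for that case, so it is
        # already excluded), and "path" without a leading slash is refused
        # to keep the rule simple.
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return default

    if parsed.scheme != "https":
        return default          # http:, javascript:, data: and friends
    # parsed.hostname strips any user:pass@ prefix and lower-cases the host,
    # so "https://allowed.invalid@evil.invalid/" resolves to evil.invalid.
    if parsed.hostname not in ALLOWED_HOSTS:
        return default
    return next_param


if __name__ == "__main__":
    for candidate in ["/account",
                      "https://example-toytalk.invalid/account",
                      "//evil.invalid/login",
                      "https://example-toytalk.invalid@evil.invalid/",
                      "http://example-toytalk.invalid/account",
                      "/\\evil.invalid"]:
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)!r}")
```

The allow list is matched on the parsed hostname rather than by string prefix, which is what defeats the `trusted-host@evil` and `trusted-host.evil` variants; a prefix check such as `startswith("https://example-toytalk.invalid")` would pass both.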

Soon after the product's release, ToyTalk set up a bounty program, looking to have skilled security researchers from around the globe help the company find vulnerabilities. Though the lead researcher praises ToyTalk for quickly fixing security issues raised through its bounty program, the report had a different takeaway.

"Companies need to understand that a bug bounty program is a last resort," the firm typed in bold, "not a replacement for proper security analysis before a product's release."

The lead researcher adds: "When we first looked at the website, some of the vulnerabilities we noticed were low-hanging fruit—vulnerabilities that a penetration tester or security expert could easily spot. They probably could have done a lot more before the product was released."