The newest Barbie from Mattel, Hello Barbie, features internet connectivity, allowing the doll to use voice recognition technology to have “real” conversations with kids, even adapting to the child’s likes and dislikes. These conversations are held in the cloud, enabling Mattel to update or alter them when needed. For this toy, Mattel partnered with software developer ToyTalk to create a myriad of realistic conversations for the new doll.
The bad news right now, however, is that a few security holes have been revealed, meaning that hackers could potentially pinpoint the location of a doll’s home, or could access recordings of a child’s conversations with the doll. Security firm Bluebox revealed the holes on Friday, December 4th.
Of course, this drove Mattel to scramble to fix these holes in time for the holiday shopping season, assuring customers that security is of the utmost concern. Thankfully, it was a security firm that unearthed these zero-day flaws before a hacker did. Despite these flaws, the toymaker said that it did in fact have a cybersecurity company audit the toy and the software before it hit the shelves. It’s known that no released software will ever be 100% perfect, and Mattel and software designer ToyTalk have set up “bug bounty” programs for people to report flaws and bugs.
ToyTalk has been very quick to fix many of the bugs, as noted in the Bluebox blog post as well as on ToyTalk’s own blog. Further, they said that:
no children’s audio was accessed, no passwords were compromised, and no dolls were made to say anything unintended.
This is only the latest hacking scandal involving the ever-growing “internet of things”: internet-connected or internet-enabled common household devices such as home security systems, lighting systems, and more. Despite the benign nature of these objects, their connectivity to the internet leaves them vulnerable to being hacked. Unfortunately, anything that is written by humans can also be hacked by humans. However, if the strongest security settings are put in place, the vulnerability to hacking drops to a very small amount. Just a few months ago, a Wired story proved that a Jeep could be taken control of while being driven, using the car’s internet-connected features. Even more recently, there has been discussion of the potential dangers of terrorists taking over planes using the plane’s wifi and internet connectivity.
For now, the risk associated with Hello Barbie is extremely low. Parents can be assured that the company appears to be very quick to respond when holes do pop up. But they should also be aware that no company can ever ensure that an internet-connected toy is 100% safe; that is just the nature of software and hacking. It’s a small risk to take, and parents can do their due diligence by researching the issues before purchasing the toy, so that they buy it with proper knowledge of the risks at hand.