Toy manufacturers are learning a hard lesson about Wi-Fi-enabled dolls, action figures, and building sets: They can be hacked pretty easily.
A security researcher successfully hacked Mattel’s Wi-Fi-enabled Hello Barbie doll, gaining access to “system information, Wi-Fi network names, its internal MAC address, account IDs, and MP3 files.” This information could feasibly be used by a hacker to figure out which house the doll belongs to, allowing someone to breach the Wi-Fi network and retrieve any recorded information. The much-touted Hello Barbie employs technology developed by the startup ToyTalk, which uses machine learning to carry on a two-way conversation between the doll and its owner – in other words, a child’s version of Siri or Cortana.
“I was able to get some information out of it that I probably shouldn’t have,” Matt Jakubowski, the security researcher who hacked Hello Barbie, told NBC Chicago. “You can take that information and find out a person’s house or business… It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”
While ToyTalk did not contest claims that Hello Barbie could be hacked, it insisted that it wasn’t cause for concern. A spokesperson told NBC Chicago that “the information that was discovered does not identify a child, nor does it compromise any audio of a child speaking… We think parents should feel confident about their child’s privacy with Hello Barbie.” Still, this isn’t likely to be the case: Following Hello Barbie’s debut at the Toy Fair trade show in New York, an advocacy group deemed the technology “seriously creepy” and started a petition to shelve the toy. As Fast Company wrote earlier this year, people worried that the Barbie would “always be on, always listening.”
Oren Jacob, ToyTalk’s CEO, told Fast Company in an emailed statement that “The researcher in question found a convoluted way to get access to the information the doll and the Hello Barbie Companion App already share with each other, which is available directly to parents directly within that app. No major security features of the doll, or the online service, have been compromised.”
Mattel and ToyTalk aren’t the only toy companies charged with placating concerned parents this week. Hong Kong-based toymaker VTech suffered a major data breach early in November, and the news was made public over the Thanksgiving weekend. Hackers broke into the company’s app store and stole data from more than 5 million customer accounts. Stolen information included usernames, encrypted passwords, email contact information, the download histories of specific accounts, and the answers to users’ security questions.
[via NBC Chicago]
Update: This article has been updated with a statement from ToyTalk.