Hello Barbie’s POODLE problem, and other security issues with internet-connected doll


Hello Barbie, the internet-connected talking doll from toymaker Mattel, isn’t receiving the best publicity at the moment.

We have had concerns raised by privacy advocates about Hello Barbie, and now more researchers are uncovering security problems.

Hello barbie

Bluebox Labs has published a report uncovering that the toy’s smartphone app is not only vulnerable to hackers intercepting communications as they are sent up to its internet servers, but also that those servers were vulnerable to the POODLE attack disclosed in October 2014:

We discovered several issues with the Hello Barbie app including:

  • It utilizes an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
  • It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Bluebox Labs says it informed Hello Barbie app developer ToyTalk about the issues prior to publication, and “a number of the issues have already been resolved.”

As I described in a video at the time, the POODLE vulnerability provides a way for hackers to trick your browser into using a weaker form of encryption (SSL 3.0) which contains bugs that can be exploited to snoop upon your communications.

What’s good is that ToyTalk appears to have fixed the bugs, including the POODLE vulnerability on its website.

What’s bad is that if BlueBox Labs had never told ToyTalk about the problems, maybe they would never have been fixed.

Too many manufacturers are rushing to create products that are internet-enabled, without taking security seriously.

It’s understandable that consumers should be particularly concerned when the risky products are entering their households under the disguise of being harmless kids’ toys - such as the VTech early learning tools found lacking last week.

If you would like to see more videos from me in future, subscribe to my YouTube channel.

Tags: , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , ,

One Response

  1. Simon

    December 8, 2015 at 10:58 am #

    When will manufactures learn to secure all facets as best as possible at the point of release? Furthermore, have the ability to patch/remedy such weaknesses afterwards?

    It must simply come down to cost cutting measures, poor Q/A, or ease of use/accessibility for their customers so it ‘just’s work’.

    You have to give some marks to Mattel for at least attempting to use (if vulnerable) some form of SSL.

    Not only did VTech lack any SSL, they were using a deprecated version of ASP and their database fall victim to a SQL injection over the internet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.