Hello Barbie’s POODLE problem, and other security issues with internet-connected doll

Graham Cluley

Hello Barbie's POODLE problem, and other security issues with internet-connected doll

Hello Barbie, the internet-connected talking doll from toymaker Mattel, isn’t receiving the best publicity at the moment.

We have had concerns raised by privacy advocates about Hello Barbie, and now more researchers are uncovering security problems.

Hello barbie

Bluebox Labs has published a report uncovering that the toy’s smartphone app is not only vulnerable to hackers intercepting communications as they are sent up to its internet servers, but also that those servers were vulnerable to the POODLE attack disclosed in October 2014:

We discovered several issues with the Hello Barbie app including:

  • It utilizes an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
  • It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Bluebox Labs says it informed Hello Barbie app developer ToyTalk about the issues prior to publication, and “a number of the issues have already been resolved.”

As I described in a video at the time, the POODLE vulnerability provides a way for hackers to trick your browser into using a weaker form of encryption (SSL 3.0) which contains bugs that can be exploited to snoop upon your communications.

What’s good is that ToyTalk appears to have fixed the bugs, including the POODLE vulnerability on its website.

What’s bad is that if BlueBox Labs had never told ToyTalk about the problems, maybe they would never have been fixed.

Too many manufacturers are rushing to create products that are internet-enabled, without taking security seriously.

It’s understandable that consumers should be particularly concerned when the risky products are entering their households under the disguise of being harmless kids’ toys – such as the VTech early learning tools found lacking last week.

If you would like to see more videos from me in future, subscribe to my YouTube channel.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Hello Barbie’s POODLE problem, and other security issues with internet-connected doll”

  1. When will manufactures learn to secure all facets as best as possible at the point of release? Furthermore, have the ability to patch/remedy such weaknesses afterwards?

    It must simply come down to cost cutting measures, poor Q/A, or ease of use/accessibility for their customers so it 'just's work'.

    You have to give some marks to Mattel for at least attempting to use (if vulnerable) some form of SSL.

    Not only did VTech lack any SSL, they were using a deprecated version of ASP and their database fall victim to a SQL injection over the internet.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.