Hello Barbie could say more than ‘Hello’

Mattel recently announced that it is partnering with US start-up ToyTalk to develop Hello Barbie, a doll that will be able to have two-way conversations with children, thanks to a speech-recognition platform connected across the Internet.

Most talking toys rely on a set of built-in phrases and responses, and conversation is limited to whatever the designers programmed it to say. By opening this process up to the Internet, Hello Barbie’s designers clearly hope to provide a much more immersive experience, with off-site computer power enabling Barbie to hold much more realistic conversations. It’s a novel idea, and will almost certainly be a popular toy for the modern age – but there are concerns.

Any communication across the Internet runs the risk of being insecure – Barbie’s communications with the server providing her dialogue could be intercepted and modified, giving an attacker control over her chat. The implications are obvious: could Barbie be used to abuse or groom children?

Embedded platforms are often limited in their ability to deploy strong countermeasures such as encryption because of their reduced processing power. Although modern processors are becoming more powerful, stronger encryption algorithms requiring higher levels of computational resources are constantly being introduced to counter improved brute-forcing and other attacks on the encryption. Embedded platforms are also difficult to update if vulnerabilities are discovered in their firmware.

The ability to abuse children through insecure Internet-connected devices was recently demonstrated when a baby monitor was hacked and abuse was shouted at an infant. The device from Foscam has now been patched to fix the vulnerability, but a search of Shodan – a search engine that identifies Internet-connected devices – shows that many devices are still susceptible because owners have failed to update them. A similar toy to Hello Barbie, Vivid Toys’ ‘Cayla’, was found to be vulnerable to hacking earlier this year by security researcher Ken Munro from Pen Test Partners.

Hello Barbie will listen to the child’s conversation and adapt to it over time, according to the manufacturer. If a child mentions that they like to dance, for instance, the doll may refer to this in a future chat. The device relies on a Wi-Fi connection and its speech is likely to be processed by a remote facility. The doll is not likely to have a sophisticated control panel, so the connection to Wi-Fi may be via Wi-Fi Protected Setup (WPS), which has already been the subject of attacks.

I think someone will learn how to hack Hello Barbie, and it won’t take long. Whether the doll will be used for abuse is another matter, but the impact is such that I hope security has been designed in from the start.

What could be done?

Mattel has not released many details about the security measures deployed to protect the toy and the information it records. This information could be considered personally identifiable information (PII) and therefore subject to data protection laws, but, as data breaches over the last year or so demonstrate, that’s not always a guarantee that the company will treat the information with necessary care.

The larger question is whether there should be a mandatory level of protection that manufacturers will have to meet to protect Internet-connected devices if they are to be used by children or could potentially pick up sensitive information. Should a Kitemark scheme be introduced to show that the manufacturer has met the minimum levels of due care and diligence? It’s a question that will need to be addressed as the Internet of Things expands and becomes more pervasive, and it’s better to get that out of the way sooner rather than later.