ENGINEERING MIRACLE BARBIE is even more damaging to your security and privacy than we thought.
Hello Barbie, a semi-intelligent creation that can converse in a limited manner with unattended children, send their communications direct to a range of third parties, and let them take control and open up their own stream of access, is an issue.
Bluebox Security has been picking apart the plastic princess for the last couple of weeks, and has fresh warnings for us. Well, perhaps not us, but some parents.
We have already covered the Barbie atrocity, and we thought it was bad enough. Bluebox has made it look a whole lot worse, claiming that it can give hackers a direct line to your kid. We asked Mattel to talk about this before. It did not respond; presumably the Barbie works better.
Bluebox says that there are problems with the doll, the software and the client side of the experience. Pretty much everything, then. Bite-sized samples of the warnings, probably all that she could manage, suggest that the Barbie app uses servers that smell like a POODLE attack and has a lot of pointless code that serves just one purpose, which is, reportedly, to "increase the overall attack surface".
The firm has spoken to the people that caused this, the software outfit ToyTalk, and it reckons that many of the issues have already been fixed.
However, it added that this problem is bigger than Barbie (so are most twigs) and pretty much runs across the whole of the internet of things.
"All of the issues discovered highlighted point to the need for more secure app development, as well as the need for integrating self-defending capabilities into not only stand-alone mobile apps, but also the apps that power IoT devices like Hello Barbie," it said.
"Ultimately, this research demonstrates the security of the mobile apps associated with IoT devices must be a higher priority."
Hello Barbie, or Hell Barbie depending on your privacy stance, is likely to be heading for the underside of fir trees that are wondering why they are suddenly in urban living rooms. But parents beware: it has already raised a lot of privacy and security hackles.
First to complain was the Campaign for a Commercial-Free Childhood (CCFC), which launched with a Hell No Barbie banner and a hard line on the privacy problems associated with e-enabled waif-life entities. Barbie already goes with technology like oil goes with water.
"This holiday season, Mattel hopes to make Hello Barbie, a doll that records and analyses children's private conversations, a must-have toy. But experts agree: it's a threat to children's privacy, wellbeing and creativity," the CCFC warned.
"Children confide in dolls and reveal intimate details about their lives, but Hello Barbie won't keep those secrets. When Barbie's belt buckle is held down, everything your child says is transmitted to cloud servers where it will be stored and analysed by ToyTalk, Mattel's technology partner. Employees of ToyTalk and their partner corporations listen to recordings of children's conversations, and ToyTalk won't even say who their partners are."
"Shipped: Your Amazon package with Hello Barbie will be delivered Thu, Nov 12. Never before have I been so excited for a Barbie." Matt Jakubowski (@Jaku), November 10, 2015
Whether the doll is a friend of the child or an ally of the merchandiser is the question with that campaign. The most recent concern is how open to persuasion it is when it is connected to WiFi. 'Very' is the answer, according to US security researcher Matt Jakubowski, who took his concerns to local news service NBC.
"It's here!!" Matt Jakubowski (@Jaku), November 13, 2015
Jakubowski told reporters that a relatively easy hack opens the Barbie doll to abuse, and could make the doll say anything that a hacker might want it to. This could go badly for kids.
We have asked Mattel to comment. µ