back to article Hello Barbie controversy re-ignited with insecurity claims

Back in February, The Register queried the security and privacy implications of Mattel's “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy. After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski ( …

Page:

  1. Steven Roper

    The whole problem is the cloud mentality

    Everything has to be connected to "the cloud" these days. In the wake of the Snowden revelations there are very many valid reasons why cloud storage should never be trusted. Nor is the possibility of spying, monitoring and profiling the only concern; "cloud" also brings with it the Ransom-as-a-Service business model, where have have to keep paying every month or lose your data.

    And for those who say "but it's only $5 a month!" - yes, it's only $5 a month now, while you're sucking everyone in, but what will it rise to once millions of people are dependent on your service and the beancounters start leaning, knowing the service has become indispensable?

    Not only that, so your service is only $5 a month, but so is John's, and so is Harry's, and so is Tom's, and before you know it you're paying out $300 a month in nickel-and-dime bills for all the little must-haves that society expects you to use to get by in daily life.

    Back to the toy: I realise that the little Raspberry-pi type board in this doll isn't capable of parsing a kid's spoken commands. But a decently-powered desktop PC is, so why can't we have some software supplied with the doll that we can install on our desktops to receive the wi-fi signals from it and parse them in the home, without the need for any data to go outside the house?

    No monthly milking, no monitoring, no profiling, no using psychological trickery to get inside our heads and find ever better ways of extracting another dollar, just a single good old-fashioned honest fucking trade, where I give you money once and you give me a product once, and then we fuck off out of each others' lives.

    1. Shadow Systems Silver badge

      Re: The whole problem is the cloud mentality

      *Applause*

      Enjoy a Pint & an UpVote on me.

      I wonder if there's a market for "Faraday Clothes" for such toys?

      Dress up little Suzie's BlabberMouthBarbie in material-encased Faraday Cage mesh to block all the WiFi, a little hat on her head to keep the signals from probing her little brain, gloves & socks, and render the little pile o' plastic essentially harmless.

      Zillions of different designs, colours, patterns, & materials, just like real life full sized people, but sized for the dolls that include such "enhancements".

      Then again, I'd just not buy such crap for a child in the first place.

      Suzie can have just as much fun with the control codes to the WHOPR & playing games of Global ThermoNuclear War.

      *Cough*

      1. John Brown (no body) Silver badge
        Gimp

        Re: The whole problem is the cloud mentality

        "Dress up little Suzie's BlabberMouthBarbie in material-encased Faraday Cage mesh to block all the WiFi"

        I've been told there are already places which sell clothes like that but they may result in awkward questions from children. See icon.

      2. roytrubshaw
        Coat

        Re: The whole problem is the cloud mentality

        ... a little hat on her head to keep the signals from probing her little brain ...

        Paranoid Barbie!

        I love it.

        And I'm fairly sure it's possible to implement a version of "Parry" in the gargantuan 2Mbytes of firmware which would eliminate the need for communications of any sort...

      3. adnim Silver badge

        Re: The whole problem is the cloud mentality

        Things are getting bad when toy doll has to wear a tinfoil hat.

      4. Anonymous Coward
        Anonymous Coward

        Re: The whole problem is the cloud mentality

        "a little hat on her head to keep the signals from probing her little brain,"

        Benefits of RF-proof hats

      5. ProperDave
        Facepalm

        Re: The whole problem is the cloud mentality

        Maybe I'm seeing the obvious answer and perhaps the point is already made elsewhere, but isn't the answer there to vote with your wallet and just not buy this toy?

        Are kids really going to ask their parents for a doll they can talk to for $5 a month? I'd be sending my kids to therapy if they asked me that...

      6. JCitizen
        Devil

        Re: The whole problem is the cloud mentality

        You could make a mint modifying bird cages and calling it "Jail House Barbie" or maybe get a license to put an orange jump suit on it along the lines of a popular TV show we all know.

    2. Mark 85 Silver badge

      @Steven Roper -- Re: The whole problem is the cloud mentality

      so why can't we have some software supplied with the doll that we can install on our desktops to receive the wi-fi signals from it and parse them in the home, without the need for any data to go outside the house?

      You've answered your own question. I agree with you on the "why" but the answer is what will win... Profit!!!! Companies see customers/users as cash cows to be milked, and the milked some more until dry. I'm waiting to hear the Barbie has been monetized to deliver advertising to the kids. Of course it's all about broadening the user experience, right?

    3. Kanhef

      Re: The whole problem is the cloud mentality

      Another problem: I'll bet the URI the voice data is sent to is hard-coded in that firmware. Hack the home router (and frequent Reg readers will know how secure those are), set a rogue DNS, and a malicious server can intercept everything it transmits. Knowing how well IoT devices are designed, there probably isn't any attempt to verify the identity of the server it's talking to.

      The manual says it will automatically download and install software updates. Hopefully that process isn't vulnerable to the same sort of MITM attack.

    4. VinceH Silver badge

      Re: The whole problem is the cloud mentality

      " "cloud" also brings with it the Ransom-as-a-Service business model, where have have to keep paying every month or lose your data."

      I've been calling that the Data as a Protection Racket model for quite a while now.

      And while an increasing number of people seem to be falling for it, I've also been standing in front of a bedroom mirror, practising: "I told you so. I told you so. Well, who the hell else did I tell? I told you so!"

    5. Zog_but_not_the_first Silver badge
      Thumb Up

      Re: The whole problem is the cloud mentality

      Have another upvote from me. People who "embrace the cloud" and the service model without thinking about it are idiots. Sorry if you're one of them - I woke up grumpy.

      When toys start data mining children's actions this is abuse - no two ways about it.

    6. Terry 6 Silver badge

      Re: The whole problem is the cloud mentality

      No monthly milking, no monitoring, no profiling, no using psychological trickery to get inside our heads and find ever better ways of extracting another dollar, just a single good old-fashioned honest fucking trade, where I give you money once and you give me a product once, and then we fuck off out of each others' lives.

      We all have only a certain amount of money to spend. So this sort of stuff just diverts cash away from real businesses that exchange real goods and services for money and into the coffers of these cloudware scam merchants. Snake oil.

      1. TRT Silver badge

        Re: The whole problem is the cloud mentality

        A Man in the Middle is going to upset Ken. Or maybe not, thinking about it, given his Toy Story 3 personification.

        1. x 7

          Re: The whole problem is the cloud mentality

          "A Man in the Middle is going to upset Ken"

          depends on which Ken......those named Livingstone or Moore might appreciate a man in the middle

    7. als1232

      Re: The whole problem is the cloud mentality

      Why can't we just trade? Two reasons. First, without the monthly milking and assorted additions, it wouldn't pay to develop the doll. If this was a single trade, nobody would buy it, it would be too expensive. The only way to rip people off is with small, hardly noticed, amounts combined with information sales to companies.

      Secondly, if the single trade model was made, people would realize how poor they really are and either stop buying like crazy or start trying to get richer at the expense of the already rich. I get the feeling that the only thing which makes life as a debt/wage slave workable is the still slightly rising standard of living combined with the fact that one can, though only just, keep paying for it on credit with interest, of

      course.

  2. Charles Manning

    The Great Unwashed are not so paranoid

    "However, in the wake of the weekend's breach of toymaker VTech, the question of children's privacy is now on a few million minds."

    Really? They're going to post videos of their kid talking to Barbie all over FB/youtube anyway.

    1. dan1980

      Re: The Great Unwashed are not so paranoid

      @Charles Manning

      You have a point, but largely it's the same point as made by law enforcement agencies who say they don't understand what all the fuss is about surveillance and slurping communications because people share personal and private information on Facebook all the time.

      1. Mark 85 Silver badge

        Re: The Great Unwashed are not so paranoid

        There's been a couple of interesting articles floating around (news media pieces) I'll have to find some links for. It states that while those of us in the Baby Boom generation are worried about slurping and privacy, the millennials aren't. They freely share passwords and data with any and all. Maybe not all of the millennials but enough to raise eyebrows and concerns.

        Indeed, I think companies hire staff of this age group and the mindset pervades. At some point, that will make it easier for the TLA's and FLA's to do what they want. This toy will go a long way to helping with that mindset about privacy.

        1. Ben Tasker Silver badge

          Re: The Great Unwashed are not so paranoid

          > The great unwashed are too careless with their personal information. They do not realize that hackers are looking for easy targets and they paint a bulls-eye on their backs.

          The problem is it's not just hackers or truly 'personal' information either

          There's plenty of stuff that I did as a teen that I'm fucking glad isn't available online. Like everyone else, I'm happy to talk about some of the antics I got up to, but there are other things that are best left buried. I'm sure most people my age probably have at least a few things they feel that way about.

          The "great unwashed" though, are posting their antics on facebook, and then complaining when they become a meme. In a decade or so, someone's going to go onto goofacetwat.er and search for their name and dredge it all up again.

          I know people who are against the IPB, but don't think twice about letting their social media 'friends' know every time they take a shit. Of course, the latter is their choice, but it still seems bizzare

        2. Adam 52 Silver badge

          Re: The Great Unwashed are not so paranoid

          Those same millennials are now in decision making positions, which goes some way to explain why we have all this trouble.

          Now join a few news stories together and ponder if you will the scenario where a former member of Microsoft/Google/Matel's data collection team takes direct entry to the Police and becomes superintendent in charge of authorising RIPA requests.

      2. a_yank_lurker Silver badge

        Re: The Great Unwashed are not so paranoid

        Our overlords have not made the distinction between what information one voluntary, if stupidly, releases about oneself and electronic snooping. This distinction is important to many.

    2. a_yank_lurker Silver badge

      Re: The Great Unwashed are not so paranoid

      @Charles Manning - The great unwashed are too careless with their personal information. They do not realize that hackers are looking for easy targets and they paint a bulls-eye on their backs.

    3. Stoneshop Silver badge
      Holmes

      Re: The Great Unwashed are not so paranoid

      There may well be children's privacy on a few million minds, but the, what is it now, one and a half billion or so farcebook users simply outnumber them several hundred to one.

    4. JCitizen
      Stop

      Re: The Great Unwashed are not so paranoid

      It doesn't take removing your tin foil cap to realize that perverts will be highly motivated to cruise the neighborhoods looking for the SSID of these things; or for that matter breaking into the cloud data base to sift for data regarding local customers.

  3. Anonymous Coward
    Anonymous Coward

    Do those innards count as...

    ...silicon implants?

    I guess I always knew it, but I never wanted to believe it.

    Damn.

  4. dan1980

    What I love is when companies questioned on security say that they:

    “[C]onform[s] to applicable government standards”.

    Bully for you. The problem is that "government standards" when it comes to data protection are generally anything but strict or comprehensive. So saying that your product/company/application/website conforms to "government"standards" is not really reassuring.

    Remember that TalkTalk followed the required regulations.

    1. John Brown (no body) Silver badge
      Childcatcher

      ...and as we learned from Police Scotland recently, they are "only guidelines", not hard and fast rules, never mind law.

    2. a_yank_lurker Silver badge

      So did the White Star Line when they sent the RMS Titanic on her maiden voyage. In fact, they exceeded the requirements for lifeboat capacity. That did not turn out very well for ~1500 people.

      1. Suricou Raven

        Be fair to them: They didn't take a full stock of lifeboats because they believed that lifeboats would never be needed, instead designing a ship that was supposed to be unsinkable. A double-walled hull design was almost impervious to breaches, and even if a section did breach there was a system for sealing off entire sections - the ship could float even with multiple compartments flooded. Unsinkable wasn't just an idle boast - it was a design specification. It did take a lot of damage to sink, and that only because of a side-on collision with an iceburg, something that designers didn't anticipate because giant floating lumps of ice are usually easy to see ahead and avoid.

        1. Anonymous Coward
          Anonymous Coward

          Titanic

          "It did take a lot of damage to sink, and that only because of a side-on collision with an iceburg, something that designers didn't anticipate because giant floating lumps of ice are usually easy to see ahead and avoid."

          The point was that for commercial reasons (®) the Titanic took a dangerous route, and there was evidence that technical errors were made which caused the collision. The Titanic story exactly mirrors these hacking cases: Something is constructed according to out of date/inadequate regulations, giving a false sense of security, and then somebody does something stupid which contributes to the disaster.

    3. Jagged

      Indeed. Probably the only "government standard" in this case, is that they hand over all data when asked.

      "I am sorry little girl, Barbie heard your parent criticising the government, so off to GitMo for them and off to social services for you. Don't cry, you can keep the doll."

      Does Barbie have an informant costume?

      1. LaeMing Silver badge
        Pirate

        Snitches get stiches

        Get the needle-craft kit down.

  5. Anonymous Coward
    Anonymous Coward

    It depends...

    From ToyTalk's point of view – and Vulture South's – that still looks like an unlikely scenario: is it worth staging a user-by-user attack against a child's doll?

    Depends on the child in question.

    If it's the child(ren) of someone you want to manipulate - say, an exec of major firm or president of some nation - then it may be worth the effort to do so. :(

    1. Grikath

      Re: It depends...

      Yes, and there are many, many other ways in which to do that in that scenario. This is why high-profile people tend to have high-profile security measures, often including their families.

      Personally I wish Vulture Central would become a bit more ...resistant.. to publishing "Security!!" stories, or at least be more critical about the next release from the tinfoil hat brigade.

      Security is important, but most readers here will probably be aware of the fact that anything made up of electronics and programming is ultimately hackable, under the right set of circumstances. And quite often, the "articles" , often rehacked press releases nowadays, gloss over the fact that the Next Scare really isn't all that practical, or even likely.

      There's a bit of a Publish or Perish race going on in the Security business, and, pardon my french, every damn geek OCD tinfoil hatter is looking for his 5 Minutes of Fame, because the issue is "hot" at the moment. And quite a lot of the guff published about it contains "could", "would", "possibly", and "under the right conditions" , and ever more frequently the dreaded "leverage(ing)" which shows who the article really is aimed at: the Boss, instead of the BOFH.

      And the latter....saddens.. me.

  6. harmjschoonhoven
    1. David Roberts Silver badge

      Re: FTFY

      I would have upvoted you for the classic ScFi reference if you had just indicated that it was a bloody PDF.

      1. frank ly

        Re: FTFY

        When I placed the cursor over that link, it showed me the URL, with '.pdf' at the end. Doesn't your browser do that?

        1. Michael Habel Silver badge

          Re: FTFY

          Not if your iin the glorious Tablet Race.

        2. dajames Silver badge

          Re: FTFY

          When I placed the cursor over that link, it showed me the URL, with '.pdf' at the end. Doesn't your browser do that?

          It's a bit backward, I know, but placing a cursor over a link is a trick that the browsers on phones and tablets haven't caught up with yet!

          (Even when I connect an actual USB mouse to the USB port of my phone with an OTG adaptor and get an honest-to-goodness pointer that I can place over a link the browser does not see fit to show me the destination of that link. Not with Chrome on Android Lollipop, anyway.)

          1. LaeMing Silver badge
            Black Helicopters

            Re: Teddy

            I vaguely recall a short story about a rogue AI in a Teddy Bear that eventually was dealt with via a spin in the washer.

            Might be time to take Barbie for a swim!

    2. Graham Marsden
      Flame

      @harmjschoonhoven - Re: FTFY

      Exactly what I was thinking.

      How long before Barbie starts delivering "Important messages from carefully chosen suppliers"?

      "Hey, kids, have you heard of this great new accessory set? Builds week-by-week into a complete package, only £1.99 for the first part! Just say 'Yes Please' to buy! (allsubsequentpartsare£9.99comesin104weeklyinstallmentsnorefundspermitted)"

    3. dajames Silver badge

      Re: FTFY

      I Always Do What Teddy Barbie Says

      Upvoted (but, a PDF link with no warning? Shame on you) ... but it reminds me rather more of the Young Lady's Illustrated Primer from Neal Stephenson's The Diamond Age.

  7. Anonymous Coward
    Anonymous Coward

    Creepy

    That is all

  8. Anonymous Coward
    Anonymous Coward

    Come on Barbie ...

    ... :Let's go Stasi.

    1. LDS Silver badge
      Joke

      Re: Come on Barbie ...

      Just wait they add the same technology to inflatable dolls...

  9. Seajay#

    Physical security

    If an adversary has physical access to your children's toys and all they do is dump your SSID, you have got away very lightly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Physical security

      I would assume the hack affords them getting your bank details and money from MITM attacks. That is the easy target, especially if the toy is sold in hundreds and thousands. If two rich people buy the toy, then yes, other more expensive and dangerous means might happen. But thieves tend to go for the easy pickings.

      1. Seajay#

        Re: Physical security

        Why would you assume that? The article tells you what they can get, your SSID, your barbie username, and an mp3 saying "Hi, I'm barbie".

        You don't get any passwords and even if you did get the passwords, the only passwords Barbie knows are for your wifi and your Barbie account. How is that going to give away your bank details? How is that going to allow MITM attacks to get your money?

        I'm not sure that internet connected toys are a good idea, you certainly want to be very very careful about what sensitive information you provide to them and there have been and will be security problems (see VTECH) but this is not one of those times.

        1. JCitizen
          FAIL

          Re: Physical security

          The local pervert doesn't care about that - he(or she) only cares that a Barbie SSID is in the neighborhood, and they would take great interest in that alone. What they would do with it, is only in the mind of evil people; as they have great imagination I'd wager.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019