back to article Hello Barbie controversy re-ignited with insecurity claims

Back in February, The Register queried the security and privacy implications of Mattel's “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy. After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski ( …

  1. Steven Roper

    The whole problem is the cloud mentality

    Everything has to be connected to "the cloud" these days. In the wake of the Snowden revelations there are very many valid reasons why cloud storage should never be trusted. Nor is the possibility of spying, monitoring and profiling the only concern; "cloud" also brings with it the Ransom-as-a-Service business model, where have have to keep paying every month or lose your data.

    And for those who say "but it's only $5 a month!" - yes, it's only $5 a month now, while you're sucking everyone in, but what will it rise to once millions of people are dependent on your service and the beancounters start leaning, knowing the service has become indispensable?

    Not only that, so your service is only $5 a month, but so is John's, and so is Harry's, and so is Tom's, and before you know it you're paying out $300 a month in nickel-and-dime bills for all the little must-haves that society expects you to use to get by in daily life.

    Back to the toy: I realise that the little Raspberry-pi type board in this doll isn't capable of parsing a kid's spoken commands. But a decently-powered desktop PC is, so why can't we have some software supplied with the doll that we can install on our desktops to receive the wi-fi signals from it and parse them in the home, without the need for any data to go outside the house?

    No monthly milking, no monitoring, no profiling, no using psychological trickery to get inside our heads and find ever better ways of extracting another dollar, just a single good old-fashioned honest fucking trade, where I give you money once and you give me a product once, and then we fuck off out of each others' lives.

    1. Shadow Systems Silver badge

      Re: The whole problem is the cloud mentality

      *Applause*

      Enjoy a Pint & an UpVote on me.

      I wonder if there's a market for "Faraday Clothes" for such toys?

      Dress up little Suzie's BlabberMouthBarbie in material-encased Faraday Cage mesh to block all the WiFi, a little hat on her head to keep the signals from probing her little brain, gloves & socks, and render the little pile o' plastic essentially harmless.

      Zillions of different designs, colours, patterns, & materials, just like real life full sized people, but sized for the dolls that include such "enhancements".

      Then again, I'd just not buy such crap for a child in the first place.

      Suzie can have just as much fun with the control codes to the WHOPR & playing games of Global ThermoNuclear War.

      *Cough*

      1. John Brown (no body) Silver badge
        Gimp

        Re: The whole problem is the cloud mentality

        "Dress up little Suzie's BlabberMouthBarbie in material-encased Faraday Cage mesh to block all the WiFi"

        I've been told there are already places which sell clothes like that but they may result in awkward questions from children. See icon.

      2. roytrubshaw
        Coat

        Re: The whole problem is the cloud mentality

        ... a little hat on her head to keep the signals from probing her little brain ...

        Paranoid Barbie!

        I love it.

        And I'm fairly sure it's possible to implement a version of "Parry" in the gargantuan 2Mbytes of firmware which would eliminate the need for communications of any sort...

      3. adnim Silver badge

        Re: The whole problem is the cloud mentality

        Things are getting bad when toy doll has to wear a tinfoil hat.

      4. Voyna i Mor Silver badge

        Re: The whole problem is the cloud mentality

        "a little hat on her head to keep the signals from probing her little brain,"

        Benefits of RF-proof hats

      5. ProperDave
        Facepalm

        Re: The whole problem is the cloud mentality

        Maybe I'm seeing the obvious answer and perhaps the point is already made elsewhere, but isn't the answer there to vote with your wallet and just not buy this toy?

        Are kids really going to ask their parents for a doll they can talk to for $5 a month? I'd be sending my kids to therapy if they asked me that...

      6. JCitizen
        Devil

        Re: The whole problem is the cloud mentality

        You could make a mint modifying bird cages and calling it "Jail House Barbie" or maybe get a license to put an orange jump suit on it along the lines of a popular TV show we all know.

    2. Mark 85 Silver badge

      @Steven Roper -- Re: The whole problem is the cloud mentality

      so why can't we have some software supplied with the doll that we can install on our desktops to receive the wi-fi signals from it and parse them in the home, without the need for any data to go outside the house?

      You've answered your own question. I agree with you on the "why" but the answer is what will win... Profit!!!! Companies see customers/users as cash cows to be milked, and the milked some more until dry. I'm waiting to hear the Barbie has been monetized to deliver advertising to the kids. Of course it's all about broadening the user experience, right?

    3. Kanhef

      Re: The whole problem is the cloud mentality

      Another problem: I'll bet the URI the voice data is sent to is hard-coded in that firmware. Hack the home router (and frequent Reg readers will know how secure those are), set a rogue DNS, and a malicious server can intercept everything it transmits. Knowing how well IoT devices are designed, there probably isn't any attempt to verify the identity of the server it's talking to.

      The manual says it will automatically download and install software updates. Hopefully that process isn't vulnerable to the same sort of MITM attack.

    4. VinceH Silver badge

      Re: The whole problem is the cloud mentality

      " "cloud" also brings with it the Ransom-as-a-Service business model, where have have to keep paying every month or lose your data."

      I've been calling that the Data as a Protection Racket model for quite a while now.

      And while an increasing number of people seem to be falling for it, I've also been standing in front of a bedroom mirror, practising: "I told you so. I told you so. Well, who the hell else did I tell? I told you so!"

    5. Zog_but_not_the_first Silver badge
      Thumb Up

      Re: The whole problem is the cloud mentality

      Have another upvote from me. People who "embrace the cloud" and the service model without thinking about it are idiots. Sorry if you're one of them - I woke up grumpy.

      When toys start data mining children's actions this is abuse - no two ways about it.

    6. Terry 6 Silver badge

      Re: The whole problem is the cloud mentality

      No monthly milking, no monitoring, no profiling, no using psychological trickery to get inside our heads and find ever better ways of extracting another dollar, just a single good old-fashioned honest fucking trade, where I give you money once and you give me a product once, and then we fuck off out of each others' lives.

      We all have only a certain amount of money to spend. So this sort of stuff just diverts cash away from real businesses that exchange real goods and services for money and into the coffers of these cloudware scam merchants. Snake oil.

      1. TRT Silver badge

        Re: The whole problem is the cloud mentality

        A Man in the Middle is going to upset Ken. Or maybe not, thinking about it, given his Toy Story 3 personification.

        1. x 7 Silver badge

          Re: The whole problem is the cloud mentality

          "A Man in the Middle is going to upset Ken"

          depends on which Ken......those named Livingstone or Moore might appreciate a man in the middle

    7. als1232

      Re: The whole problem is the cloud mentality

      Why can't we just trade? Two reasons. First, without the monthly milking and assorted additions, it wouldn't pay to develop the doll. If this was a single trade, nobody would buy it, it would be too expensive. The only way to rip people off is with small, hardly noticed, amounts combined with information sales to companies.

      Secondly, if the single trade model was made, people would realize how poor they really are and either stop buying like crazy or start trying to get richer at the expense of the already rich. I get the feeling that the only thing which makes life as a debt/wage slave workable is the still slightly rising standard of living combined with the fact that one can, though only just, keep paying for it on credit with interest, of

      course.

  2. Charles Manning

    The Great Unwashed are not so paranoid

    "However, in the wake of the weekend's breach of toymaker VTech, the question of children's privacy is now on a few million minds."

    Really? They're going to post videos of their kid talking to Barbie all over FB/youtube anyway.

    1. dan1980

      Re: The Great Unwashed are not so paranoid

      @Charles Manning

      You have a point, but largely it's the same point as made by law enforcement agencies who say they don't understand what all the fuss is about surveillance and slurping communications because people share personal and private information on Facebook all the time.

      1. Mark 85 Silver badge

        Re: The Great Unwashed are not so paranoid

        There's been a couple of interesting articles floating around (news media pieces) I'll have to find some links for. It states that while those of us in the Baby Boom generation are worried about slurping and privacy, the millennials aren't. They freely share passwords and data with any and all. Maybe not all of the millennials but enough to raise eyebrows and concerns.

        Indeed, I think companies hire staff of this age group and the mindset pervades. At some point, that will make it easier for the TLA's and FLA's to do what they want. This toy will go a long way to helping with that mindset about privacy.

        1. Ben Tasker Silver badge

          Re: The Great Unwashed are not so paranoid

          > The great unwashed are too careless with their personal information. They do not realize that hackers are looking for easy targets and they paint a bulls-eye on their backs.

          The problem is it's not just hackers or truly 'personal' information either

          There's plenty of stuff that I did as a teen that I'm fucking glad isn't available online. Like everyone else, I'm happy to talk about some of the antics I got up to, but there are other things that are best left buried. I'm sure most people my age probably have at least a few things they feel that way about.

          The "great unwashed" though, are posting their antics on facebook, and then complaining when they become a meme. In a decade or so, someone's going to go onto goofacetwat.er and search for their name and dredge it all up again.

          I know people who are against the IPB, but don't think twice about letting their social media 'friends' know every time they take a shit. Of course, the latter is their choice, but it still seems bizzare

        2. Adam 52 Silver badge

          Re: The Great Unwashed are not so paranoid

          Those same millennials are now in decision making positions, which goes some way to explain why we have all this trouble.

          Now join a few news stories together and ponder if you will the scenario where a former member of Microsoft/Google/Matel's data collection team takes direct entry to the Police and becomes superintendent in charge of authorising RIPA requests.

      2. a_yank_lurker Silver badge

        Re: The Great Unwashed are not so paranoid

        Our overlords have not made the distinction between what information one voluntary, if stupidly, releases about oneself and electronic snooping. This distinction is important to many.

    2. a_yank_lurker Silver badge

      Re: The Great Unwashed are not so paranoid

      @Charles Manning - The great unwashed are too careless with their personal information. They do not realize that hackers are looking for easy targets and they paint a bulls-eye on their backs.

    3. Stoneshop Silver badge
      Holmes

      Re: The Great Unwashed are not so paranoid

      There may well be children's privacy on a few million minds, but the, what is it now, one and a half billion or so farcebook users simply outnumber them several hundred to one.

    4. JCitizen
      Stop

      Re: The Great Unwashed are not so paranoid

      It doesn't take removing your tin foil cap to realize that perverts will be highly motivated to cruise the neighborhoods looking for the SSID of these things; or for that matter breaking into the cloud data base to sift for data regarding local customers.

  3. Anonymous Coward
    Anonymous Coward

    Do those innards count as...

    ...silicon implants?

    I guess I always knew it, but I never wanted to believe it.

    Damn.

  4. dan1980

    What I love is when companies questioned on security say that they:

    “[C]onform[s] to applicable government standards”.

    Bully for you. The problem is that "government standards" when it comes to data protection are generally anything but strict or comprehensive. So saying that your product/company/application/website conforms to "government"standards" is not really reassuring.

    Remember that TalkTalk followed the required regulations.

    1. John Brown (no body) Silver badge
      Childcatcher

      ...and as we learned from Police Scotland recently, they are "only guidelines", not hard and fast rules, never mind law.

    2. a_yank_lurker Silver badge

      So did the White Star Line when they sent the RMS Titanic on her maiden voyage. In fact, they exceeded the requirements for lifeboat capacity. That did not turn out very well for ~1500 people.

      1. Suricou Raven

        Be fair to them: They didn't take a full stock of lifeboats because they believed that lifeboats would never be needed, instead designing a ship that was supposed to be unsinkable. A double-walled hull design was almost impervious to breaches, and even if a section did breach there was a system for sealing off entire sections - the ship could float even with multiple compartments flooded. Unsinkable wasn't just an idle boast - it was a design specification. It did take a lot of damage to sink, and that only because of a side-on collision with an iceburg, something that designers didn't anticipate because giant floating lumps of ice are usually easy to see ahead and avoid.

        1. Voyna i Mor Silver badge

          Titanic

          "It did take a lot of damage to sink, and that only because of a side-on collision with an iceburg, something that designers didn't anticipate because giant floating lumps of ice are usually easy to see ahead and avoid."

          The point was that for commercial reasons (®) the Titanic took a dangerous route, and there was evidence that technical errors were made which caused the collision. The Titanic story exactly mirrors these hacking cases: Something is constructed according to out of date/inadequate regulations, giving a false sense of security, and then somebody does something stupid which contributes to the disaster.

    3. Jagged

      Indeed. Probably the only "government standard" in this case, is that they hand over all data when asked.

      "I am sorry little girl, Barbie heard your parent criticising the government, so off to GitMo for them and off to social services for you. Don't cry, you can keep the doll."

      Does Barbie have an informant costume?

      1. LaeMing
        Pirate

        Snitches get stiches

        Get the needle-craft kit down.

  5. Anonymous Coward
    Anonymous Coward

    It depends...

    From ToyTalk's point of view – and Vulture South's – that still looks like an unlikely scenario: is it worth staging a user-by-user attack against a child's doll?

    Depends on the child in question.

    If it's the child(ren) of someone you want to manipulate - say, an exec of major firm or president of some nation - then it may be worth the effort to do so. :(

    1. Grikath Silver badge

      Re: It depends...

      Yes, and there are many, many other ways in which to do that in that scenario. This is why high-profile people tend to have high-profile security measures, often including their families.

      Personally I wish Vulture Central would become a bit more ...resistant.. to publishing "Security!!" stories, or at least be more critical about the next release from the tinfoil hat brigade.

      Security is important, but most readers here will probably be aware of the fact that anything made up of electronics and programming is ultimately hackable, under the right set of circumstances. And quite often, the "articles" , often rehacked press releases nowadays, gloss over the fact that the Next Scare really isn't all that practical, or even likely.

      There's a bit of a Publish or Perish race going on in the Security business, and, pardon my french, every damn geek OCD tinfoil hatter is looking for his 5 Minutes of Fame, because the issue is "hot" at the moment. And quite a lot of the guff published about it contains "could", "would", "possibly", and "under the right conditions" , and ever more frequently the dreaded "leverage(ing)" which shows who the article really is aimed at: the Boss, instead of the BOFH.

      And the latter....saddens.. me.

  6. harmjschoonhoven
    1. David Roberts Silver badge

      Re: FTFY

      I would have upvoted you for the classic ScFi reference if you had just indicated that it was a bloody PDF.

      1. frank ly Silver badge

        Re: FTFY

        When I placed the cursor over that link, it showed me the URL, with '.pdf' at the end. Doesn't your browser do that?

        1. Michael Habel Silver badge

          Re: FTFY

          Not if your iin the glorious Tablet Race.

        2. dajames Silver badge

          Re: FTFY

          When I placed the cursor over that link, it showed me the URL, with '.pdf' at the end. Doesn't your browser do that?

          It's a bit backward, I know, but placing a cursor over a link is a trick that the browsers on phones and tablets haven't caught up with yet!

          (Even when I connect an actual USB mouse to the USB port of my phone with an OTG adaptor and get an honest-to-goodness pointer that I can place over a link the browser does not see fit to show me the destination of that link. Not with Chrome on Android Lollipop, anyway.)

          1. LaeMing
            Black Helicopters

            Re: Teddy

            I vaguely recall a short story about a rogue AI in a Teddy Bear that eventually was dealt with via a spin in the washer.

            Might be time to take Barbie for a swim!

    2. Graham Marsden
      Flame

      @harmjschoonhoven - Re: FTFY

      Exactly what I was thinking.

      How long before Barbie starts delivering "Important messages from carefully chosen suppliers"?

      "Hey, kids, have you heard of this great new accessory set? Builds week-by-week into a complete package, only £1.99 for the first part! Just say 'Yes Please' to buy! (allsubsequentpartsare£9.99comesin104weeklyinstallmentsnorefundspermitted)"

    3. dajames Silver badge

      Re: FTFY

      I Always Do What Teddy Barbie Says

      Upvoted (but, a PDF link with no warning? Shame on you) ... but it reminds me rather more of the Young Lady's Illustrated Primer from Neal Stephenson's The Diamond Age.

  7. Anonymous Coward
    Anonymous Coward

    Creepy

    That is all

  8. Anonymous Coward
    Anonymous Coward

    Come on Barbie ...

    ... :Let's go Stasi.

    1. LDS Silver badge
      Joke

      Re: Come on Barbie ...

      Just wait they add the same technology to inflatable dolls...

  9. Seajay#

    Physical security

    If an adversary has physical access to your children's toys and all they do is dump your SSID, you have got away very lightly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Physical security

      I would assume the hack affords them getting your bank details and money from MITM attacks. That is the easy target, especially if the toy is sold in hundreds and thousands. If two rich people buy the toy, then yes, other more expensive and dangerous means might happen. But thieves tend to go for the easy pickings.

      1. Seajay#

        Re: Physical security

        Why would you assume that? The article tells you what they can get, your SSID, your barbie username, and an mp3 saying "Hi, I'm barbie".

        You don't get any passwords and even if you did get the passwords, the only passwords Barbie knows are for your wifi and your Barbie account. How is that going to give away your bank details? How is that going to allow MITM attacks to get your money?

        I'm not sure that internet connected toys are a good idea, you certainly want to be very very careful about what sensitive information you provide to them and there have been and will be security problems (see VTECH) but this is not one of those times.

        1. JCitizen
          FAIL

          Re: Physical security

          The local pervert doesn't care about that - he(or she) only cares that a Barbie SSID is in the neighborhood, and they would take great interest in that alone. What they would do with it, is only in the mind of evil people; as they have great imagination I'd wager.

          1. Pookietoo

            Re: a Barbie SSID is in the neighborhood

            Why would Barbie have an SSID? She's not a wireless access point.

  10. 45RPM Silver badge

    Hi! I'm Barbie. I love you very much.

    Question is, will this new cutting edge technology be resistant to the best efforts of Mr. Snodworthy? Better yet, will it be able to get one over Mr. Snodworthy with, perhaps, a carefully placed arm?

    We should all watch these developments most carefully.

  11. Suricou Raven

    It's been hollywoodised.

    These toys already featured in a 'CSI: Cyber' episode, just ramped up a little. In that episode story a hacker-and-burglar team worked together: A hacker would hack the doll and communicate with the child to learn the contents of the property and when the family would be away, and manipulate the child into unlocking a window. The burglar would then use the information and assistance to do his thing.

  12. jake Silver badge

    One wonders ...

    ... how many of the fathers approving of this toy this year for Solstice were tweenagers when 7 of 9 appeared on STV. I mean, honestly, do you REALLY want all of your single-digit-old kid's musings uploaded into a (very probably) not securable network storage device outside your personal control?

    1. JCitizen
      Trollface

      Re: One wonders ...

      I'd bet a 7 of 9 Barbie would be popular - umm, with kids that is!

  13. Flatpackhamster

    Hmm

    Where's Hello Barbie's charging point?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      Looks like it's in the small of the back.

      No Chobits moment here!

      1. Anonymous Noel Coward
        Boffin

        Re: Hmm

        Chii~

    2. dajames Silver badge

      Re: Hmm

      Where's Hello Barbie's charging point?

      Monthly, by continuous credit card authorization ...

      ... Oh, you meant electrical charging?

      1. x 7 Silver badge

        Re: Hmm

        "Where's Hello Barbie's charging point?"

        theres a zero force insertion socket hidden in her underwear.....

        1. LaeMing
          Go

          Re: Hmm

          Do you need the special Ken charging pack?

          1. TRT Silver badge

            Re: Hmm

            I think he's likely to be charged by Yewtree.

  14. chivo243 Silver badge

    glad I have a son

    So far he's not asked for a Barbie... Only Darth Vader, Luke, Chewy and R2 and...

    However, If I had a little girl, I would not be getting a gift like this for her...

  15. x 7 Silver badge

    I can just imagine some old bloke in a car outside hacking the doll remotely..........just imagine

    "Hello Susie, this is Barbie..........I've left some sweeties for you at the front door.....go outside and look"

    or

    "Hello Susie.......open the window so you can see my kittens...."

    or similar

    scary

  16. Anonymous Coward
    Anonymous Coward

    The headline isn't scaremongery enough.

    It should be something like: "HOW ISIS INSURGENTS COULD REMOTELY TURN YOUR DAUGHTER'S BARBIE INTO A TICKING TIME BOMB!"

  17. Joefish
    Trollface

    But what do the rag press think?

    Seriously, have the Daily Heil not done a paedogeddon article on this yet?

    Obviously padded out with some 'stripped down' close-ups...

    Am disappoint.

  18. Anonymous Coward
    Anonymous Coward

    The 16mbit of firmware..

    Isn't all firmware.

    I'm not sure how much of this information is still secret,the wifi microcontroller module used on this can be bought by the general public now, but..

    - The application code initially exists on the external flash and can run from there but it's more likely that it is loaded into the internal RAM. The size of the firmware is probably less than ~300K and the external flash probably contains 2 copies of it. The firmware can be signed and encrypted as this is supported by the module. If it's not encrypted it should at least be signed which will make running custom code a lot more of a challenge.

    - The rest of the external flash is used for storing big bits of data like the MP3 files they found but is also used to persist data that needs to be reloaded between reboots like the wifi settings... All they have done is read out data that isn't encrypted. Big deal. The SDK actually supports encrypting that data too but I guess they had finished the product before those features made it in or decided it wasn't worth it.

    1. Mage Silver badge
      Coffee/keyboard

      Re: The 16mbit of firmware..

      wifi microcontroller module

      Maybe it's the same one in IoT kettles and coffee makers.

      Security?

      1. Anonymous Coward
        Anonymous Coward

        Re: The 16mbit of firmware..

        The module is from Marvell. The coffee maker was based on an esp8266.

        1. x 7 Silver badge

          Re: The 16mbit of firmware..

          "The module is from Marvell"

          don't they make comics?

  19. ScottAS2
    Paris Hilton

    If I learned anything from "I Can Be A Computer Engineer"

    Presumably that 16Mb of code would have been secure if only they had got a boy to write it for them.

    1. Anonymous Coward
      Anonymous Coward

      Re: If I learned anything from "I Can Be A Computer Engineer"

      Significant difference between mega-bytes and mega-bits...

      I would be surprised if there is any security-by-design in this toy, that could push the release dates and £££

      I would not be surprised if one update did not provide the , "I need the 100 dollar shoes or I'll die" feature though...

  20. Yugguy

    Imagination's gone then

    Back when my daughter played with dolls, and she still does sometimes, her and her friends and sometimes me too would make up what the various dolls would say with our imaginations. We'd often end up with the most wacky, funny, soaring stories you could think of.

    Now it'll just be:

    "I like you Barbie."

    pause

    "I like you too, insert name here."

    RUBBISH

    1. Suricou Raven

      Re: Imagination's gone then

      The fun comes when the engine gets a little more advanced. Not turing-test-capable advanced, but enough that it becomes capable of answering queries. Barbie is going to need a knowledge base and turn Siri-for-children. There may also be issues where Barbie answers questions that the parents may not want answered, unless it evades all questions on matters remotely interesting.

      1. Arthure B. Hynde

        Re: Imagination's gone then, and brainwashing gone mainstream

        Who controls what answers Bimbo will give my child?

        What is their political view, religious believe, general moral standpoints? Apart from a clearly commercial agenda?

        Educational material needs careful review- not given here...

        Scary.

  21. klstoner

    After I'm done hacking my hairdryer, I'll see to this... ;)

  22. MatsSvensson

    In Mattel Russia, toys play YOU.

  23. lukewarmdog

    why hack..

    As a criminal mastermind I wouldn't waste my money hiring a decent hacker to provide a MITM attack. I'd just steal the doll and replace it with one of my own, already pre-configured to ask the child to let me charge up via daddys computer "Because I'm feeling a bit tired".

    Wouldn't be surprised if this has already been done.

  24. Arthure B. Hynde

    Don't allow your kids to leave a digital footprint...

    ... until they are too old for barbies. Period!

    Our kids do play with tablets, and Skype with grandma, but under our supervision, and with our credentials. They will not have their own online credentials before they out of grade school, and even then only tightly monitored.

    We don't post their pictures on Facebook, Twitter etc., and not anywhere else either.

    Call me paranoid- but as a parent I owe my children the best protection from any harm I can give them. I make sure they wear helmets and seat belts, know where to go and where not, and how to safely use hammer and screwdriver- again, under supervision.

    Not only should the online world be treated the same, but with even more caution.

    Besides the simple fact that the "Hello Bimbo" doll is a horrible idea. An actually speaking doll is the bast way to kill a child's imagination and creativity...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019