Hello Barbie controversy re-ignited with insecurity claims

Back in February, The Register queried the security and privacy implications of Mattel's “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy. After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski ( …

  1. Steven Roper

    The whole problem is the cloud mentality

    Everything has to be connected to "the cloud" these days. In the wake of the Snowden revelations there are very many valid reasons why cloud storage should never be trusted. Nor is the possibility of spying, monitoring and profiling the only concern; "cloud" also brings with it the Ransom-as-a-Service business model, where you have to keep paying every month or lose your data.

    And for those who say "but it's only $5 a month!" - yes, it's only $5 a month now, while you're sucking everyone in, but what will it rise to once millions of people are dependent on your service and the beancounters start leaning, knowing the service has become indispensable?

    Not only that, so your service is only $5 a month, but so is John's, and so is Harry's, and so is Tom's, and before you know it you're paying out $300 a month in nickel-and-dime bills for all the little must-haves that society expects you to use to get by in daily life.

    Back to the toy: I realise that the little Raspberry-pi type board in this doll isn't capable of parsing a kid's spoken commands. But a decently-powered desktop PC is, so why can't we have some software supplied with the doll that we can install on our desktops to receive the wi-fi signals from it and parse them in the home, without the need for any data to go outside the house?

    No monthly milking, no monitoring, no profiling, no using psychological trickery to get inside our heads and find ever better ways of extracting another dollar, just a single good old-fashioned honest fucking trade, where I give you money once and you give me a product once, and then we fuck off out of each others' lives.

    1. Shadow Systems

      Re: The whole problem is the cloud mentality

      *Applause*

      Enjoy a Pint & an UpVote on me.

      I wonder if there's a market for "Faraday Clothes" for such toys?

      Dress up little Suzie's BlabberMouthBarbie in material-encased Faraday Cage mesh to block all the WiFi, a little hat on her head to keep the signals from probing her little brain, gloves & socks, and render the little pile o' plastic essentially harmless.

      Zillions of different designs, colours, patterns, & materials, just like real life full sized people, but sized for the dolls that include such "enhancements".

      Then again, I'd just not buy such crap for a child in the first place.

      Suzie can have just as much fun with the control codes to the WOPR & playing games of Global ThermoNuclear War.

      *Cough*

      1. John Brown (no body) Silver badge
        Gimp

        Re: The whole problem is the cloud mentality

        "Dress up little Suzie's BlabberMouthBarbie in material-encased Faraday Cage mesh to block all the WiFi"

        I've been told there are already places which sell clothes like that but they may result in awkward questions from children. See icon.

      2. roytrubshaw
        Coat

        Re: The whole problem is the cloud mentality

        ... a little hat on her head to keep the signals from probing her little brain ...

        Paranoid Barbie!

        I love it.

        And I'm fairly sure it's possible to implement a version of "Parry" in the gargantuan 2Mbytes of firmware which would eliminate the need for communications of any sort...

      3. adnim

        Re: The whole problem is the cloud mentality

        Things are getting bad when a toy doll has to wear a tinfoil hat.

      4. Anonymous Coward
        Anonymous Coward

        Re: The whole problem is the cloud mentality

        "a little hat on her head to keep the signals from probing her little brain,"

        Benefits of RF-proof hats

      5. ProperDave
        Facepalm

        Re: The whole problem is the cloud mentality

        Maybe I'm seeing the obvious answer and perhaps the point is already made elsewhere, but isn't the answer there to vote with your wallet and just not buy this toy?

        Are kids really going to ask their parents for a doll they can talk to for $5 a month? I'd be sending my kids to therapy if they asked me that...

      6. JCitizen
        Devil

        Re: The whole problem is the cloud mentality

        You could make a mint modifying bird cages and calling it "Jail House Barbie" or maybe get a license to put an orange jump suit on it along the lines of a popular TV show we all know.

    2. Mark 85

      @Steven Roper -- Re: The whole problem is the cloud mentality

      so why can't we have some software supplied with the doll that we can install on our desktops to receive the wi-fi signals from it and parse them in the home, without the need for any data to go outside the house?

      You've answered your own question. I agree with you on the "why" but the answer is what will win... Profit!!!! Companies see customers/users as cash cows to be milked, and then milked some more until dry. I'm waiting to hear the Barbie has been monetized to deliver advertising to the kids. Of course it's all about broadening the user experience, right?

    3. Kanhef

      Re: The whole problem is the cloud mentality

      Another problem: I'll bet the URI the voice data is sent to is hard-coded in that firmware. Hack the home router (and frequent Reg readers will know how secure those are), set a rogue DNS, and a malicious server can intercept everything it transmits. Knowing how well IoT devices are designed, there probably isn't any attempt to verify the identity of the server it's talking to.

      The manual says it will automatically download and install software updates. Hopefully that process isn't vulnerable to the same sort of MITM attack.

    4. VinceH

      Re: The whole problem is the cloud mentality

      " "cloud" also brings with it the Ransom-as-a-Service business model, where you have to keep paying every month or lose your data."

      I've been calling that the Data as a Protection Racket model for quite a while now.

      And while an increasing number of people seem to be falling for it, I've also been standing in front of a bedroom mirror, practising: "I told you so. I told you so. Well, who the hell else did I tell? I told you so!"

    5. Zog_but_not_the_first
      Thumb Up

      Re: The whole problem is the cloud mentality

      Have another upvote from me. People who "embrace the cloud" and the service model without thinking about it are idiots. Sorry if you're one of them - I woke up grumpy.

      When toys start data mining children's actions this is abuse - no two ways about it.

    6. Terry 6 Silver badge

      Re: The whole problem is the cloud mentality

      No monthly milking, no monitoring, no profiling, no using psychological trickery to get inside our heads and find ever better ways of extracting another dollar, just a single good old-fashioned honest fucking trade, where I give you money once and you give me a product once, and then we fuck off out of each others' lives.

      We all have only a certain amount of money to spend. So this sort of stuff just diverts cash away from real businesses that exchange real goods and services for money and into the coffers of these cloudware scam merchants. Snake oil.

      1. TRT Silver badge

        Re: The whole problem is the cloud mentality

        A Man in the Middle is going to upset Ken. Or maybe not, thinking about it, given his Toy Story 3 personification.

        1. x 7

          Re: The whole problem is the cloud mentality

          "A Man in the Middle is going to upset Ken"

          depends on which Ken......those named Livingstone or Moore might appreciate a man in the middle

    7. als1232

      Re: The whole problem is the cloud mentality

      Why can't we just trade? Two reasons. First, without the monthly milking and assorted additions, it wouldn't pay to develop the doll. If this was a single trade, nobody would buy it, it would be too expensive. The only way to rip people off is with small, hardly noticed, amounts combined with information sales to companies.

      Secondly, if the single trade model was made, people would realize how poor they really are and either stop buying like crazy or start trying to get richer at the expense of the already rich. I get the feeling that the only thing which makes life as a debt/wage slave workable is the still slightly rising standard of living combined with the fact that one can, though only just, keep paying for it on credit with interest, of course.

  2. Charles Manning

    The Great Unwashed are not so paranoid

    "However, in the wake of the weekend's breach of toymaker VTech, the question of children's privacy is now on a few million minds."

    Really? They're going to post videos of their kid talking to Barbie all over FB/youtube anyway.

    1. dan1980

      Re: The Great Unwashed are not so paranoid

      @Charles Manning

      You have a point, but largely it's the same point as made by law enforcement agencies who say they don't understand what all the fuss is about surveillance and slurping communications because people share personal and private information on Facebook all the time.

      1. Mark 85

        Re: The Great Unwashed are not so paranoid

        There's been a couple of interesting articles floating around (news media pieces) I'll have to find some links for. It states that while those of us in the Baby Boom generation are worried about slurping and privacy, the millennials aren't. They freely share passwords and data with any and all. Maybe not all of the millennials but enough to raise eyebrows and concerns.

        Indeed, I think companies hire staff of this age group and the mindset pervades. At some point, that will make it easier for the TLA's and FLA's to do what they want. This toy will go a long way to helping with that mindset about privacy.

        1. Ben Tasker

          Re: The Great Unwashed are not so paranoid

          > The great unwashed are too careless with their personal information. They do not realize that hackers are looking for easy targets and they paint a bulls-eye on their backs.

          The problem is it's not just hackers or truly 'personal' information either

          There's plenty of stuff that I did as a teen that I'm fucking glad isn't available online. Like everyone else, I'm happy to talk about some of the antics I got up to, but there are other things that are best left buried. I'm sure most people my age probably have at least a few things they feel that way about.

          The "great unwashed" though, are posting their antics on facebook, and then complaining when they become a meme. In a decade or so, someone's going to go onto goofacetwat.er and search for their name and dredge it all up again.

          I know people who are against the IPB, but don't think twice about letting their social media 'friends' know every time they take a shit. Of course, the latter is their choice, but it still seems bizarre.

        2. Adam 52 Silver badge

          Re: The Great Unwashed are not so paranoid

          Those same millennials are now in decision making positions, which goes some way to explain why we have all this trouble.

          Now join a few news stories together and ponder if you will the scenario where a former member of Microsoft/Google/Mattel's data collection team takes direct entry to the Police and becomes superintendent in charge of authorising RIPA requests.

      2. a_yank_lurker

        Re: The Great Unwashed are not so paranoid

        Our overlords have not made the distinction between what information one voluntarily, if stupidly, releases about oneself and electronic snooping. This distinction is important to many.

    2. a_yank_lurker

      Re: The Great Unwashed are not so paranoid

      @Charles Manning - The great unwashed are too careless with their personal information. They do not realize that hackers are looking for easy targets and they paint a bulls-eye on their backs.

    3. Stoneshop
      Holmes

      Re: The Great Unwashed are not so paranoid

      There may well be children's privacy on a few million minds, but the, what is it now, one and a half billion or so farcebook users simply outnumber them several hundred to one.

    4. JCitizen
      Stop

      Re: The Great Unwashed are not so paranoid

      It doesn't take removing your tin foil cap to realize that perverts will be highly motivated to cruise the neighborhoods looking for the SSID of these things; or for that matter breaking into the cloud data base to sift for data regarding local customers.

  3. Anonymous Coward
    Anonymous Coward

    Do those innards count as...

    ...silicon implants?

    I guess I always knew it, but I never wanted to believe it.

    Damn.

  4. dan1980

    What I love is when companies questioned on security say that they:

    “[C]onform[s] to applicable government standards”.

    Bully for you. The problem is that "government standards" when it comes to data protection are generally anything but strict or comprehensive. So saying that your product/company/application/website conforms to "government standards" is not really reassuring.

    Remember that TalkTalk followed the required regulations.

    1. John Brown (no body) Silver badge
      Childcatcher

      ...and as we learned from Police Scotland recently, they are "only guidelines", not hard and fast rules, never mind law.

    2. a_yank_lurker

      So did the White Star Line when they sent the RMS Titanic on her maiden voyage. In fact, they exceeded the requirements for lifeboat capacity. That did not turn out very well for ~1500 people.

      1. Suricou Raven

        Be fair to them: They didn't take a full stock of lifeboats because they believed that lifeboats would never be needed, instead designing a ship that was supposed to be unsinkable. A double-walled hull design was almost impervious to breaches, and even if a section did breach there was a system for sealing off entire sections - the ship could float even with multiple compartments flooded. Unsinkable wasn't just an idle boast - it was a design specification. It did take a lot of damage to sink, and that only because of a side-on collision with an iceberg, something that designers didn't anticipate because giant floating lumps of ice are usually easy to see ahead and avoid.

        1. Anonymous Coward
          Anonymous Coward

          Titanic

          "It did take a lot of damage to sink, and that only because of a side-on collision with an iceberg, something that designers didn't anticipate because giant floating lumps of ice are usually easy to see ahead and avoid."

          The point was that for commercial reasons (®) the Titanic took a dangerous route, and there was evidence that technical errors were made which caused the collision. The Titanic story exactly mirrors these hacking cases: Something is constructed according to out of date/inadequate regulations, giving a false sense of security, and then somebody does something stupid which contributes to the disaster.

    3. Jagged

      Indeed. Probably the only "government standard" in this case, is that they hand over all data when asked.

      "I am sorry little girl, Barbie heard your parent criticising the government, so off to GitMo for them and off to social services for you. Don't cry, you can keep the doll."

      Does Barbie have an informant costume?

      1. LaeMing
        Pirate

        Snitches get stitches

        Get the needle-craft kit down.

  5. Anonymous Coward
    Anonymous Coward

    It depends...

    From ToyTalk's point of view – and Vulture South's – that still looks like an unlikely scenario: is it worth staging a user-by-user attack against a child's doll?

    Depends on the child in question.

    If it's the child(ren) of someone you want to manipulate - say, an exec of major firm or president of some nation - then it may be worth the effort to do so. :(

    1. Grikath

      Re: It depends...

      Yes, and there are many, many other ways in which to do that in that scenario. This is why high-profile people tend to have high-profile security measures, often including their families.

      Personally I wish Vulture Central would become a bit more ...resistant.. to publishing "Security!!" stories, or at least be more critical about the next release from the tinfoil hat brigade.

      Security is important, but most readers here will probably be aware of the fact that anything made up of electronics and programming is ultimately hackable, under the right set of circumstances. And quite often, the "articles", often rehacked press releases nowadays, gloss over the fact that the Next Scare really isn't all that practical, or even likely.

      There's a bit of a Publish or Perish race going on in the Security business, and, pardon my French, every damn geek OCD tinfoil hatter is looking for his 5 Minutes of Fame, because the issue is "hot" at the moment. And quite a lot of the guff published about it contains "could", "would", "possibly", and "under the right conditions", and ever more frequently the dreaded "leverage(ing)" which shows who the article really is aimed at: the Boss, instead of the BOFH.

      And the latter....saddens.. me.

  6. harmjschoonhoven
    1. David Roberts

      Re: FTFY

      I would have upvoted you for the classic SciFi reference if you had just indicated that it was a bloody PDF.

      1. frank ly

        Re: FTFY

        When I placed the cursor over that link, it showed me the URL, with '.pdf' at the end. Doesn't your browser do that?

        1. Michael Habel

          Re: FTFY

          Not if you're in the glorious Tablet Race.

        2. dajames

          Re: FTFY

          When I placed the cursor over that link, it showed me the URL, with '.pdf' at the end. Doesn't your browser do that?

          It's a bit backward, I know, but placing a cursor over a link is a trick that the browsers on phones and tablets haven't caught up with yet!

          (Even when I connect an actual USB mouse to the USB port of my phone with an OTG adaptor and get an honest-to-goodness pointer that I can place over a link the browser does not see fit to show me the destination of that link. Not with Chrome on Android Lollipop, anyway.)

          1. LaeMing
            Black Helicopters

            Re: Teddy

            I vaguely recall a short story about a rogue AI in a Teddy Bear that eventually was dealt with via a spin in the washer.

            Might be time to take Barbie for a swim!

    2. Graham Marsden
      Flame

      @harmjschoonhoven - Re: FTFY

      Exactly what I was thinking.

      How long before Barbie starts delivering "Important messages from carefully chosen suppliers"?

      "Hey, kids, have you heard of this great new accessory set? Builds week-by-week into a complete package, only £1.99 for the first part! Just say 'Yes Please' to buy! (allsubsequentpartsare£9.99comesin104weeklyinstallmentsnorefundspermitted)"

    3. dajames

      Re: FTFY

      I Always Do What Teddy Barbie Says

      Upvoted (but, a PDF link with no warning? Shame on you) ... but it reminds me rather more of the Young Lady's Illustrated Primer from Neal Stephenson's The Diamond Age.

  7. Anonymous Coward
    Anonymous Coward

    Creepy

    That is all

  8. Anonymous Coward
    Anonymous Coward

    Come on Barbie ...

    ... Let's go Stasi.

    1. Anonymous Coward
      Joke

      Re: Come on Barbie ...

      Just wait till they add the same technology to inflatable dolls...

  9. Seajay#

    Physical security

    If an adversary has physical access to your children's toys and all they do is dump your SSID, you have got away very lightly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Physical security

      I would assume the hack affords them getting your bank details and money from MITM attacks. That is the easy target, especially if the toy is sold in hundreds and thousands. If two rich people buy the toy, then yes, other more expensive and dangerous means might happen. But thieves tend to go for the easy pickings.

      1. Seajay#

        Re: Physical security

        Why would you assume that? The article tells you what they can get, your SSID, your barbie username, and an mp3 saying "Hi, I'm barbie".

        You don't get any passwords and even if you did get the passwords, the only passwords Barbie knows are for your wifi and your Barbie account. How is that going to give away your bank details? How is that going to allow MITM attacks to get your money?

        I'm not sure that internet connected toys are a good idea, you certainly want to be very very careful about what sensitive information you provide to them and there have been and will be security problems (see VTECH) but this is not one of those times.

        1. JCitizen
          FAIL

          Re: Physical security

          The local pervert doesn't care about that - he(or she) only cares that a Barbie SSID is in the neighborhood, and they would take great interest in that alone. What they would do with it, is only in the mind of evil people; as they have great imagination I'd wager.

          1. Pookietoo

            Re: a Barbie SSID is in the neighborhood

            Why would Barbie have an SSID? She's not a wireless access point.

  10. 45RPM Silver badge

    Hi! I'm Barbie. I love you very much.

    Question is, will this new cutting edge technology be resistant to the best efforts of Mr. Snodworthy? Better yet, will it be able to get one over Mr. Snodworthy with, perhaps, a carefully placed arm?

    We should all watch these developments most carefully.

  11. Suricou Raven

    It's been hollywoodised.

    These toys already featured in a 'CSI: Cyber' episode, just ramped up a little. In that episode's story a hacker-and-burglar team worked together: A hacker would hack the doll and communicate with the child to learn the contents of the property and when the family would be away, and manipulate the child into unlocking a window. The burglar would then use the information and assistance to do his thing.

  12. jake Silver badge

    One wonders ...

    ... how many of the fathers approving of this toy this year for Solstice were tweenagers when 7 of 9 appeared on STV. I mean, honestly, do you REALLY want all of your single-digit-old kid's musings uploaded into a (very probably) not securable network storage device outside your personal control?

    1. JCitizen
      Trollface

      Re: One wonders ...

      I'd bet a 7 of 9 Barbie would be popular - umm, with kids that is!

  13. Anonymous Coward
    Anonymous Coward

    Hmm

    Where's Hello Barbie's charging point?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      Looks like it's in the small of the back.

      No Chobits moment here!

      1. Anonymous Noel Coward
        Boffin

        Re: Hmm

        Chii~

    2. dajames

      Re: Hmm

      Where's Hello Barbie's charging point?

      Monthly, by continuous credit card authorization ...

      ... Oh, you meant electrical charging?

      1. x 7

        Re: Hmm

        "Where's Hello Barbie's charging point?"

        there's a zero force insertion socket hidden in her underwear.....

        1. LaeMing
          Go

          Re: Hmm

          Do you need the special Ken charging pack?

          1. TRT Silver badge

            Re: Hmm

            I think he's likely to be charged by Yewtree.

  14. chivo243 Silver badge

    glad I have a son

    So far he's not asked for a Barbie... Only Darth Vader, Luke, Chewy and R2 and...

    However, if I had a little girl, I would not be getting a gift like this for her...

  15. x 7

    I can just imagine some old bloke in a car outside hacking the doll remotely..........just imagine

    "Hello Susie, this is Barbie..........I've left some sweeties for you at the front door.....go outside and look"

    or

    "Hello Susie.......open the window so you can see my kittens...."

    or similar

    scary

  16. Anonymous Coward
    Anonymous Coward

    The headline isn't scaremongery enough.

    It should be something like: "HOW ISIS INSURGENTS COULD REMOTELY TURN YOUR DAUGHTER'S BARBIE INTO A TICKING TIME BOMB!"

  17. Anonymous Coward
    Trollface

    But what do the rag press think?

    Seriously, have the Daily Heil not done a paedogeddon article on this yet?

    Obviously padded out with some 'stripped down' close-ups...

    Am disappoint.

  18. Anonymous Coward
    Anonymous Coward

    The 16mbit of firmware..

    Isn't all firmware.

    I'm not sure how much of this information is still secret, the wifi microcontroller module used on this can be bought by the general public now, but..

    - The application code initially exists on the external flash and can run from there but it's more likely that it is loaded into the internal RAM. The size of the firmware is probably less than ~300K and the external flash probably contains 2 copies of it. The firmware can be signed and encrypted as this is supported by the module. If it's not encrypted it should at least be signed which will make running custom code a lot more of a challenge.

    - The rest of the external flash is used for storing big bits of data like the MP3 files they found but is also used to persist data that needs to be reloaded between reboots like the wifi settings... All they have done is read out data that isn't encrypted. Big deal. The SDK actually supports encrypting that data too but I guess they had finished the product before those features made it in or decided it wasn't worth it.
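To make the flash-layout point above concrete (two signed copies of the application image, with only unsigned persisted data readable) and Kanhef's earlier concern about updates being altered in transit, here is an added example that is not ToyTalk's, Mattel's or Marvell's code: a boot-time check over two flash slots that refuses unsigned, altered or downgraded images. The image header format, the vendor key and the use of HMAC-SHA256 as a stand-in for the module's real asymmetric image signature are all assumptions.

```python
"""Verified A/B firmware slot selection for a layout like the one described
in the comment: two copies of the application image in external flash, each
signed, plus a persisted minimum-version floor for anti-rollback.

Constructed example; not ToyTalk/Mattel/Marvell code. The header format, the
vendor key and HMAC-SHA256 standing in for a real asymmetric signature are
assumptions made for this illustration."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
# Header: magic(4) | version(uint32 LE) | payload length(uint32 LE) | sha256(32) | tag(32)
HEADER = struct.Struct("<4sII32s32s")
VENDOR_KEY = b"constructed-vendor-signing-key"  # stand-in for the vendor's signing key


def sign_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Build a slot image: header + payload. The tag covers magic, version,
    length and digest, so no header field can be altered independently."""
    digest = hashlib.sha256(payload).digest()
    body = struct.pack("<4sII32s", MAGIC, version, len(payload), digest)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag + payload


def verify_image(slot: bytes, key: bytes = VENDOR_KEY):
    """Return (version, payload) if the slot holds an authentic, intact image,
    else None. Rejects bad magic, truncated slots, altered payloads and tags."""
    if len(slot) < HEADER.size:
        return None
    magic, version, length, digest, tag = HEADER.unpack_from(slot)
    if magic != MAGIC:
        return None
    body = slot[:HEADER.size - 32]
    # Check the signature before trusting anything else in the header
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = slot[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), digest):
        return None
    return version, payload


def choose_boot_slot(slot_a: bytes, slot_b: bytes, min_version: int):
    """Pick the newest valid image of the two flash copies, refusing anything
    below the persisted anti-rollback floor. Returns (slot_name, version,
    payload), or None when neither copy is bootable (stay in recovery)."""
    best = None
    for name, slot in (("A", slot_a), ("B", slot_b)):
        result = verify_image(slot)
        if result is None:
            continue
        version, payload = result
        if version < min_version:
            continue  # valid signature but a downgrade: rollback attempt or stale copy
        if best is None or version > best[1]:
            best = (name, version, payload)
    return best


def demo():
    """Constructed scenario: slot A holds the current image; slot B holds an
    update tampered with after signing, then an old signed image, then a good one."""
    current = sign_image(7, b"app v7 code")
    tampered = bytearray(sign_image(8, b"app v8 code"))
    tampered[-1] ^= 0x01  # flip one payload bit: digest check must fail
    old = sign_image(3, b"app v3 code")
    return {
        "tampered_update": choose_boot_slot(current, bytes(tampered), min_version=5),
        "rollback": choose_boot_slot(old, b"\xff" * 64, min_version=5),
        "good_update": choose_boot_slot(current, sign_image(8, b"app v8 code"), 5),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", None if outcome is None else (outcome[0], outcome[1]))
```

The same check, run over a downloaded update image before it is written to a slot, is what keeps a rogue DNS or on-path server from pushing code the device will run.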

    1. Mage Silver badge
      Coffee/keyboard

      Re: The 16mbit of firmware..

      wifi microcontroller module

      Maybe it's the same one in IoT kettles and coffee makers.

      Security?

      1. Anonymous Coward
        Anonymous Coward

        Re: The 16mbit of firmware..

        The module is from Marvell. The coffee maker was based on an esp8266.

        1. x 7

          Re: The 16mbit of firmware..

          "The module is from Marvell"

          don't they make comics?

  19. ScottAS2
    Paris Hilton

    If I learned anything from "I Can Be A Computer Engineer"

    Presumably that 16Mb of code would have been secure if only they had got a boy to write it for them.

    1. Anonymous Coward
      Anonymous Coward

      Re: If I learned anything from "I Can Be A Computer Engineer"

      Significant difference between mega-bytes and mega-bits...

      I would be surprised if there is any security-by-design in this toy, that could push the release dates and £££

      I would not be surprised if one update did not provide the , "I need the 100 dollar shoes or I'll die" feature though...

  20. Yugguy

    Imagination's gone then

    Back when my daughter played with dolls, and she still does sometimes, her and her friends and sometimes me too would make up what the various dolls would say with our imaginations. We'd often end up with the most wacky, funny, soaring stories you could think of.

    Now it'll just be:

    "I like you Barbie."

    pause

    "I like you too, insert name here."

    RUBBISH

    1. Suricou Raven

      Re: Imagination's gone then

      The fun comes when the engine gets a little more advanced. Not turing-test-capable advanced, but enough that it becomes capable of answering queries. Barbie is going to need a knowledge base and turn into Siri-for-children. There may also be issues where Barbie answers questions that the parents may not want answered, unless it evades all questions on matters remotely interesting.

      1. Arthure B. Hynde

        Re: Imagination's gone then, and brainwashing gone mainstream

        Who controls what answers Bimbo will give my child?

        What is their political view, religious belief, general moral standpoints? Apart from a clearly commercial agenda?

        Educational material needs careful review - not given here...

        Scary.

  21. klstoner

    After I'm done hacking my hairdryer, I'll see to this... ;)

  22. MatsSvensson

    In Mattel Russia, toys play YOU.

  23. lukewarmdog

    why hack..

    As a criminal mastermind I wouldn't waste my money hiring a decent hacker to provide a MITM attack. I'd just steal the doll and replace it with one of my own, already pre-configured to ask the child to let me charge up via daddys computer "Because I'm feeling a bit tired".

    Wouldn't be surprised if this has already been done.

  24. Arthure B. Hynde

    Don't allow your kids to leave a digital footprint...

    ... until they are too old for barbies. Period!

    Our kids do play with tablets, and Skype with grandma, but under our supervision, and with our credentials. They will not have their own online credentials before they are out of grade school, and even then only tightly monitored.

    We don't post their pictures on Facebook, Twitter etc., and not anywhere else either.

    Call me paranoid - but as a parent I owe my children the best protection from any harm I can give them. I make sure they wear helmets and seat belts, know where to go and where not, and how to safely use hammer and screwdriver - again, under supervision.

    Not only should the online world be treated the same, but with even more caution.

    Besides the simple fact that the "Hello Bimbo" doll is a horrible idea. An actually speaking doll is the best way to kill a child's imagination and creativity...
