Updated Mattel's Hello Barbie doll, the Wi-Fi-equipped playmate that talks to its owner and reports back on the conversations to mummy and daddy, has more security problems than first thought – this time on the software side.
Last week security researcher Matt Jakubowski found that it was relatively easy to purloin wireless network names, account IDs, and MP3 files from the toy. Now an examination by a different team has found that both the mobile app controlling the doll and the server-side systems used by the plastic playthings also have serious issues.
After unboxing, Hello Barbie is set up with a Wi-Fi connection that allows the owner's questions to be sent to a remote server, analyzed, and an appropriate response sent back. The iOS and Android mobile app required to do this has some fairly basic errors, according to Bluebox Labs and Andrew Hay, director of research at OpenDNS.
The app authenticates to ToyTalk's main servers with a client certificate, and that certificate is password-protected. But the password is hardcoded into the app's executable, where it can be recovered by reverse engineering, or the certificate can simply be lifted from the app once it has been decrypted, the researchers report.
The doll is also set up as a wireless access point with the name "Barbie" followed by four random alphanumeric characters. When the mobile app searches for an access point, it will connect to any network whose name contains the word "Barbie". That makes it easy to stand up a spoof access point during setup and intercept the resulting traffic.
On the server side, the team spotted that ToyTalk, Mattel's technology partner on Hello Barbie, still supported SSLv3 for encryption – meaning connections could be downgraded and attacked with POODLE, first reported in October 2014.
None of these problems are unfixable, and the researchers are in contact with ToyTalk, which is patching up the holes. But, given the somewhat sensitive nature of the doll in these days of worry over privacy, they really should have been fixed earlier.
"ToyTalk were great to work with," Bluebox's lead security analyst Andrew Blaich told The Reg. "Within a day of us getting in touch they were patching their systems, which is almost unheard of for this kind of internet of things device, and they had already updated SSLv3 to bar POODLE attacks."
So if you're buying a Hello Barbie for your little snowflake this Christmas, there shouldn't be too much to worry about – apart from the doll's option to report back its conversations with children to their parents. That could cause a few problems, particularly if the little tyke asks why mummy shouts to Jesus when the postman comes around. ®
"We have been working with Bluebox and appreciate their Responsible Disclosure of several issues with respect to Hello Barbie. We have already fixed many of the issues they raised, such as removing the weaker SSLv3 ciphers from our servers," ToyTalk told El Reg.
"We used an industry standard implementation and added client certificate authentication, above and beyond what most Internet-connected devices do, as a way to deter a casual attacker but this implementation can pose a vulnerability to a sophisticated hacker."
"It is important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access to WiFi passwords, no access to child audio data, and cannot change what the doll says."