This article is more than 1 year old

Goodbye, Hello Barbie: Wireless toy dogged by POODLE SSL hole

More flaws found after plastic pal probed

Updated Mattel's Hello Barbie doll, the Wi-Fi-equipped playmate that talks to its owner and reports back on the conversations to mummy and daddy, has more security problems than first thought – this time on the software side.

Last week security researcher Matt Jakubowski found that it was relatively easy to purloin wireless network names, account IDs, and MP3 files from the toy. Now an examination by a different team has found that both the mobile app controlling the doll and the server-side systems used by the plastic playthings also have serious issues.

After unboxing, Hello Barbie is set up with a Wi-Fi connection that allows the owner's questions to be sent to a remote server, analyzed, and an appropriate response sent back. The iOS and Android mobile app required to do this has some fairly basic errors, according to Bluebox Labs and Andrew Hay, director of research at OpenDNS.

The app uses client certificate authentication to talk to the main servers, and password-protects the certificate. But the password is hardcoded into the app's executable and can be reverse-engineered, the researchers report, or the certificate can be obtained from the app after it has been decrypted.

The doll is also set up as a wireless access point with the name "Barbie" followed by four random alphanumeric characters. When the mobile app searches for an access point, it will connect to any network with the phrase Barbie in its name. This makes spoofing a connection easy and resulting traffic susceptible to surveillance.

On the server side, the team spotted that ToyTalk, Mattel's tech partners on Hello Barbie, use SSLv3 for encryption – meaning it is susceptible to the POODLE attack first reported in October last year.

None of these problems are unfixable, and the researchers are in contact with ToyTalk and are patching up the holes. But, given the somewhat sensitive nature of the doll in these days of worry over privacy, they should really have been fixed earlier.

"ToyTalk were great to work with," Bluebox's lead security analyst Andrew Blaich told The Reg. "Within a day of us getting in touch they were patching their systems, which is almost unheard of for this kind of internet of things device, and they had already updated SSLv3 to bar POODLE attacks."

So if you're buying a Hello Barbie for your little snowflake this Christmas, there shouldn't be too much to worry about – apart from the doll's option to report back its conversations with children to their parents. That could cause a few problems, particularly if the little tyke asks why mummy shouts to Jesus when the postman comes around. ®

Update

"We have been working with Bluebox and appreciate their Responsible Disclosure of several issues with respect to Hello Barbie. We have already fixed many of the issues they raised, such as removing the weaker SSLv3 ciphers from our servers," ToyTalk told El Reg.

"We used an industry standard implementation and added client certificate authentication, above and beyond what most Internet-connected devices do, as a way to deter a casual attacker but this implementation can pose a vulnerability to a sophisticated hacker."

"It is important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access to WiFi passwords, no access to child audio data, and cannot change what the doll says."

 
