Hello Barbie: She's just insecure

Researchers revealed new flaws in the doll Friday, adding to problems publicized last week. Hello Barbie's software maker is racing to patch security bugs during the holiday shopping season.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
Enlarge Image

Researchers have found security flaws in Mattel's Hello Barbie. Software manufacturers are racing to patch her up.

Ben Fox Rubin/CNET

Hello, Barbie. Can we talk? Security researchers are worried about your safety.

New data released Friday by security firm Bluebox reveals even more vulnerabilities in Hello Barbie, the $75 Internet-connected doll from Mattel.

Researchers found the application and the cloud server that connect the doll to the Internet would allow attackers to cut through security protections and access recordings of children's conversations with Barbie. That's probably enough to put Barbie on the naughty list this holiday.

Friday's revelation about the iconic doll follows a related problem made public last week by a different researcher, Matt Jakubowski. He said he'd discovered a flaw that would potentially allow hackers to pinpoint home addresses of doll owners.

Barbie isn't the only toy that's run into safety or privacy concerns related to its Internet connection. Last month, hackers stole account information of more than 6.4 million children who use the Learning Lodge app store for VTech toys. The company has since hired a high-profile cybersecurity incident-response team to deal with the aftermath.

Such security concerns could give parents second thoughts about buying the Internet-connected toys on their children's holiday wish lists. The timing is especially critical for Hello Barbie, which was released last month just in time for the holiday shopping season.

Mattel and software maker ToyTalk are racing to patch the security problems with the doll.

ToyTalk has fixed some of the flaws in the software it built for Hello Barbie and is working its way through the others. It also set up a "bug bounty" program about two weeks ago to streamline reporting from any other researchers looking into the doll's software.

Despite the recent flurry of software patches for Hello Barbie, ToyTalk executive Martin Reddy said the company built in security features from the very beginning and had a cybersecurity company audit the toy before taking it to market.

"Security has been a major focus throughout the entire process, and I think we've done a very good job of it," Reddy said. "I'm very proud of the [doll]."

A Trojan horse of a different sort

The way Hello Barbie works seems magical at first glance. Children talk with Barbie, and her necklace lights up to show she's listening. Then she talks back. Behind the scenes, the doll wirelessly communicates with a companion app and ToyTalk's service on the Internet.

A hack on the doll's software could have wide-ranging consequences. Once Jakubowski opened up Hello Barbie doll and hacked it, he pulled out information that would allow him to send signals to other Hello Barbies from a web browser, where he would pose as the companion app. Meanwhile, the Bluebox researchers found flaws in the companion app, as well as ToyTalk's website account service.

Hackers could "potentially take the voice recordings and ... reconstruct it as the child recorded it. Or, as the 36-year-old security researcher recorded it," said Andrew Hay, who helped Bluebox research the doll.

The good news is that the flaws are easy to fix, both TechTalk and the security researchers said. And so far there aren't indications that hackers have actually used the bugs to intrude on real-life children at play. All told, the flaws were not exactly direct paths to Hello Barbie's beating heart.

To the potential relief of parents, not all Internet-connected dolls are made similarly to Hello Barbie. For example, the My Friend Cayla doll also talks with children, but she doesn't record conversations or send recordings to the cloud like Barbie does. Tim Medin, a security researcher at Counter Hack, attempted to hack Cayla in January and came up with a few flaws that required hackers to get physical access to the doll or at least get very close.

In the process, he made Cayla respond to him with some foul comments, which did get some negative attention for the doll. But unlike with Hello Barbie, researchers needed physical access to Cayla, and the doll wasn't susceptible to attacks over the Internet.

"Cayla was basically the subject of a tech prank," said Peter Magalhaes, general manager of Cayla manufacturer Genesis.

For Barbie, not so much.

Updated 12/4 at 12:08 p.m. PT: Additional context has been added to this story to explain how hackers could communicate with Hello Barbie.

Watch this: Saying hello to Hello Barbie