Security risks discovered in Mattel's Hello Barbie demonstrate Internet of Things security concerns
With the introduction of Hello Barbie, Mattel has brought one of the world's most recognizable toys into the Internet of Things era. The Wi-Fi-connected doll holds real-time conversations by recording audio and uploading it to the cloud, where an artificial-intelligence service generates the response that the doll speaks back.
For any connected device, strong security must take into account not just the device itself but the full set of apps and infrastructure it depends on. Together with independent security researcher Andrew Hay, Bluebox Labs examined the security of the mobile components of Hello Barbie. This joint research covers the mobile app (both the iOS and Android versions), developed by Mattel partner ToyTalk, as well as the communications between the app and ToyTalk's cloud-based servers.
We discovered several issues with the Hello Barbie app including:
- It relies on an authentication credential that an attacker can capture and reuse
- It connects the mobile device to any unsecured Wi-Fi network whose name contains "Barbie", so a rogue open access point with that name is enough to attract the device
- It shipped with unused code that serves no function in the app but enlarges its attack surface
On the server side, we also discovered:
- The client certificate credentials used for authentication can be lifted out of the app and used by an attacker to probe any of the Hello Barbie cloud servers
- The ToyTalk server domain was hosted on cloud infrastructure that still accepted SSLv3 and was therefore susceptible to the POODLE attack
Prior to publication of this research, Bluebox Labs disclosed all critical security issues to ToyTalk. Thanks to their fast response, a number of the issues have already been resolved.
All of the issues discovered point to the need for more secure app development, and for building self-defending capabilities not only into stand-alone mobile apps but also into the apps that power IoT devices like Hello Barbie. Ultimately, this research demonstrates that the security of the mobile apps associated with IoT devices must be a higher priority.
Download the full research report to learn the details and how self-defending apps can help IoT devices.