Goodbye, Hello Barbie: Wireless toy dogged by POODLE SSL hole
Mattel’s Hello Barbie doll, the Wi-Fi-equipped playmate that talks to its owner and reports back on the conversations to mummy and daddy, has more security problems than first thought – this time on the software side.
Last week security researcher Matt Jakubowski found that it was relatively easy to purloin wireless network names, account IDs, and MP3 files from the toy. Now an examination by a different team has found that both the mobile app controlling the doll and the server-side systems used by the plastic playthings also have serious issues.
After unboxing, Hello Barbie is set up with a Wi-Fi connection that allows the owner’s questions to be sent to a remote server, analyzed, and an appropriate response sent back. The iOS and Android mobile app required to do this has some fairly basic errors, according to Bluebox Labs and Andrew Hay, director of research at OpenDNS.
The app uses client certificate authentication to talk to the main servers, and password-protects the certificate. But the researchers report that the password is hardcoded into the app’s executable and can be recovered by reverse-engineering, or the certificate can be obtained from the app after it has been decrypted.
The doll is also set up as a wireless access point with the name “Barbie” followed by four random alphanumeric characters. When the mobile app searches for an access point, it will connect to any network with the phrase Barbie in its name. This makes spoofing a connection easy and leaves the resulting traffic susceptible to surveillance.
On the server side, the team spotted that ToyTalk, Mattel’s tech partners on Hello Barbie, use SSLv3 for encryption – meaning it is susceptible to the POODLE attack first reported in October last year.
None of these problems are unfixable, and the researchers are in contact with ToyTalk and are patching up the holes. But, given the somewhat sensitive nature of the doll in these days of worry over privacy, they should really have been fixed earlier.
“ToyTalk were great to work with,” Bluebox’s lead security analyst Andrew Blaich told The Reg. “Within a day of us getting in touch they were patching their systems, which is almost unheard of for this kind of internet of things device, and they had already updated SSLv3 to bar POODLE attacks.”
So if you’re buying a Hello Barbie for your little snowflake this Christmas, there shouldn’t be too much to worry about – apart from the doll’s option to report back its conversations with children to their parents. That could cause a few problems, particularly if the little tyke asks why mummy shouts to Jesus when the postman comes around. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/wireless_barbie_slipshod_security/