Hello Barbie: All I want for Christmas is an invasion of my privacy
One gift my five-year-old daughter has requested from Santa this year is a Barbie doll. Innocuous enough, right? I mean, it’s sexist and promotes an ideal of what a woman should look like that is both unattainable and disturbing, but still, pretty innocuous. (In her defense, she also asked for a guitar so I’ll forgive her and continue my dream that she’ll slay it like Joni Mitchell one day, but I digress). But, when I started looking into the particular Barbie doll she wanted, I became more disturbed.
The particular Barbie is called “Hello Barbie,” but if you ask me, Mattel should have thought about calling her “Hacker Barbie.” Here is why. You see, Hello Barbie, which sells for about $75, uses a microphone, voice recognition software and computer artificial intelligence to allow a call/response function.
The doll works via a free mobile app (iOS or Android) that first requires the user to create an account with the technology developer (Mattel partnered with ToyTalk to develop the technology), and connects the doll to the child’s Wi-Fi network. When the child holds down the doll’s belt buckle and speaks to the doll, the audio is sent to ToyTalk’s servers to perform speech recognition and artificial intelligence. Barbie’s response is then sent back to the doll to be played through its speaker. It’s like Siri in doll form.
I get the draw. I always wanted my dolls to talk back to me, and now they can. However, like all devices that connect to a server via a Wi-Fi connection, likely hackable.
While ToyTalk claims the Wi-Fi password is stored in a hardware-encrypted section of the doll and that it has no mechanism to return a password once it gets stored on the doll, i.e., write-only, and that the user’s username and password are not stored in the app, it is still unclear how safe the toy is. That being said, ToyTalk notes on its Tumblr page that “the doll has been certified as compliant with COPPA (Children’s Online Privacy Protection Act) by kidSAFE, an independent FTC authorized safe harbor certification provider.”
One individual claims he was able to get into the doll and access the user’s system information, Wi-Fi network names, internal MAC address, MP3 files, and account ID information. All information that can be used to find someone’s location and personal information and allow someone to access the user’s home network and listen to whatever the doll recorded. The potential ramification is that a hacker could go so far as to replace the doll’s servers with whatever server the hacker wanted and have the doll say pretty much anything to the child.
Mattel has ensured safety protocols are in place, including a function that requires a valid client-side cert to access any data when the doll is in Wi-Fi mode; HTTPS to guard against eavesdropping; and one that limits the data that it can accept, which thereby limits the amount of information available in an attack.
Regardless of the safety measures, the doll can still be hacked… like all Internet-enabled devices, which still means that if a child’s conversations with Hello Barbie are recorded, this information could be obtained by an outside, maybe nefariously-acting, third-party actor.
I don’t know if the information that might be obtained from the doll has much value, it is a kid’s conversation with a doll after all, but this advancement in toy technology certainly does raise concerns. It will be interesting to see where we are in terms of technology-advanced toys a year from now. My final thought though is, if this technology is so secure, as ToyTalk claims, why isn’t this type of security required for all similar devices/products? It seems companies can do better in protecting, not only our children, but everyone.
In the meantime, my daughter will be getting a guitar… and a drum set… and singing lessons. Hey, there is nothing wrong with wanting a tiny Dave Grohl living in your house! Hello Barbie will have to wait.