Watch out world, here comes Hello Barbie, an internet-connected smart Barbie. What could possibly go wrong?

Watch out world, here comes an internet-connected version of Barbie, complete with a wireless connection, microphone, speaker, advanced voice recognition capabilities, and a “customized cloud-based database of her owner’s likes and dislikes” so Barbie can have “real” back and forth conversations with her owner. Hello Barbie is expected to sell for $75 by the holiday shopping season.

Mattel showed off a “smart” Barbie prototype on Valentine’s Day at the New York Toy Fair. The BBC reported that Hello Barbie will be able to play interactive games, tell stories, jokes and “listen to the child’s conversation and adapt to it over time. For instance, if a child mentions that they like to dance, the doll may refer to this in a future chat.”

Mattel has partnered with ToyTalk to make the Internet-connected version of Barbie. ToyTalk CEO Oren Jacob told Fast Company, “The most requested thing that kids have wanted to do with Barbie, and Mattel’s done unbelievable amounts of research over the course of decades, is to talk to Barbie. That’s the number one request over all demographics, over all geographies, of all time. For the first time we’re doing that for real now.”

“A microphone, speaker and two tricolor LEDs will be embedded in the doll’s necklace, while rechargeable batteries in its legs can be connected to an external wall-mounted charger,” the BBC reported. “The doll requires a Wi-Fi connection and can provide an hour’s worth of playtime when fully charged.”

Just last month, the “first” smart doll Cayla was hacked.
Despite British toymaker Vivid Toys promising its software would block inappropriate words, security researcher Ken Munro from Pen Test Partners discovered four attacks to make Cayla spew curse words: by modifying the “database contents on the child’s phone;” via a MITM (man-in-the-middle) attack; by “backdooring” the Cayla doll; and by “random pairing,” such as when the doll’s owner gets out of range; it took just one tap for an attacker’s device to pair with the doll’s Bluetooth functionality.

Munro showed the Mirror how Cayla could “quote Hannibal Lecter and 50 Shades of Grey.” Other examples of Cayla’s modified response included responding to “hello” with “I could be feeding hacker filth straight to your children. Does that worry you?” Although there were 1,500 blocked “bad words” in Cayla’s local database, Munro said, “With our modified data dictionary file we can get Cayla to swear like a docker, a very sweary docker at that.” Since then, Vivid Toys called the problem an “isolated case” but issued a patch via an upgraded app to prevent Cayla from acquiring a potty mouth.

Munro is now eyeing Barbie for potential vulnerabilities, but so far that is without physically having the doll. On the good side, he said, “Fashion conscious Barbie also appears to be security conscious – her belt buckle is a push-to-talk device – she only listens when you want her to. That’s a relief.”

“Unlike Cayla,” Munro wrote, “Barbie collates audio in order to drive improved responses. The server side audio processing and response engine looks pretty awesome, some cool AI is claimed. Parents can also create online accounts to interface with the engine in order to customize Barbie’s responses too. That’s really neat, but opens up a whole new set of attack vectors that simply don’t apply to Cayla…Parents would never re-use a password for that interface from elsewhere, would they?”

Indeed ToyTalk CEO Jacob told Newsweek, “If a parent chooses, the company will create and store audio files of the child-doll conversations on its website. In order to access the files, parents will have to verify it is them by logging in. If hackers figure out that password, however, the conversation is then accessible to them as well.”

If you intend to get your child an IoT version of Barbie, please be wise about creating a strong password in order to protect you and your child’s privacy.
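Added example, not from the article and not code from Vivid Toys or ToyTalk: the Cayla bypass described above works because the blocklist and response table sit in a file on the phone that the app trusts unchecked, so this Python sketch has the back end tag the dictionary with an HMAC before shipping it, has the app refuse a file whose tag fails to verify, and runs the blocklist over every reply before it is spoken. The key (a shared secret here, where a real deployment would give the app only a public verification key), file layout, word lists and function names are constructed assumptions; a fully compromised phone can still patch the app itself, which is why the server, not the file, has to remain the authority on what the doll says.

```python
import hashlib
import hmac
import json

# Constructed sample data (not Cayla's real dictionary): a tiny response
# table plus a blocklist, serialised the way the app would store it on disk.
SIGNING_KEY = b"example-key-do-not-use"  # assumption: shared with the app

def serialise(dictionary: dict) -> bytes:
    # Canonical JSON so the tag is stable regardless of key order.
    return json.dumps(dictionary, sort_keys=True, separators=(",", ":")).encode()

def sign_dictionary(dictionary: dict, key: bytes) -> str:
    """Server side: tag the dictionary before shipping it to the phone."""
    return hmac.new(key, serialise(dictionary), hashlib.sha256).hexdigest()

def load_dictionary(blob: bytes, tag: str, key: bytes) -> dict:
    """Client side: refuse to load a file whose tag does not verify."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("dictionary tag mismatch: file was modified")
    return json.loads(blob)

def respond(dictionary: dict, prompt: str) -> str:
    """Look up a reply and apply the blocklist before it is spoken."""
    reply = dictionary["responses"].get(prompt.lower(), "I'm not sure.")
    blocked = {w.lower() for w in dictionary["blocked"]}
    if any(word.strip(".,!?").lower() in blocked for word in reply.split()):
        return "Let's talk about something else."
    return reply

GOOD = {"responses": {"hello": "Hi! Want to play a game?"},
        "blocked": ["filth", "hacker"]}

def demo():
    tag = sign_dictionary(GOOD, SIGNING_KEY)
    ok = load_dictionary(serialise(GOOD), tag, SIGNING_KEY)
    # Someone edits the file on the phone: new "hello" reply, empty blocklist.
    tampered = {"responses": {"hello": "I could be feeding hacker filth to your children."},
                "blocked": []}
    try:
        load_dictionary(serialise(tampered), tag, SIGNING_KEY)
        rejected = False
    except ValueError:
        rejected = True
    return respond(ok, "hello"), rejected

if __name__ == "__main__":
    print(demo())
```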