Update: Hello Barbie Fails Another Security Test

The security firm Bluebox says the mobile applications used with Hello Barbie contain security flaws that could lead to the theft of passwords and other information.
The security firm Bluebox says the mobile applications used with Hello Barbie contain security flaws that could lead to the theft of passwords and other information.

In-brief: The security firm Bluebox says the mobile applications used with Hello Barbie contain security flaws that could lead to the theft of passwords and other information.

Update: this story was updated to include comment from Bluebox and ToyTalk. PFR 12/4/2015

With the holiday shopping season in full swing, security researchers are raising a red flag about one of the most sought after toys on the market: Mattel’s Hello Barbie, an update to the American classic that adds real-time, natural language processing features allowing Barbie to “talk” with her owner.

The security firm Bluebox Security Security said that it discovered security flaws in the mobile application that comes with Hello Barbie, made by the venture-funded startup ToyTalk. Among other things, the researchers warn that the application is plagued by a myriad of authentication woes that could leak owner passwords, or allow an attacker to re-use stolen credentials to access other, linked web properties.

In an email statement, ToyTalk’s CTO said the vulnerabilities discovered by Bluebox have been patched and that their impact is limited and does not expose sensitive data.

The research is just the latest to reveal security flaws with connected toys. Last week, the hack of VTech, a maker of technology products for children, exposed sensitive data on millions of children, including photos and personally identifiable information.

In the case of Hello Barbie, the revelations are far less sensational than VTech – but still concerning. Bluebox, working with independent security researcher Andrew Hay, said it found that the problems the firm discovered “point to the need for more secure app development,” and better protections for mobile applications that accompany connected devices – including toys like Hello Barbie.

Hello Barbie is a new generation of the toy that sports a realtime connection to the Internet for the purposes of allowing the doll to listen to and processing language from its owner in real time. Recorded snippets of conversation are captured by the doll and relayed to “ToyTalk” servers in the cloud for analysis. An appropriate response is then transmitted back to the Hello Barbie, allowing it to “talk back” to its owner.

Needless to say, that connectivity brings risk. Most concerning: Bluebox’s research revealed that the Mattel mobile application that accompanies Hello Barbie can be altered in a way that would enable an attacker to steal the credentials that allow the toy to communicate with ToyTalk servers. Bluebox also found that they could disable security features within the app, including so-called “certificate pinning” to ensure that only authenticated users can communicate with the ToyTalk servers.

Specifically, Bluebox discovered that a file dubbed “P12” that is packaged with both the iOS and Android versions of the Hello Barbie mobile application contains a hardcoded password that can be reverse engineered. While that password is protected, Bluebox researchers were able to export it in decrypted form by taking advantage of other application-level vulnerabilities.

The researchers also discovered that the Hello Barbie acts as an unsecured mobile hotspot during its initial set up, allowing the mobile application to connect to- and configure the doll. But Mattel’s mobile applications use simple string “contains” check for wireless networks with the word “Barbie” in their name when determining which wireless network to connect to. That would make it simple for a malicious actor to spoof a wireless network and trick the Hello Barbie application into authenticating to it.

“Since the app allows the mobile device to connect to an un-secured wireless access point, any network traffic from any app on the device would be susceptible to data collection and man in the middle attacks by a rogue access point,” Bluebox warned.

That, in turn, could open the door to attacks on the application and the phone it is running on.

Beyond that, insecurities in the Hello Barbie mobile application and doll could lead to more serious compromises of Mattel’s cloud based infrastructure, Bluebox warned. “If an attacker bypasses the authentication mechanism that was designed to keep out intruders as a first line of defense, he can investigate further the server side API components to look for vulnerabilities,” the company noted.

And the cloud infrastructure Mattel uses for ToyTalk uses insecure encryption protocols (SSLv3) and cipher suites, making it susceptible to the POODLE attack, a widely-noted exploit that allows an attacker to downgrade the security of the connection so that they can intercept and listen to the communications to the server such as the uploaded conversations.

There are some caveats. For one: dodgy encryption implementations are sadly common. A recent survey of web servers operated by 161 firms on the Forbes Global 2000 list by the firm Hitech Bridge found that a little over 18 percent were still vulnerable to POODLE over SSL. And BlueBox noted that, upon being told about it, doll maker ToyTalk has patched this issue and others raised by Bluebox and Hay. ToyTalk enabled over the air (OTA) updates for Hello Barbie, making it easy for the company to push out software updates.

In an e-mail statement to The Security Ledger, ToyTalk CTO Martin Reddy said that his company has been working with Bluebox and “appreciate their Responsible Disclosure of several issues with respect to Hello Barbie.”

“We have already fixed many of the issues they raised, such as removing the weaker SSLv3 ciphers from our servers.” he wrote. “It’s important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access WiFi passwords, no access to child audio data, and cannot change what the doll says,” he wrote. ”

On the issue of the P12 certificate on the app, Reddy said the company “always assumed that a sophisticated hacker would find this.” The company added client certificate authentication between the mobile application and the hosted, management servers to compensate for that and deter casual attackers.

This isn’t the first warning about Hello Barbie. In recent weeks, independent security researcher Matt Jakubowski raised many of the same warnings about extracting sensitive information from the Hello Barbie doll.  In response to that, ToyTalk founder and CTO Martin Reddy used a blog post to refute allegations that sensitive data was exposed by the doll.

Still, the issues discovered in Hello Barbie are part of a clear pattern, Bluebox said. “We have seen that IoT devices and their apps are commonly lacking in security and are unnecessarily vulnerable.”

The company, which makes mobile application security tools, said better protections need to be built into mobile applications that accompany toys. (No surprise there.)

In a blog post from November 26, Reddy said that his firm, which has received millions in venture funding, has invested “a lot of effort to build the safest experience possible for parents and their children” and that ToyTalk is “engaging the security community to address any concerns.” Among other things, the company has launched a security bug bounty program via the bounty platform Hackerone that allows researchers with information on vulnerabilities in ToyTalk’s products to receive payment for information on them.

Andrew Blaich of Bluebox said that ToyTalk’s security was solid – though not perfect – and he gave the company credit for being open to feedback from security researchers.

Still, Blaich said connected toy makers like Mattel and ToyTalk need to be conscious of the kind of data that they are gathering and saving. “If a doll is connected to the Internet but its not gathering any personal data, that’s one thing,” Blaich said. “But if the doll is gathering voice data or photos and then storing that on servers in the cloud, you need to be aware of that context and adjust your threat model to what the device is sharing and doing.”