Privacy advocates are concerned that attackers can hack the new Hello Barbie doll and gain access to our children’s most intimate thoughts.
According to a report by NBC Chicago, Hello Barbie is the first Barbie doll equipped with artificial intelligence (AI). When its belt buckle is pressed, the doll listens to what is being said and stores it in the cloud. The doll then uses those utterances, which can be accessed later via smartphone, to communicate with whomever is interacting with it.
These capabilities have raised the ire of the Campaign for a Commercial-Free Childhood (CCFC), which has spoken out against parents purchasing this doll because of the threat to children’s privacy:
“This holiday season, Mattel hopes to make Hello Barbie, a doll that records and analyses children’s private conversations, a must-have toy,” explains the CCFC. “But experts agree: it’s a threat to children’s privacy, wellbeing and creativity. Children confide in dolls and reveal intimate details about their lives, but Hello Barbie won’t keep those secrets. When Barbie’s belt buckle is held down, everything your child says is transmitted to cloud servers where it will be stored and analyzed by ToyTalk, Mattel’s technology partner. Employees of ToyTalk and their partner corporations listen to recordings of children’s conversations, and ToyTalk won’t even say who their partners are.”
The CCFC has even gone so far as to launch a “Hell No Barbie” campaign, in which it sets forth eight arguments for why parents should stay away from the new Barbie doll. Besides raising privacy concerns, the CCFC contends that the doll undermines children’s creative play and wrongfully takes the place of a genuine listener to children’s conversations.
And then there’s the fact that Hello Barbie can be hacked.
In the NBC report, security researcher Matt Jacubowski reveals that he was able to hack the doll’s operating system and, in his words, “get some data out of it that I probably shouldn’t have.” This included Wi-Fi network names, its internal MAC address, account IDs, and MP3 files.
Using this information, Jacubowski said he could easily gain access to a home network, listen in on everything that Barbie records, and modify the doll to suit his needs:
“It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”
In response to Jacubowski’s findings, ToyTalk has stated that the hack, while concerning, “does not identify the child, nor does it compromise any audio of a child speaking.”
But “compromise” is a fluid term in this context. While ToyTalk says it adheres to federal guidelines, it also states that some data recorded by Hello Barbie could be shared with the company’s vendors for speech-recognition research. Similar behaviour has got Smart TV manufacturers into hot water in the past.
Such terms have led law professor Lori Andrews to label the doll “a miniature surveillance device.”
ToyTalk has announced that it intends to launch a bug bounty program in the future so that researchers like Jacubowski can find security vulnerabilities in the doll. But that might be small comfort for parents concerned about their children’s privacy.
We live in a world of the Internet of Things, and without a doubt, there will be more toys like Hello Barbie down the road.
The question is what kind of childhood we as parents want our children to enjoy. Do we want our children to be talking to IoT devices? Or do we want them to direct their creativity elsewhere?
Only we can make that choice, but I foresee we will need to make that decision again and again going forward.