Hello Barbie brings smiles to kids, nightmares to privacy advocates

David Bisson

Privacy advocates are concerned that attackers can hack the new Hello Barbie doll and gain access to our children’s most intimate thoughts.

According to a report by NBC Chicago, Hello Barbie is the first Barbie doll equipped with artificial intelligence (AI). When its belt buckle is pressed, the doll listens to what is being said and stores it in the cloud. The doll then uses those utterances, which can be accessed later via smartphone, to communicate with whomever is interacting with it.


These capabilities have raised the ire of the Campaign for a Commercial-Free Childhood (CCFC), which has spoken out against parents purchasing this doll because of the threat to children’s privacy:

“This holiday season, Mattel hopes to make Hello Barbie, a doll that records and analyses children’s private conversations, a must-have toy,” explains the CCFC. “But experts agree: it’s a threat to children’s privacy, wellbeing and creativity. Children confide in dolls and reveal intimate details about their lives, but Hello Barbie won’t keep those secrets. When Barbie’s belt buckle is held down, everything your child says is transmitted to cloud servers where it will be stored and analyzed by ToyTalk, Mattel’s technology partner. Employees of ToyTalk and their partner corporations listen to recordings of children’s conversations, and ToyTalk won’t even say who their partners are.”

The CCFC has even gone so far as to launch a “Hell No Barbie” campaign, in which it sets forth eight arguments for why parents should stay away from the new Barbie doll. Besides raising privacy concerns, the CCFC contends that the doll undermines children’s creative play and wrongfully takes the place of a genuine listener to children’s conversations.


And then there’s the fact that Hello Barbie can be hacked.

In the NBC report, security researcher Matt Jacubowski reveals that he was able to hack the doll’s operating system and, in his words, “get some data out of it that I probably shouldn’t have.” This included Wi-Fi network names, its internal MAC address, account IDs, and MP3 files.

Using this information, Jacubowski said he could easily gain access to a home network, listen in on everything that Barbie records, and modify the doll to suit his needs:

“It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”

In response to Jacubowski’s findings, ToyTalk has stated that the hack, while concerning, “does not identify the child, nor does it compromise any audio of a child speaking.”


But “compromise” is a fluid term in this context. While ToyTalk says it adheres to federal guidelines, it also states that some data recorded by Hello Barbie could be shared with the company’s vendors for speech-recognition research. Similar behaviour has got Smart TV manufacturers into hot water in the past.

ToyTalk’s privacy policy also reveals that the company would report a conversation that endangers the safety of a child or others to law enforcement and would respond to legal subpoenas.

Such terms have led law professor Lori Andrews to label the doll “a miniature surveillance device.”

ToyTalk has announced that it intends to launch a bug bounty program in the future so that researchers like Jacubowski can find security vulnerabilities in the doll. But that might be small comfort for parents concerned about their children’s privacy.


We live in a world of the Internet of Things, and without a doubt, there will be more toys like Hello Barbie down the road.

The question is what kind of childhood we as parents want our children to enjoy. Do we want our children to be talking to IoT devices? Or do we want them to direct their creativity elsewhere?

Only we can make that choice, but I foresee we will need to make that decision again and again going forward.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Hello Barbie brings smiles to kids, nightmares to privacy advocates”

  1. coyote

    A Barbie doll has AI? I won't question what kind of AI it has but I will state that the only real intelligence needed is that of the child – combined with their imagination. Well, and perhaps the missing intelligence (and/or awareness and/or intuition) from the person who buys the doll for their child (maybe the doll can teach them? It may indirectly and unintentionally do so). This doll is anything but a doll e.g. a privacy invasion nightmare waiting to happen. A bounty award won't really make the lives of parents or children better because the flaws are still there and any fixes will be replaced by a new flaw (or a way to circumvent the fix). And those affected by any problems before they are fixed won't feel better in the matter (and having a bug bounty does not mean everyone will report bugs). Worse is the fact they dismiss the concerns and point out they follow federal guidelines – which means a lot but nothing positive.

    What when the guidelines change? What if the guidelines are flawed? It's not like governments can keep their own secrets so what would they know about privacy? I'll tell you what they know about privacy – they know things they shouldn't know in the first place (from the so-called privacy of people in this world) that have nothing to do with running a country (but they claim it does). But as for keeping secrets or respecting privacy? Many (all?) nations have a lot of proving to do here.

    I suppose they dismiss the concerns because they are ignorant to the real risks but it doesn't excuse it – it is worse because they should instead listen to those who actually have a clue. Yet I'm not surprised; the only thing I'm surprised about is how few culprits exist yet. But it's not 'if' but 'when'.
