Hello Barbie’s POODLE problem, and other security issues with internet-connected doll

Graham Cluley

Hello Barbie, the internet-connected talking doll from toymaker Mattel, isn’t receiving the best publicity at the moment.

We have had concerns raised by privacy advocates about Hello Barbie, and now more researchers are uncovering security problems.


Bluebox Labs has published a report uncovering that the toy’s smartphone app is not only vulnerable to hackers intercepting communications as they are sent up to its internet servers, but also that those servers were vulnerable to the POODLE attack disclosed in October 2014:


We discovered several issues with the Hello Barbie app including:

  • It utilizes an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
  • It shipped with unused code that serves no function but increases the overall attack surface

On the server side, we also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Bluebox Labs says it informed Hello Barbie app developer ToyTalk about the issues prior to publication, and “a number of the issues have already been resolved.”

As I described in a video at the time, the POODLE vulnerability provides a way for hackers to trick your browser into using a weaker form of encryption (SSL 3.0) which contains bugs that can be exploited to snoop upon your communications.
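Accepting SSL 3.0 at all is the server-side precondition for that downgrade. The following is an added example, not code from Bluebox Labs' report or from ToyTalk: a Python check that builds a ClientHello whose highest offered version is SSL 3.0 and classifies the first record a server sends back, so an operator can confirm their own server refuses the protocol. The function names are this example's own, and the sample replies are constructed bytes rather than captures.

```python
import os
import struct

NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def ssl3_client_hello() -> bytes:
    """ClientHello whose highest offered version is SSL 3.0 (send only to servers you operate)."""
    suites = struct.pack(">3H", 0x002F, 0x0035, 0x000A)  # CBC suites, the mode POODLE relies on
    body = (b"\x03\x00" + os.urandom(32) + b"\x00"       # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify_reply(reply: bytes) -> str:
    """Classify the first record a server returns to ssl3_client_hello()."""
    if len(reply) < 5:
        return "inconclusive: short or empty reply"
    ctype, _major, _minor, length = struct.unpack(">BBBH", reply[:5])
    payload = reply[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:              # alert record: handshake refused
        return f"rejected: alert level={payload[0]} description={payload[1]}"
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        version = (payload[4], payload[5])               # server_version follows the 4-byte header
        if version == (3, 0):
            return "accepted: server negotiated SSL 3.0, disable it"
        return "negotiated " + NAMES.get(version, f"unknown {version}")
    return "inconclusive: unexpected record"

# Constructed sample replies (not captured from any real server).
_hello_body = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
_handshake = b"\x02" + len(_hello_body).to_bytes(3, "big") + _hello_body
SAMPLE_ACCEPTS_SSL3 = b"\x16\x03\x00" + struct.pack(">H", len(_handshake)) + _handshake
SAMPLE_REJECTS_SSL3 = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal alert, handshake_failure (40)

if __name__ == "__main__":
    for name, sample in [("accepts", SAMPLE_ACCEPTS_SSL3), ("rejects", SAMPLE_REJECTS_SSL3)]:
        print(name, "->", classify_reply(sample))
```

A server with SSL 3.0 disabled answers with an alert record (or closes the connection) instead of a ServerHello carrying version 3.0.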


What’s good is that ToyTalk appears to have fixed the bugs, including the POODLE vulnerability on its website.

What’s bad is that if Bluebox Labs had never told ToyTalk about the problems, maybe they would never have been fixed.

Too many manufacturers are rushing to create products that are internet-enabled, without taking security seriously.

It’s understandable that consumers should be particularly concerned when risky products are entering their households under the guise of being harmless kids’ toys – such as the VTech early learning tools found lacking last week.



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

One comment on “Hello Barbie’s POODLE problem, and other security issues with internet-connected doll”

  1. Simon

    When will manufacturers learn to secure all facets as best as possible at the point of release? Furthermore, have the ability to patch/remedy such weaknesses afterwards?

    It must simply come down to cost cutting measures, poor Q/A, or ease of use/accessibility for their customers so it 'just works'.

    You have to give some marks to Mattel for at least attempting to use (if vulnerable) some form of SSL.

    Not only did VTech lack any SSL, they were using a deprecated version of ASP and their database fell victim to a SQL injection over the internet.
