Hello Barbie, hello another kid security nightmare

Connected kids' toys continue to face growing pains, with Mattel's Hello Barbie the latest to show worrying flaws that could leave children exposed to hacks. The talking, WiFi-connected doll was announced earlier this year, as Mattel attempted to bring its iconic dress-up toy into the 21st century by allowing her to react to and learn from the child playing with her.

That had already prompted a number of privacy concerns, with the toy – and, specifically, the interactive services powered by ToyTalk – facing criticism from the Campaign for a Commercial-Free Childhood (CCFC), which suspected it of feeding marketable data back to advertisers.

Now, though, it's the digital security of the Hello Barbie itself that has come under fire. Researchers at BlueBox dug through the companion app and the server-side services, finding a number of potentially perilous weaknesses.

For instance, the doll will link up to any unsecured WiFi network hosted by a mobile device, just as long as it has "Barbie" in the network name, and the authentication credentials can be reused.

Some of the code in the app "serves no function but increases the overall attack surface," BlueBox's researchers say. On the server, meanwhile, there are weaknesses in how certificate-based authentication credentials are handled, and ToyTalk's server domain was discovered to be running on infrastructure with known vulnerabilities.

BlueBox informed ToyTalk of the findings before releasing them publicly, and says that several of the issues have, as a result, been fixed. Nonetheless, some of the potential consequences of a compromised toy were disturbing.

For instance, an attacker could have accessed recordings of a child's conversations with the Hello Barbie doll.

Patchy security for devices intended to be used by kids has been in the headlines recently, following the high-profile hack of toy tablet manufacturer VTech. The company admitted that data on millions of parents and children had been exposed because of flaws in its app server, while other researchers have taken the firm to task over inherent flaws in its low-cost gadgets.

One such project discovered that all user data a child saved on a VTech tablet was stored on a removable microSD card, and could still be accessed if the toy was lost, sold, or stolen.

The Hello Barbie revelations are likely to draw greater attention to the security – or absence of it – around connected and Internet of Things devices, which is concerning given the increasing number of web-enabled gadgets found in the average smart home.