Hello Barbie poses threat to children's privacy

News by Danielle Correa

The new hackable Hello Barbie doll is giving a way into the minds of children.

Hello Barbie is the first Barbie doll that has artificial intelligence, allowing the doll to listen to what is said around it. It then stores the information in the cloud when its belt buckle is pressed.

NBC Chicago reports that the dialogue saved in the cloud can later be accessed through a smartphone to communicate with the people it is interacting with. The Campaign for a Commercial-Free Childhood (CCFC) has protested against parents who purchase the doll, since it poses a threat to children's privacy. The CCFC has gone as far as launching a “Hell No Barbie” campaign, setting forth arguments that plead with parents to stay away from the doll.

“Children confide in dolls and reveal intimate details about their lives, but Hello Barbie won't keep those secrets. When Barbie's belt buckle is held down, everything your child says is transmitted to cloud servers where it will be stored and analysed by ToyTalk, Mattel's technology partner. Employees of ToyTalk and their partner corporations listen to recordings of children's conversations, and ToyTalk won't even say who their partners are,” the CCFC stated.

Security researcher Matt Jacubowski, who contributed to the NBC findings, revealed that he successfully hacked the doll's operating system and was able to gain access to Wi-Fi network names, the internal MAC address, account IDs and MP3 files. With this information, Jacubowski could easily get into a home network, listen to the recordings made by Barbie and modify the doll to suit his needs. “It's just a matter of time until we are able to replace their servers with ours and have her say anything we want,” says Jacubowski.

ToyTalk noted that “no children's audio was accessed, no passwords were compromised, and no dolls were made to say anything unintended.” Jacubowski commended the company on its security protocols.

ToyTalk intends to launch a bug bounty programme in the future for researchers to discover vulnerabilities in the doll. 

UPDATE: ToyTalk's privacy policy reads, “We cannot prevent children from providing personal information when they talk with Hello Barbie, and such information may be captured in the recordings. However, it is our policy to delete such personal information where we become aware of it.”

