Hello Barbie Found By Others To Be More Insecure Than Originally Thought

Last week, I brought you the story of “Hello Barbie”, a Barbie doll that kids could speak to and that would respond. It was also discovered to be really insecure, as it could be hacked to spy on kids, or an attacker could take full control of the doll. At the time, one of the companies behind it said this:

Mattel partnered with a company named ToyTalk to develop “Hello Barbie.” ToyTalk CEO Oren Jacob said this:

“An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge.”

To which I responded with this:

Mr. Jacob has basically baited every single hacker on Earth to pwn Barbie. And trust me, that will happen.

Guess what? The pwning has begun according to The Register:

After unboxing, Hello Barbie is set up with a Wi-Fi connection that allows the owner’s questions to be sent to a remote server, analyzed, and an appropriate response sent back. The iOS and Android mobile app required to do this has some fairly basic errors, according to Bluebox Labs and Andrew Hay, director of research at OpenDNS.

The app uses client certificate authentication to talk to the main servers, and password-protects the certificate. But the password is hardcoded into the app’s executable and can be reverse-engineered, the researchers report, or the certificate obtained from the app after it has been decrypted.

The doll is also set up as a wireless access point with the name “Barbie” followed by four random alphanumeric characters. When the mobile app searches for an access point, it will connect to any network with the phrase Barbie in its name. This makes spoofing a connection easy and resulting traffic susceptible to surveillance.

On the server side, the team spotted that ToyTalk, Mattel’s tech partners on Hello Barbie, use SSLv3 for encryption – meaning it is susceptible to the POODLE attack first reported in October last year.

#Fail.

Now the group is working with ToyTalk to fix these holes. But these holes shouldn’t have existed in the first place. Thus this is a toy that I would give a pass on if I were you. And don’t be shocked when more people find more ways to pwn Barbie.
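To make the access point issue from The Register's report concrete, here is an added example (not from the original post and not ToyTalk's code) that puts the reported "any name containing Barbie" match beside a stricter one. The exact SSID format beyond "Barbie plus four alphanumeric characters", the function names and the scan data are assumptions made for illustration.

```python
import re

# The article says the doll's access point is "Barbie" followed by four random
# alphanumeric characters. Assumed here: no separator, ASCII letters and digits.
DOLL_SSID = re.compile(r"Barbie[A-Za-z0-9]{4}")

def loose_match(ssid):
    """The reported behaviour: any network with 'Barbie' in its name."""
    return "Barbie" in ssid

def strict_match(ssid):
    """Accept only the full documented shape of the doll's SSID."""
    return DOLL_SSID.fullmatch(ssid) is not None

def pick_setup_network(scan):
    """Return the (ssid, bssid) to offer for setup, or None if ambiguous.

    scan is a list of (ssid, bssid) pairs from one Wi-Fi scan. A single doll
    is a single radio, so more than one strict match (a second name, or the
    same name from a second BSSID) is treated as ambiguous and left to the
    user rather than auto-joined.
    """
    matches = sorted({(s, b) for s, b in scan if strict_match(s)})
    return matches[0] if len(matches) == 1 else None

# Constructed scan results (SSID, BSSID); none of these are from the article.
SCAN_CLEAN = [
    ("HomeNet", "02:00:00:00:00:01"),
    ("Barbie7f3Q", "02:00:00:00:00:02"),
    ("FreeBarbieWiFi", "02:00:00:00:00:03"),
    ("Barbie7f3Q-guest", "02:00:00:00:00:04"),
]
# Same doll name advertised by a second radio.
SCAN_DUPLICATE = SCAN_CLEAN + [("Barbie7f3Q", "02:00:00:00:00:05")]

if __name__ == "__main__":
    print([s for s, _ in SCAN_CLEAN if loose_match(s)])  # three networks accepted
    print(pick_setup_network(SCAN_CLEAN))                # one unambiguous match
    print(pick_setup_network(SCAN_DUPLICATE))            # None: ask the user
```

A stricter name check only narrows what the app will consider. An SSID can be broadcast by anyone, so the app still has to authenticate whatever it ends up talking to.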
