Say “Hello” to the new IoT – the Internet of Toys, and It Can Be Just As Vulnerable

I recently wrote a blog post, So What Should Go Under the Tree This Year? The Drones Discussion Continues, and while it was mostly (as its title states) about drones, it also mentioned one of the hottest toys currently on the market. In fact the post ended with a link to a Chicago Tribune article:

Oh, and about that Hello Barbie…

Why parents should say goodbye to Hello Barbie

Watch this video.

And given that “Hello Barbie” is an Internet-connected toy driven by an app, I can say with 99.9% certainty that I expected this to happen next:

Fortune Barbie Hack

According to the writer, Hello Barbie, Mattel’s Internet-connected iconic doll, has a few insecurities. After extensive testing of the app, computer security researchers discovered several flaws that let attackers eavesdrop on communications between the doll and the cloud servers it connects to.

So how does Hello Barbie work exactly? The doll uses Wi-Fi to transmit audio of the child talking to it to servers that process the speech and prepare responses. In that sense the doll acts as a digital assistant, like Apple’s Siri or Microsoft’s Cortana. In addition, researchers found that phones with the app will automatically connect to any Wi-Fi network whose name includes “Barbie”. One more: according to the article, the servers the dolls connect to were also vulnerable to POODLE, an encryption-breaking bug that Google researchers disclosed more than a year ago.

A research director at OpenDNS (a Cisco-owned company) and researchers at Bluebox Security, a San Francisco-based mobile app security firm, found that the toy uses a digital ID that attackers can abuse, potentially letting them spy on the chatter between a doll and a server. The vulnerability affects both the Android and iOS versions of the Hello Barbie app.

A few days ago, The Guardian published an article, We shouldn’t let high-tech toys make children vulnerable to hackers, opening with: “This week saw the largest-ever hack targeting minors, described as an Ashley Madison-level breach. It serves as a reminder that kids can be targeted too.” When Ashley Madison and children’s playthings are referenced in the same sentence, it has to give you tremendous pause.

The reference was to VTech, a Hong Kong-based company that sells tablets, “learning” toys and apps designed for children, which experienced one of the largest-ever hacks targeting children. Nearly 5 million parent accounts and 6.4 million children’s profiles are believed to have been compromised. The article also noted that security experts have been warning about the potential vulnerabilities of many next-generation toys with features like Wi-Fi, data collection and voice recognition.


Reuters reported on December 1st that VTech was hit by the largest-ever hack targeting kids, which was determined to be a direct attack on the databases for its Learning Lodge app store and Kid Connect messaging system. Seth Chromick, a threat analyst with network security firm vArmour, made a cringe-worthy statement: “This breach is a parent’s nightmare of epic proportions.” Chris Wysopal, co-founder of cyber security firm Veracode, said this could be a wake-up call for families in the same way that the hack on infidelity website Ashley Madison earlier this year made adults realize their online data might not be safe.

VTech said in a statement that children’s profiles included name, gender and birth date. Stolen adult data included name, mailing address, email address, password retrieval questions, IP address and passwords. (Here is the FAQ about the data breach.) Most of the affected VTech customers were in the United States, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands.

Added to this, security researchers have also found two glaring vulnerabilities in VTech’s InnoTab Max tablet for kids. Ken Munro, who heads up the consultancy Pen Test Partners and discovered the issues with the InnoTab within a day, stated: “This bug has been known about for well over two years. It’s a bit lame of VTech to continue shipping vulnerable tablets, tablets that expose children’s data.” The hack itself was reported to have been carried out with a well-known and age-old technique, SQL injection, that firms should be well prepared for. VTech was storing most data, including children’s images and chat messages with parents, unencrypted. Its website was not protected with SSL encryption, and the Android application used by parents to chat with their children was also said to be vulnerable.
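To make the SQL injection point concrete, here is an added example (not code from VTech or from any of the articles) contrasting a login lookup built by string formatting with the same lookup using bound parameters. The `parents` table, its columns and the sample accounts are constructed for the demo; real systems should also hash stored passwords, which is omitted here to keep the focus on query construction.

```python
import sqlite3

# Constructed sample rows standing in for a parent-account table (hypothetical schema).
ACCOUNTS = [
    ("alice@example.com", "correct-horse"),
    ("bob@example.com", "battery-staple"),
]


def make_db():
    """Build an in-memory database with the constructed parent accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO parents VALUES (?, ?)", ACCOUNTS)
    return conn


def login_vulnerable(conn, email, password):
    """Unsafe: user input is spliced into the SQL text, so quotes in the input
    change the query's structure instead of being treated as data."""
    sql = ("SELECT email FROM parents WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, email, password):
    """Hardened: placeholders are bound by the driver, so the input is only ever
    compared as a value and can never alter the WHERE clause."""
    sql = "SELECT email FROM parents WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


def demo():
    """Return (vulnerable_result, safe_result) for a password value that matches
    no account but contains a quote and an OR clause."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return login_vulnerable(conn, "alice@example.com", crafted), \
        login_safe(conn, "alice@example.com", crafted)


if __name__ == "__main__":
    vuln, safe = demo()
    print("string-built query returned:", vuln)   # every account leaks
    print("parameterised query returned:", safe)  # nothing: the login fails
```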

On December 3rd, it was reported that VTech hired well-known cybersecurity firm FireEye Inc’s Mandiant forensics unit to help the company secure its systems after the massive hack, and that it was cooperating with law enforcement worldwide to investigate the cyber attack.

Lastly, in October Linux Insider reported that Canonical, a company whose mission is to make open source software available to people everywhere, announced plans to launch the Internet of Toys, an open source initiative calling on toy makers, hackers, Internet of Things fans and innovators to build the next generation of web-connected toys. One compelling statement in the article, though, alluded to how questions of privacy and security are raised because there are no security standards for IoT devices, and baby monitors, smart cars and medical devices have already been hacked. Tim Erlin, director of IT security and risk strategy at Tripwire, states in the article: “As more devices are able to interact with the physical world around us, cybersecurity really becomes an issue of cybersafety.” He added: “If we don’t address the logical security in the IoT soon, we’ll end up with a consumer safety requirement to manage.”


And about that Hello Barbie – I did advise you to say goodbye to it, right…?


Reuters: Toymaker VTech hit by largest-ever hack targeting kids

The Guardian: We shouldn’t let high-tech toys make children vulnerable to hackers

Fortune: More Trouble For VTech — Kids Tablet Is ‘Easy’ To Hack

Linux Insider: Canonical Plays With Internet of Toys Idea

Check out Dynepic’s Internet of Toys website for information about IoToys and a great blog Toy Story is Becoming a Reality – 20 Years Later