It’s nothing new that when we’re on the Internet, somewhere, a small portion of our semi-personal or personal data is being cached. We’re a society used to being watched in some form or another while online. And sad to say, most people just accept this. However, what about when that steps over the line from collecting anonymous statistics about your normal browsing habits to invading the privacy of your home?

Take, for instance, your flat screen TV. Not too long ago, it was discovered that the Samsung smart TV line was in fact voice recording all the time because of its voice recognition technology, which allows users to give verbal commands. Makes you all warm and fuzzy, doesn’t it? It’s not even just TVs anymore – as it turns out,for all the smart features of LG’s “Smart Thinq Fridge” to work, the fridge must be connected to  wireless. However, the Deputy Director of the CIA Directorate of Science and Technology recently told the Aspen Security Center forum in Colorado that “smart refrigerators have been used in distributed denial of service attacks” and claim that “at least one smart fridge played a role in a massive attack last year involving more than 100,000 Internet connected devices and more than 750,000 spam emails.” Imagine having a botnet of refrigerators attacking major infrastructure. Welcome to the Internet of Things.

Of course, those of us who are privacy advocates have been aware of things like this for some time. But what really moved us to write this article was something that was released within the past few days.

Hello Barbie. The doll that REALLY listens

When you think of it, what could be more harmless than a child’s doll, especially those famous totally out-of-proportion ones? Yes, I’m talking about Barbie. Well, the Mattel Company, which makes Barbie, has developed something called “Hello Barbie.” This is the first fashion doll that can have a two-way conversation with children. It features speech recognition and progressive learning features that provide the child with an engaging and unique Barbie experience, and we’re quoting directly from the FAQ from the Mattel site. It plays interactive games, tells jokes and inspires storytelling,it tailors its conversations based on play history, and it’s only $74.99!!!

But there are some alarming features and requirements of this particular doll that should raise some massive concerns. Hello Barbie’s two-way communication does not work when it’s not connected to the Internet. The doll must be connected via Wi-Fi to have a conversation with the child. But Mattel tries to put the parents at ease with a specific section in the FAQ that talks about “what parents need to know about this product.” First, the company says that Hello Barbie is not always on. Hello Barbie is only active when her belt buckle is pressed. The next point shows a glimpse of the capabilities, which aren’t explained in much detail. All recorded conversations are stored online, which are “stored securely on (their cloud) server infrastructure and parents have the power to listen to, SHARE, and/or delete stored recordings any time.”

But as you can imagine, somebody looked into the security of the technology a little deeper. A security researcher by the name of Matt Jakubowski found that there are flaws and insecurities in the doll itself as well as how the information is stored and transferred. What is this two-way conversation with Hello Barbie based on again? It requires the use of Wi-Fi and an Internet connection, and hence it is as susceptible to attackers as anything that would be on your home network.

The question arises; why does the doll itself need a constant connection to the Internet when, in the features of the doll, it is preprogrammed with more than 8000 lines of dialogue and 20 interactive games? Still, it requires to be connected to a cloud-based service that is used for voice recognition and information storage. This means that everything heard is transmitted via the Internet to the cloud-based system, after which the response is generated and sent back to the doll. Now granted, Mattel does state that it uses encryption and “commercially reasonable and appropriate measures to protect customer data” and that “The security and privacy of Hello Barbie has been certified as in compliance with COPPA (Childrens Online Privacy Protection Act).” However, this is NOT the problem.

The “vulnerability” does not specifically originate with a flawed communication method or an exploitable piece of code (at least not yet). The doll itself raises privacy concerns. The actual security/privacy of the doll is only as strong as the Wi-Fi networks it connects to. Now even though Jakubowski has not released specific findings or details on the exact method of hacks, we can speculate possibilities because the practice of hijacking wireless has been around for some time.

A wireless access point can be cloned (often called an “evil twin”) to get users to unwittingly connect to the “evil” AP. First, information is gathered about the wireless access point to be targeted. Then, the users of the legitimate wireless network are disconnected using what’s called a “de-authentication attack.” Then all that’s needed is for the evil twin access point, now cloned as the target access point, to have a stronger signal than the original, and the client will connect to it. Once this is done, all traffic through the network can be captured or sniffed, including any data that the Hello Barbie would relay back to the cloud-based voice recognition servers. Also, according to Jakubowski, once he connected to the Hello Barbie’s Wi-Fi network, he had “him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.” Speculating on this statement leads us to believe that the doll itself does have some serious security flaws as does its connection to and from the cloud-based servers. For that, we will have to wait and see.

So what does this mean for your personal safety and security? As you can see, technology is advancing to make our lives not only easier but also more interesting, not just for adults but children as well. However, as parents, or anyone for that matter, we need to be aware of all types of smart technology. Ask yourself: What information is it capturing? Why does it need it? Can it be disabled? Understand to some degree how it does what it does and question why a certain smart device requires access to the Internet. How? READ THE FINE PRINT of the device’s privacy statement, which it is required to have. This will help in determining what information your smart device may be sending and help to determine if a malicious individual could leverage this information to attack you and your family.

Sources:
https://www.schneier.com/blog/archives/2015/02/samsung_televis.html
https://www.defenseone.com/technology/2014/07/cia-fears-internet-things/89660/
http://hellobarbiefaq.mattel.com/wp-content/uploads/2015/12/hellobarbie-faq-v3.pdf
https://www.nbcchicago.com/investigations/WEB-10p-pkg-Surveillance-Toy_Leitner_Chicago-353434911.html