Barbie is back, but can she be trusted? – USA TODAY
The Barbie doll has been a huge seller worldwide since she first appeared in 1959. Lately, however, she has been showing her age with sales down 16% last year.
But now she is back, and just in time for the holiday shopping season: Mattel, the maker of Barbie, working in conjunction with the high-tech company ToyTalk, has created “Hello Barbie,” an Internet-connected interactive doll that will have real conversations with children. “Hello Barbie” is expected to retail for $74.99.
Barbie is now going to be a part of the Internet of Things.
The Internet of Things is the name for the technology by which devices are connected and controlled over the Internet. The number of Internet of Things devices, presently estimated at 4.9 billion, is expected to rise to 25 billion by 2020. The list of things that make up the Internet of Things includes cars, refrigerators, coffee makers, televisions, microwave ovens, fitness bands, thermostats, smartwatches, webcams, copy machines and medical devices.
Unfortunately, however, the Internet of Things has not to date proven terribly secure. In 2011, researcher Jay Radcliffe was able to hack and disable an insulin pump connected to the Internet, and just this summer, security researchers Charlie Miller and Chris Valasek famously hacked into Jeep Cherokees.
Too often, security appears not to have been a major consideration in the development of the Internet of Things. In a report issued last January, the Federal Trade Commission (FTC) urged businesses to take greater action to protect both the privacy and security of consumers using products that are a part of the Internet of Things. The FTC urged companies to build security into their Internet of Things devices at the initial development stage rather than as an afterthought in the design process.
“Hello Barbie” will have a microphone and speaker contained in her fashionable jewelry. A smartphone app will connect her through the home Wi-Fi to the Internet. She will have a data bank of built-in programmed responses to common questions and will use Wi-Fi and voice recognition software to transmit the child’s questions over the Internet to ToyTalk’s servers, where the appropriate response will be chosen from thousands already recorded. Certainly, this new Barbie is not just a pretty face. In addition, “Hello Barbie” will record all conversations between the child and Barbie, which will then be transmitted via the Internet, stored in the cloud and used anonymously by ToyTalk to construct more conversation options.
Parents will be able to access the child’s conversations with “Hello Barbie” and will also have the ability to either post those conversations on social media or delete them in their entirety from ToyTalk’s databases.
While “Hello Barbie” is the latest talking doll connected to the Internet of Things, she is not the first. That distinction goes to My Friend Cayla, which came equipped with Bluetooth capabilities and Bluetooth vulnerabilities. Security researchers found that no password was necessary to connect My Friend Cayla to a smartphone, so any device within Bluetooth range could hack into the connection and make Cayla say anything the hacker wished.
“Hello Barbie,” however, does not use Bluetooth technology, thereby eliminating Bluetooth-related vulnerabilities. Instead, it uses Transport Layer Security (TLS), an encryption protocol intended to protect the privacy and security of communications over the Internet.
“Hello Barbie” also has a security system intended to protect her from the installation of malware while she is being recharged. “Hello Barbie” requires recharging after about an hour of use.
However, as Ronald Reagan famously said, “trust, but verify.” In this case, perhaps Barbie can be trusted, but parents should make sure, as they should do with all of their Internet-connected devices, that they create a strong password. Weak passwords continue to be an Achilles heel in many security breaches. How easily hackers can access the audio files by guessing the parents’ password will depend greatly on the strength of the password the parents choose.
So can Barbie be trusted?
She seems to have a trustworthy face, if that counts for anything, and it does appear that Mattel and ToyTalk made a sincere effort to build in security as an essential component of the doll.
However, nothing is perfect, and much of the danger of Internet of Things devices in the home comes from the interconnectedness of all of the devices using a home Wi-Fi system, where an insecure device can be used as an entry point to gain access to other devices, such as the parents’ computers and the personal information contained therein. Just this past summer, security researchers were able to hack into a smart refrigerator and use that vulnerability to gain access to Gmail login credentials.
Already, security researchers are preordering “Hello Barbie” with the intention of trying to find her vulnerabilities to hacking, and that is not a bad thing. The work of Charlie Miller and Chris Valasek in exposing the vulnerabilities of the Jeep Cherokee has made that car safer, and they now work for Uber to help it enhance its cars’ security.
As for Barbie, she seems like a nice girl.
Steve Weisman is a lawyer, a professor at Bentley University and one of the country’s leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily updated information about the latest scams. His new book is Identity Theft Alert.