Mom, My Barbie Needs A Better Firewall

from the Ken-is-a-nosy-bastard dept

Earlier this year, we noted that Barbie had received a face lift for the internet of things age. Hello Barbie is able to take commands from your kids, but also connects to your home Wi-Fi network to shovel your children's conversations to the cloud -- purportedly to improve Barbie's voice recognition technology. At the time, groups like the Campaign for a Commercial Free Childhood complained that monetizing the ramblings of toddlers was a line that shouldn't be crossed, given that kids would no longer be talking to a doll, they'd be "talking directly to a toy conglomerate whose only interest in them is financial."

But beyond the ethical implications of marketing to kids is the more pressing lack of security and privacy standards apparent in most IoT devices. As hacked automobiles, tea kettles and refrigerators all perfectly illustrate, companies are so eager to cash in on the connected age that they "forget" about securing the end user. And now, as the Vtech hack recently illuminated, your kids' toys are no exception. Neither is Hello (I'm an NSA operative) Barbie.

A security researcher last week found it rather trivial to modify the doll to "access system information, Wi-Fi network names, its internal mac address, and account IDs," noting it would be easy to change what's collected and even where that data is stored. Granted, in Skynet Barbie's case, this requires physically obtaining the doll and torturing it. But the physical security of Barbie is only half the equation. Data's also obviously stored in the cloud, and Barbie's shiny new privacy policy warns kids this data can all be subpoenaed (so be good for goodness' sake):

“There are all sorts of issues about where that info is going, who’s listening and what it’s being used for and how it might come back to haunt you,” said Lori Andrews, Professor IIT Kent College of Law. Andrews describes the doll as a miniature surveillance device that can also record whatever else is going on in the room. The lengthy Barbie privacy statement discloses the company will report “a conversation that raises concern about the safety of a child or others”. “The company has said it’s going to take on the role of alerting the authorities,” said Andrews. “And in their privacy statement they also say they’re going to respond to legal subpoenas.”

Here you were thinking you were just buying your child a Barbie. Little did you know you were providing an internal mole for use in future custody hearings. And again, like the Vtech hack reiterates, physical security of the toy itself is only a small part of the equation. Companies are so damn enamored with the lure of the Internet-of-whatsa-doodles, they tend to not only forget to secure the device, the transmission, and the storage, but they very often hungrily collect way more data than is actually necessary. The end result is a modern household full of toys, appliances and devices guarded by what's at best paper-mache grade security standards.

Reader Comments

  • Dan, 2 Dec 2015 @ 8:34am

    Other security issues...

    In addition to the question of physical security of the device, and security of the data it sends to the cloud, there's also the issue of its potential harm to other devices on your network. My home network is behind a Linux-based firewall/router which I trust to deal with outside threats, but so far I've treated internal devices as safe and trusted. With the security record of the "IoT" devices, it looks like I might need to change that model, perhaps shunting any such devices to a DMZ.

    • Anonymous Coward, 2 Dec 2015 @ 9:37am

      Re: Other security issues...

      Treating inside devices as trusted is something that died almost a decade ago. Seriously. Even for home devices.

      Treat every electronic device you own as if it is under the control of a third party -- either a manufacturer, or someone who breached security before you even got the product. Pretty much every network-capable device these days supports encrypted transport and has at least one call-home capability.

      You need to be watching what's leaving your network and what's going around IN your network as much as what's attempting to come in from the outside.

    • John Fenderson, 2 Dec 2015 @ 9:39am

      Re: Other security issues...

      I configure my whole-net firewall so it blocks outgoing connections just as fervently as incoming ones. No outbound traffic is allowed without my explicitly allowing it. We long ago passed the point where you can consider either side of your firewall as trustworthy.

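The setup Dan and John Fenderson describe in this thread (a Linux router that isolates "IoT" devices and denies outbound traffic unless it is explicitly allowed), sketched as an nftables ruleset. This is an added example, not configuration posted by any commenter; the interface names wan0, lan0 and iot0 and the address 203.0.113.10 are assumptions, and NAT is assumed to be configured elsewhere.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 (uplink), lan0 (trusted hosts),
# iot0 (toys and appliances). 203.0.113.10 is a documentation-range
# placeholder for the one vendor endpoint a device is allowed to reach.

table inet home_fw
delete table inet home_fw

table inet home_fw {
    set iot_vendor_v4 {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # DNS and DHCP served by the router to both inside segments
        iifname { "lan0", "iot0" } udp dport { 53, 67 } accept
        iifname { "lan0", "iot0" } tcp dport 53 accept
        # Router management (SSH) only from the trusted segment
        iifname "lan0" tcp dport 22 accept
        iifname "iot0" log prefix "iot-to-router " counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted hosts: explicit outbound allow-list, nothing else
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "lan0" oifname "wan0" udp dport 123 accept
        # Trusted hosts may open connections to IoT devices, never the reverse
        iifname "lan0" oifname "iot0" accept
        # IoT devices: HTTPS to the listed vendor address only
        iifname "iot0" oifname "wan0" ip daddr @iot_vendor_v4 tcp dport 443 accept
        # Everything else from the IoT segment is logged, counted and dropped
        iifname "iot0" oifname "lan0" log prefix "iot-lateral " counter drop
        iifname "iot0" log prefix "iot-egress " counter drop
    }
}
```

The log prefixes separate attempts to reach trusted hosts ("iot-lateral") from unexpected call-home traffic ("iot-egress"), which covers both the outbound and the inside-the-network watching the replies call for.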

  • Mason Wheeler, 2 Dec 2015 @ 8:43am

    Yes, I'm talking to you, Sid Phillips. Remember, we toys can see eeeeeeeeeverything.

    So play nice!

  • Anonymous Coward, 2 Dec 2015 @ 8:47am

    Solution is simple ..

    Actively avoid buying these types of toys. Teach your kids that books, family and people are more important. If they must have an electronic device, be a parent and regulate its use.

    I personally could not have been more proud when one of my kids told me they created an account on a web based game site using a bogus name and age. Usually they ask first before they create accounts but as they get older I let them have more leeway. I still run all household traffic through a SophosUTM. Props to Sophos for providing families a defense against the open internet.

    That said, majority of the fault can be laid right at the feet of the companies that keep foisting this junk upon the masses who are technically illiterate and know not better.

  • Berenerd, 2 Dec 2015 @ 8:50am

    I have popcorn being made in wait for the first "report to authorities" of a child screaming as their parent yells at them and you can hear a crash of something in the background only to find out the kid threw a temper tantrum and broke something and not that the child was being harmed in any way.

  • Griffdog, 2 Dec 2015 @ 8:56am

    Swatting Barbie

    I don't know how well Mattel is going to do at confirming the identity of the Barbie owners, but I suspect that guy in the apartment across the hall who plays loud music all the time and leaves his WIFI unsecured is gonna be really surprised when child services comes knocking.

  • Griffdog, 2 Dec 2015 @ 8:59am

    Next, we'll hear...

    Today, Germany announced a new program to welcome immigrants with items such as food baskets and Barbie dolls.

  • Anonymous Coward, 2 Dec 2015 @ 9:01am

    how many days until the spy barbie doll calls the cops
    which come and kill a child and his dogs?

  • Whatever, 2 Dec 2015 @ 9:08am

    One point I have issue with is the amounts of stored data. My feeling when looking at the VTech case is one where the data is collected to be stored temporarily, but is not being deleted. They aren't just "hoovering up" data to have lots of stuff, but rather they are failing to grade the data and delete what is not needed or relevant.

    I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning.

    Also, I think a little consumer education is needed here. Most home wi-fi setups (at least newer ones) support either guest networks or more restrictive access secondary network access that would be perfect for "internet of things" while protecting your personal devices such as desktops, laptops, and hand held devices. All IoT style devices need to be treated as potential security holes, and given access in keeping with their nature. Giving them run of the house is just a really bad idea.

    • Wendy Cockcroft, 7 Dec 2015 @ 6:01am

      Re:

      "I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning."

      It's about marketing opportunities, Whatever. Turbo-charged pester power.

  • Anonymous Coward, 2 Dec 2015 @ 9:22am

    Firewalling

    Firewalling isn't really a good solution anymore. Devices need to have proper mutual authentication (not passwords) and cryptography. Too many devices assume they're in a "safe" network and don't need to do this. But a virus can hop from the coffeeshop wifi to your laptop to your home network, or a worm can get onto your LAN through a hacked Barbie doll. Perimeters are too porous these days for perimeter security to be viable.

  • scotts13, 2 Dec 2015 @ 9:37am

    I think I'll try this...

    I have a parrot who recites decades-old arguments between her former owners, complete with woman screaming and baby crying. I think I'll get my pet a Barbie for Christmas.

  • Anonymous Coward, 2 Dec 2015 @ 9:49am

    Make it happen, Internet!

    Patiently looking forward to an RMS doll running free software.

  • Jeremy2020, 2 Dec 2015 @ 10:04am

    If I was a parent in a custody battle, I would immediately get one of these for my child to keep with the other parent then subpoena that info.

    This will end badly.

  • David, 2 Dec 2015 @ 10:13am

    1984 available on sale now!

    Not only is Big Brother in your house, you actually purchased him!

  • PRMan, 2 Dec 2015 @ 10:37am

    Not too surprising...

    We already knew that Barbie was a crappy programmer...

    http://www.dailydot.com/geek/barbie-engineer-book-girls-game-developers/

  • Anonymous Coward, 2 Dec 2015 @ 10:51am

    this reminds me of the story of that louisiana white-supremacist-turned-politician whose true nature was revealed by a comment made by his little daughter who was too young to understand that she needed to pretend.

    if this is what i think it is, this is really ugly, barbie.

  • ECA, 2 Dec 2015 @ 1:33pm

    Again

    WOW, what a great way to stick a Mic, in every home, and monitor EVERYONE.,...

  • Anonymous Coward, 2 Dec 2015 @ 7:33pm

    Amusingly, Amazon's ad on the sidebar is promoting Hello Barbie. Only 59.99, what a deal!
