With little girls all excited to open and play with their new "Hello Barbie" dolls this season, experts are worried about the toys' privacy. The all-new high-tech dolls can now initiate a conversation, much like the iPhone's Siri. However, security threats are a concern.
A team of security researchers revealed a number of faulty security measures in the "Hello Barbie" doll's Internet-ready system, which allows interaction between kids and their toys via artificial intelligence. According to studies by Bluebox Security and independent researcher Andrew Hay, the app and cloud storage behind the dolls are susceptible to hackers, raising the threat of snooping even on children's intimate play time.
"We are aware of the Bluebox Security Report and are working closely with ToyTalk to ensure the safety and security of Hello Barbie," Michelle Chidoni, Mattel representative, said. ToyTalk's chief technology officer Martin Reddy admitted that they have "already fixed many of the issues they raised." The researchers, for their part, confirmed that the company has been very cooperative in heightening security measures.
Recently, toymaker VTech was the victim of a data breach that left more than 6 million children's information exposed. With Hello Barbie's security glitches, it is alarming how Internet-connected toys are making their way into children's hands without their privacy being ensured.
"It's really important that if you want to use these connected toys, no matter if it's a doll or a tablet, you be really careful about what information is being sent to and from the servers, and how it's secured," Bluebox's lead security analyst Andrew Bleich said. "Once data is out of your control, that's it - there's no taking it back, essentially."
To show that the companies are serious about raising their security barriers, Mattel and ToyTalk initiated a "bug bounty" campaign that rewards researchers who find flaws and help the companies fix them. However, they made clear in their privacy terms that although "reasonable measures" will be taken to safeguard the information collected, they cannot guarantee its total safety. "[D]espite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse."