NZ Herald

Is Barbie eavesdropping on your children? Hello Barbie targeted by hackers

Washington Post
6 Dec, 2015 06:03 PM


Hello Barbie on display at the Mattel showroom at the North American International Toy Fair in New York. Photo / AP


Toys that talk back are one of the hottest holiday gifts this year. And they may soon be a hot item for hackers too.

Cybersecurity researchers uncovered a number of major security flaws in systems behind Hello Barbie, an Internet-connected doll that listens to children and uses artificial intelligence to respond. Vulnerabilities in the mobile app and cloud storage used by the doll could have allowed hackers to eavesdrop on even the most intimate of those play sessions, according to a report released Friday by Bluebox Security and independent security researcher Andrew Hay.


Mattel did not immediately respond to a request for comment on the report. Martin Reddy, co-founder and chief technology officer of ToyTalk -- the company behind the voice features in Hello Barbie -- told The Washington Post that the company has been working with Bluebox and has "already fixed many of the issues they raised." The researchers say they informed ToyTalk about the issues in mid-November and the company was very responsive.

But the news comes on the heels of a major breach at VTech, a Hong Kong-based seller of toys for toddlers and young children, which exposed profiles on more than six million kids around the world. And Hello Barbie's security issues are yet another sign that Internet-connected devices are making their way into kids' hands with problems that leave privacy at risk.


"It's really important that if you want to use these connected toys, no matter if it's a doll or a tablet, you be really careful about what information are being sent to and from the servers, and how it's secured," said Andrew Bleich, lead security analyst at Bluebox. "Once data is out of your control, that's it -- there's no taking it back, essentially."

Consumer advocates raised alarm bells about Hello Barbie before the security flaws were uncovered. In fact, even before Hello Barbie was released, they circulated a petition that called the doll "creepy."

The doll's talking features work by recording a child when it presses a button on its stomach and sending the audio file over the Internet to a server where it is processed. The doll then responds with one of thousands of pre-recorded messages. Parents must consent to the doll's terms of use and set it up via a mobile app.


But the researchers say they discovered that the app contained a number of security problems, including that digital certificates, which are supposed to confirm that the connection between the doll and the app is legitimate, used a "hardcoded" password. That meant that every app used the same password as part of this verification process -- so if an attacker figured out that password, he or she could create a fraudulent app that could potentially steal data, including audio recordings, that passed between the doll and ToyTalk's servers.

And during the setup process, the researchers say the app would connect the phone to any unsecured Wi-Fi network with the word "Barbie" in its name. That would make it easy for an attacker to create a Barbie-labeled WiFi hub and to steal data.

"It's important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access [to] WiFi passwords, no access to child audio data, and cannot change what the doll says," ToyTalk's Reddy said.

The researchers also say that the secure connection between the doll and the server was vulnerable to a highly publicized attack disclosed last year. The attack, known as POODLE, allows an attacker to trick servers into using a weak form of encryption that he or she could easily crack after intercepting the data, according to Hay. The company has now fixed this problem, Reddy said.


Mattel and ToyTalk have both gone to great lengths to assure customers that they take privacy seriously. ToyTalk has even started a "bug bounty" program that rewards independent researchers who come forward with problems they've found and work with the company to fix them.

But the doll's own privacy policy says that even though the companies take "reasonable measures" to protect the information they collect, they can't promise to keep it safe: "[D]espite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse."

However, even with that caveat, experts say the security problems in the doll may open the companies up to action from the Federal Trade Commission, which cracks down when companies violate their privacy promises, because consumers likely expect that reasonable measures include protecting against well-known security flaws like POODLE. The agency also has special powers to go after companies that fail to adequately protect the personal information of children 12 and under -- including voice recordings -- under the Children's Online Privacy Protection Act, or COPPA.

The FTC declined to comment specifically on the Hello Barbie incident because it neither confirms nor denies potential investigations. But David Vladeck, a former director of the agency's Bureau of Consumer Protection and current Georgetown Law professor, says the issue is likely on its radar. "It has always taken its responsibility to protect children very seriously," he said. "This is very much in the core of what the FTC is concerned about, and I assume they are taking a very hard look at this."
