New Wi-Fi-Enabled Barbie Can Be Hacked, Researchers Say

Security researcher says he can get personal information from “Hello Barbie,” world’s first artificial intelligence-enabled Barbie doll

She looks like all the others before her: perfect hair, cute outfit, dynamite body. But she’s nothing like her predecessors. America’s most iconic toy has evolved.

“Hello Barbie” is the world’s first artificial intelligence-enabled Barbie doll. She is connected to Wi-Fi, remembers what a child says and is able to carry on a conversation, making her seem like she is alive.

“She can actually talk to you,” said 9-year-old Zsofia. “And not fake talking.”

“It’s actually funner than other Barbie’s” said 10-year-old Aiyah.

Rhonda Hoff said her daughter Aiyah confides in Barbie like she would in a diary.

“They have something they go talk to everyday when they are upset, then they go express themselves,” said Hoff.

Those expressions are stored in the cloud and accessed from a smart phone.

“We put parents in control of their child's data, beginning with parental consent and by giving them the option to review and delete any or all of their child's interactions with Hello Barbie,” said a spokesperson for Toy Talk, the company that created the technology behind the talking Barbie.

But NBC 5 Investigates in Chicago found parents are not the only ones able to get that information.

“I was able to get some information out of it that I probably shouldn’t have,” said security researcher Matthew Jackubowski. He hacked Barbie’s operating system.

“System information, Wi-Fi network names, its internal mac address, account IDs and MP3 files.”

So what does this mean in terms of a child’s security?

“You can take that information and find out a person’s house or business,” said Jackubowski.

Jackubowski said he has enough information to then access a person’s home Wi-Fi network and everything Barbie records.

“It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want," he said.

Toy Talk acknowledges the internet-connected doll can be hacked. But a Toy Talk spokesperson told NBC 5 News, “In this case, the information that was discovered does not identify a child, nor does it compromise any audio of a child speaking.”

Yet privacy experts are concerned.

“There are all sorts of issues about where that info is going, who’s listening and what it’s being used for and how it might come back to haunt you,” said Lori Andrews, Professor IIT Kent College of Law.

Andrews describes the doll as a miniature surveillance device that can also record whatever else is going on in the room. The lengthy Barbie privacy statement discloses the company will report “a conversation that raises concern about the safety of a child or others”.

“The company has said it’s going to take on the role of alerting the authorities,” said Andrews. “And in their privacy statement they also say they’re going to respond to legal subpoenas.”

Concerns that have some parents worried but mean little to a 10-year-old girl with a new doll.

“I think this one’s better because she can actually talk to you,” said Zsofia.” The other ones are weird because they’re silent.”

It’s not uncommon for the first generation of a new toy to be less secure. And sometimes companies release updates to resolve vulnerabilities.

“We think parents should feel confident about their child’s privacy with Hello Barbie,” said a Toy talk spokesperson.

NBC 5 Investigates has also learned the company will be launching a bug bounty program, offering incentives to security experts who are able to find security flaws in the product.
 

Contact Us