This blog post was written by Bruce Snell.
Soon after posting our Most Hackable Gifts blog, NBC 5 in Chicago released an investigative report on a popular interactive doll being hacked. In the report, the security researcher detailed some of what he was able to get from the Barbie doll, including Wi-Fi network IDs, account information and even audio recordings. This is all sensitive data that you would not want falling into the hands of a cybercriminal!
Before we become too alarmed about trenchcoated villains scanning the airwaves for smartdolls to hijack, I would like to point out one particular frame from the video.
What you’re looking at is the doll in a disassembled state with probes and connections attached directly to the hardware. This means that to get into this particular doll, it has to be opened up and directly plugged into specialized tools. If your child has this doll at a coffee shop, it’s not in danger of being remotely hacked by someone sitting nearby.
What can we learn from this?
What we have to keep in mind is that these toys require a lot of processing behind the scenes, and this typically requires a connection to either a mobile device or the cloud. While this does allow for a greater range of interaction for children, it can also unknowingly expose their information to others.
As a dad, of course I want my children to have fun toys with neat features. However, it’s important that we truly understand what we are getting into when we buy a shiny new toy or gadget during the holidays. If you are considering a toy that has a cloud-based component, you should pay close attention to what sort of data is being transmitted across the internet.
This might mean that you actually have to read the manual instead of skipping to the section that shows you how to put the batteries in. A side benefit of reading the manual is that it will most likely tell you where you can change the default password! One of the first things you should do when you connect your new device to the internet is to make sure you have changed the default password so others can’t take control of your device. At that point, it’s up to you as a parent/consumer/gadgeteer to decide if the amount of information you are giving up is too much, but at least you can make that an informed decision.
If you haven’t already, please take a look at the Most Hackable Gifts post by Gary Davis, where we go into more detail about some of the issues with this season’s hottest gifts.