Mom, My Barbie Needs A Better Firewall

from the Ken-is-a-nosy-bastard dept

Earlier this year, we noted that Barbie had received a face lift for the internet of things age. Hello Barbie is able to take commands from your kids, but also connects to your home Wi-Fi network to shovel your children’s conversations to the cloud — purportedly to improve Barbie’s voice recognition technology. At the time, groups like the Campaign for a Commercial Free Childhood complained that monetizing the ramblings of toddlers was a line that shouldn’t be crossed, given that kids would no longer be talking to a doll, they’d be “talking directly to a toy conglomerate whose only interest in them is financial.”

But beyond the ethical implications of marketing to kids is the more pressing lack of security and privacy standards apparent in most IOT devices. As hacked automobiles, tea kettles and refrigerators all perfectly illustrate, companies are so eager to cash in on the connected age that they “forget” about securing the end user. And now, as the Vtech hack recently illuminated, your kids’ toys are no exception. Neither is Hello (I’m an NSA operative) Barbie.

A security researcher last week found it rather trivial to modify the doll to “access system information, Wi-Fi network names, its internal mac address, and account IDs,” noting it would be easy to change what’s collected and even where that data is stored. Granted, in Skynet Barbie’s case, this requires physically obtaining the doll and torturing it. But the physical security of Barbie is only half the equation. Data’s also obviously stored in the cloud, and Barbie’s shiny new privacy policy warns kids this data can all be subpoenaed (so be good for goodness’ sake):

“There are all sorts of issues about where that info is going, who’s listening and what it’s being used for and how it might come back to haunt you,” said Lori Andrews, Professor IIT Kent College of Law.
Andrews describes the doll as a miniature surveillance device that can also record whatever else is going on in the room. The lengthy Barbie privacy statement discloses the company will report “a conversation that raises concern about the safety of a child or others”.
“The company has said it’s going to take on the role of alerting the authorities,” said Andrews. “And in their privacy statement they also say they’re going to respond to legal subpoenas.”

Here you were thinking you were just buying your child a Barbie. Little did you know you were providing an internal mole for use in future custody hearings. And again, like the Vtech hack reiterates, physical security of the toy itself is only a small part of the equation. Companies are so damn enamored with the lure of the Internet-of-whatsa-doodles, they tend to not only forget to secure the device, the transmission, and the storage, but they very often hungrily collect way more data than is actually necessary. The end result is a modern household full of toys, appliances and devices guarded by what’s at best paper-mache grade security standards.

Filed Under: , , , ,
Companies: mattel

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Mom, My Barbie Needs A Better Firewall”

Subscribe: RSS Leave a comment

Other security issues...

In addition to the question of physical security of the device, and security of the data it sends to the cloud, there’s also the issue of its potential harm to other devices on your network. My home network is behind a Linux-based firewall/router which I trust to deal with outside threats, but so far I’ve treated internal devices as safe and trusted. With the security record of the “IoT” devices, it looks like I might need to change that model, perhaps shunting any such devices to a DMZ.


Re: Re: Other security issues...

Treating inside devices as trusted is something that died almost a decade ago. Seriously. Even for home devices.

Treat every electronic device you own as if it is under the control of a third party — either a manufacturer, or someone who breached security before you even got the product. Pretty much every network-capable device these days supports encrypted transport and has at least one call-home capability.

You need to be watching what’s leaving your network and what’s going around IN your network as much as what’s attempting to come in from the outside.


Solution is simple ..

Actively avoid buying these types of toys. Teach your kids that books, family and people are more important. If they must have an electronic device, be a parent and regulate its use.

I personally could not have been more proud when one of my kids told me they created an account on a web based game site using a bogus name and age. Usually they ask first before they create accounts but as they get older I let them have more leeway. I still run all household traffic through a SophosUTM. Props to Sophos for providing families a defense against the open internet.

That said, majority of the fault can be laid right at the feet of the companies that keep foisting this junk upon the masses who are technically illiterate and know not better.


One point I have issue with is the amounts of stored data. My feeling when looking at the VTech case is one where the data is collected to be stored temporarily, but it not being deleted. They aren’t just “hoovering up” data to have lots of stuff, but rather they are failing to grade the data and delete what is not needed or relevant.

I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning.

Also, I think a little consumer education is needed here. Most home wi-fi setups (at least newer ones) support either guest networks or more restrictive access secondary network access that would be perfect for “internet of things” while protecting your personal devices such as desktops, laptops, and hand held devices. All IoT style devices need to be treated as potential security holes, and given access in keeping with their nature. Giving them run of the house is just a really bad idea.

Wendy Cockcroftsays:

Re: Re:

I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning.

It’s about marketing opportunities, Whatever. Turbo-charged pester power.



Firewalling isn’t really a good solution anymore. Devices need to have proper mutual authentication (not passwords) and cryptography. Too many devices assume they’re in a “safe” network and don’t need to do this. But a virus can hop from the coffeeshop wifi to your laptop to your home network, or a worm can get onto your LAN through a hacked Barbie doll. Perimeters are too porous these days for perimeter security to be viable.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow