Mom, My Barbie Needs A Better Firewall
from the Ken-is-a-nosy-bastard dept
Earlier this year, we noted that Barbie had received a face lift for the internet of things age. Hello Barbie is able to take commands from your kids, but also connects to your home Wi-Fi network to shovel your children’s conversations to the cloud — purportedly to improve Barbie’s voice recognition technology. At the time, groups like the Campaign for a Commercial Free Childhood complained that monetizing the ramblings of toddlers was a line that shouldn’t be crossed, given that kids would no longer be talking to a doll, they’d be “talking directly to a toy conglomerate whose only interest in them is financial.”
But beyond the ethical implications of marketing to kids is the more pressing lack of security and privacy standards apparent in most IOT devices. As hacked automobiles, tea kettles and refrigerators all perfectly illustrate, companies are so eager to cash in on the connected age that they “forget” about securing the end user. And now, as the Vtech hack recently illuminated, your kids’ toys are no exception. Neither is Hello (I’m an NSA operative) Barbie.
A security researcher last week found it rather trivial to modify the doll to “access system information, Wi-Fi network names, its internal mac address, and account IDs,” noting it would be easy to change what’s collected and even where that data is stored. Granted, in Skynet Barbie’s case, this requires physically obtaining the doll and torturing it. But the physical security of Barbie is only half the equation. Data’s also obviously stored in the cloud, and Barbie’s shiny new privacy policy warns kids this data can all be subpoenaed (so be good for goodness’ sake):
“There are all sorts of issues about where that info is going, who?s listening and what it?s being used for and how it might come back to haunt you,? said Lori Andrews, Professor IIT Kent College of Law. Andrews describes the doll as a miniature surveillance device that can also record whatever else is going on in the room. The lengthy Barbie privacy statement discloses the company will report ?a conversation that raises concern about the safety of a child or others?. ?The company has said it?s going to take on the role of alerting the authorities,? said Andrews. ?And in their privacy statement they also say they?re going to respond to legal subpoenas.”
Here you were thinking you were just buying your child a Barbie. Little did you know you were providing an internal mole for use in future custody hearings. And again, like the Vtech hack reiterates, physical security of the toy itself is only a small part of the equation. Companies are so damn enamored with the lure of the Internet-of-whatsa-doodles, they tend to not only forget to secure the device, the transmission, and the storage, but they very often hungrily collect way more data than is actually necessary. The end result is a modern household full of toys, appliances and devices guarded by what’s at best paper-mache grade security standards.
Filed Under: barbie, internet of things, iot, privacy, security
Companies: mattel
Comments on “Mom, My Barbie Needs A Better Firewall”
Other security issues...
In addition to the question of physical security of the device, and security of the data it sends to the cloud, there’s also the issue of its potential harm to other devices on your network. My home network is behind a Linux-based firewall/router which I trust to deal with outside threats, but so far I’ve treated internal devices as safe and trusted. With the security record of the “IoT” devices, it looks like I might need to change that model, perhaps shunting any such devices to a DMZ.
Re: Other security issues...
Treating inside devices as trusted is something that died almost a decade ago. Seriously. Even for home devices.
Treat every electronic device you own as if it is under the control of a third party — either a manufacturer, or someone who breached security before you even got the product. Pretty much every network-capable device these days supports encrypted transport and has at least one call-home capability.
You need to be watching what’s leaving your network and what’s going around IN your network as much as what’s attempting to come in from the outside.
Re: Other security issues...
I configure my whole-net firewall so it blocks outgoing connections just as fervently as incoming ones. No outbound traffic is allowed without my explicitly allowing it. We long ago passed the point where you can consider either side of your firewall as trustworthy.
Yes, I’m talking to you, Sid Phillips. Remember, we toys can see eeeeeeeeeverything.
So play nice!
Re: Re:
Now imagine that, but with Child’s Play’s Chucky. Shudder!
Solution is simple ..
Actively avoid buying these types of toys. Teach your kids that books, family and people are more important. If they must have an electronic device, be a parent and regulate its use.
I personally could not have been more proud when one of my kids told me they created an account on a web based game site using a bogus name and age. Usually they ask first before they create accounts but as they get older I let them have more leeway. I still run all household traffic through a SophosUTM. Props to Sophos for providing families a defense against the open internet.
That said, majority of the fault can be laid right at the feet of the companies that keep foisting this junk upon the masses who are technically illiterate and know not better.
Re: Solution is simple ..
Forgot the UTM link:
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
I have popcorn being made in wait for the first “report to authorities” of a child screaming as their parent yells at them and you can hear a crash of something in the background only to find out the kid threw a temper tantrum and broke something and not that the child was being harmed in any way.
Re: Re:
Is that unharmed until the swat team comes bursting in?
Swatting Barbie
I don’t know how well Mattel is going to do at confirming the identity of the Barbie owners, but I suspect that guy in the apartment across the hall who plays loud music all the time and leaves his WIFI unsecured is gonna be really surprised when child services comes knocking.
Next, we'll hear...
Today, Germany announced a new program to welcome immigrants with items such as food baskets and Barbie dolls.
Re: Next, we'll hear...
Germany should invite the Gates foundation with their HCG antibody vaccines …
how many days until the spy barbie doll calls the cops
which come and kill a child and his dogs?
One point I have issue with is the amounts of stored data. My feeling when looking at the VTech case is one where the data is collected to be stored temporarily, but it not being deleted. They aren’t just “hoovering up” data to have lots of stuff, but rather they are failing to grade the data and delete what is not needed or relevant.
I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning.
Also, I think a little consumer education is needed here. Most home wi-fi setups (at least newer ones) support either guest networks or more restrictive access secondary network access that would be perfect for “internet of things” while protecting your personal devices such as desktops, laptops, and hand held devices. All IoT style devices need to be treated as potential security holes, and given access in keeping with their nature. Giving them run of the house is just a really bad idea.
Re: Re:
I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning.
It’s about marketing opportunities, Whatever. Turbo-charged pester power.
Firewalling
Firewalling isn’t really a good solution anymore. Devices need to have proper mutual authentication (not passwords) and cryptography. Too many devices assume they’re in a “safe” network and don’t need to do this. But a virus can hop from the coffeeshop wifi to your laptop to your home network, or a worm can get onto your LAN through a hacked Barbie doll. Perimeters are too porous these days for perimeter security to be viable.
I think I'll try this...
I have a parrot who recites decades-old arguments between her former owners, complete with woman screaming and baby crying. I think I’ll get my pet a Barbie for Christmas.
Make it happen, Internet!
Patiently looking forward to an RMS doll running free software.
If I was a parent in a custody battle, I would immediately get one of these for my child to keep with the other parent then subpoena that info.
This will end badly.
1984 available on sale now!
Not only is Big Brother in your house, you actually purchased him!
Re: 1984 available on sale now!
In Soviet Russia, big brother house purchases you!
Not too surprising...
We already knew that Barbie was a crappy programmer…
http://www.dailydot.com/geek/barbie-engineer-book-girls-game-developers/
this reminds me of the story of that louisiana white-supremacist-turned-politician whose true nature was revealed by a comment made by his little daughter who was too young to understand that she needed to pretend.
if this is what i think it is, this is really ugly, barbie.
Again
WOW, what a great way to stick a Mic, in every home, and monitor EVERYONE.,…
Amusingly, Amazon’s ad on the sidebar is promoting Hello Barbie. Only 59.99, what a deal!