We’ve written about the Internet of Things – the vision of connecting everything – before. Any vision that involves connecting practically everything in our world so it can send and receive information is always going to have severe privacy ramifications.
And the latest gadgets to come into the firing line for the privacy concerns that they raise are – rather alarmingly – toys. While we may have come to terms with the fact that the Internet has eroded some aspects of our private lives, we’re justly more unwilling to accept the same for our children.
Hello Barbie is one of many toys that hit the market in time for Christmas 2015 that utilises Internet connectivity. Like many toys that are now capitalising on the voice recognition and control niche, this latest Barbie doll transmits what you say to her into cyberspace so it can be translated and an appropriate response sent back.
The problem, however, is that the toy had several security flaws according to BlueBox. The data sent between Barbie (that needed to be connected to a Wi-Fi enabled device with the Hello Barbie App installed) and the servers from its developers ToyTalk and Mattel could have been intercepted. The data would have been encrypted but another vulnerability – known as the POODLE attack – could have forced ToyTalk’s servers to remove the encryption, allowing hackers to listen to everything sent from the Barbie app.
If that wasn’t enough the app could have been fooled into connecting to any Wi-Fi network with Barbie in the name, allowing hackers to set up networks to steal information from the app.
It is unknown if anyone actually exploited the vulnerabilities, and ToyTalk have now claimed that as a result of the revelation, they have addressed many of the security flaws.
The problem with toys that rely on voice recognition is that – just like your TV and phone – they are not capable of understanding everything you say to them by themselves. They need to use servers located elsewhere in the world, so your voice is sent over the Internet for translation.
This has privacy ramifications, because criminals can intercept what you say, or if your voice is stored on data servers (like it is with Apple’s Siri feature) then you run the risk of that data leaking on the Internet.
An inherent problem here is that toy manufacturers are not security experts. They’re not veteran software companies and as a result their security procedures can often be dated and vulnerable to attack, something that was highlighted in the recent VTech hack.
And with an increase in toys that connect to the Internet and use microphones like the Hello Barbie doll, how safe do you think our children’s privacy really is when they use them?
A frustrating aspect to all of this is that there isn’t really anything we can do unless we avoid buying these must-have toys all together. Parents are forced into trusting toy companies with valuable and personal information, and so far even the leading companies are letting them down.