Internet-Connected Toys Are Getting Hacked, and It’s As Creepy As We Feared It Would Be

Hello Barbie: Data Leaking Edition just in time for the holidays!

In November 2014, British toymaker Vivid Toys debuted an Internet-connected doll, My Friend Cayla, that used speech recognition and artificial intelligence techniques to have conversations with kids. By February, researchers had hacked the doll to spew curse words. Now other Internet of Things toys are encountering similar problems.

On Wednesday, NBC Chicago reported that security researcher Matt Jakubowski had hacked Mattel’s Hello Barbie, potentially exposing users’ account information, home Wi-Fi networks, and MP3 files recorded by the dolls. Hello Barbie is a version of the classic toy that converses with kids, remembers things they say, and recalls details later. “I was able to get some data out of it that I probably shouldn’t have,” Jakubowski told NBC Chicago. “You can take that information and find someone’s house or business.”

When Mattel announced Hello Barbie in February, privacy advocates were concerned. The doll is always “listening,” meaning that it sends audio files to a cloud server for processing and storage. In March, Angela Campbell, faculty adviser at Georgetown University’s Center on Privacy and Technology, told the Washington Post, “If I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed.” The Campaign for a Commercial-Free Childhood started a petition against the toy. And Network World published a story with the headline, “How long will it take for Internet of Things Hello Barbie to be hacked?” Well, now we have our answer.

Jakubowski hasn’t published the details of his hack yet, and he noted in a tweet that the companies involved in Hello Barbie “really are doing a lot of stuff right.” Oren Jacob, the CEO of ToyTalk, which provides cloud computing for Hello Barbie, said in a statement: 

An enthusiastic researcher has reported finding some device data and called that a hack. While the path that researcher used to find that data is not obvious and not user-friendly, it[’s] important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security nor privacy protections has been compromised to our knowledge.

It’s fair enough to point out that not everything that is colloquially called a hack is actually an exploitation of a previously unknown vulnerability, but if Jakubowski is accessing data that typical customers would assume is secure, that sounds like a problem.

Meanwhile, Motherboard reported on Friday that cordless phone and electronic toy manufacturer VTech suffered a data breach in early November that exposed personal information from almost 5 million adult customers and 200,000 children, including names, birthdays, and genders. “What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard,” Lorenzo Franceschi-Bicchierai wrote. He added on Monday that the breach seems to include photos of children and family chat logs.

As everything from toys to educational tools comes online, more and more data breaches will affect kids. Adults have to make their own choices about whether to trust tech companies with their data, but kids trust adults implicitly to make good cybersecurity decisions for them.