Mom, My Barbie Needs A Better Firewall
from the Ken-is-a-nosy-bastard dept
Earlier this year, we noted that Barbie had received a face lift for the internet of things age. Hello Barbie is able to take commands from your kids, but also connects to your home Wi-Fi network to shovel your children's conversations to the cloud -- purportedly to improve Barbie's voice recognition technology. At the time, groups like the Campaign for a Commercial Free Childhood complained that monetizing the ramblings of toddlers was a line that shouldn't be crossed, given that kids would no longer be talking to a doll, they'd be "talking directly to a toy conglomerate whose only interest in them is financial."
But beyond the ethical implications of marketing to kids is the more pressing lack of security and privacy standards apparent in most IOT devices. As hacked automobiles, tea kettles and refrigerators all perfectly illustrate, companies are so eager to cash in on the connected age that they "forget" about securing the end user. And now, as the Vtech hack recently illuminated, your kids' toys are no exception. Neither is Hello (I'm an NSA operative) Barbie.
A security researcher last week found it rather trivial to modify the doll to "access system information, Wi-Fi network names, its internal mac address, and account IDs," noting it would be easy to change what's collected and even where that data is stored. Granted, in Skynet Barbie's case, this requires physically obtaining the doll and torturing it. But the physical security of Barbie is only half the equation. Data's also obviously stored in the cloud, and Barbie's shiny new privacy policy warns kids this data can all be subpoenaed (so be good for goodness' sake):
“There are all sorts of issues about where that info is going, who’s listening and what it’s being used for and how it might come back to haunt you,” said Lori Andrews, Professor IIT Kent College of Law. Andrews describes the doll as a miniature surveillance device that can also record whatever else is going on in the room. The lengthy Barbie privacy statement discloses the company will report “a conversation that raises concern about the safety of a child or others”. “The company has said it’s going to take on the role of alerting the authorities,” said Andrews. “And in their privacy statement they also say they’re going to respond to legal subpoenas.”
Here you were thinking you were just buying your child a Barbie. Little did you know you were providing an internal mole for use in future custody hearings. And again, like the Vtech hack reiterates, physical security of the toy itself is only a small part of the equation. Companies are so damn enamored with the lure of the Internet-of-whatsa-doodles, they tend to not only forget to secure the device, the transmission, and the storage, but they very often hungrily collect way more data than is actually necessary. The end result is a modern household full of toys, appliances and devices guarded by what's at best paper-mache grade security standards.
Filed Under: barbie, internet of things, iot, privacy, security
Companies: mattel
Reader Comments
Other security issues...
[ link to this | view in chronology ]
Re: Other security issues...
Treat every electronic device you own as if it is under the control of a third party -- either a manufacturer, or someone who breached security before you even got the product. Pretty much every network-capable device these days supports encrypted transport and has at least one call-home capability.
You need to be watching what's leaving your network and what's going around IN your network as much as what's attempting to come in from the outside.
[ link to this | view in chronology ]
Re: Other security issues...
[ link to this | view in chronology ]
So play nice!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Solution is simple ..
I personally could not have been more proud when one of my kids told me they created an account on a web based game site using a bogus name and age. Usually they ask first before they create accounts but as they get older I let them have more leeway. I still run all household traffic through a SophosUTM. Props to Sophos for providing families a defense against the open internet.
That said, the majority of the fault can be laid right at the feet of the companies that keep foisting this junk upon the masses who are technically illiterate and know not better.
[ link to this | view in chronology ]
Re: Solution is simple ..
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Swatting Barbie
[ link to this | view in chronology ]
Next, we'll hear...
[ link to this | view in chronology ]
Re: Next, we'll hear...
[ link to this | view in chronology ]
which come and kill a child and his dogs?
[ link to this | view in chronology ]
I cannot imagine any valid use for individual conversations between parents and children, as an example. But I can imagine needing to store that data at least temporarily to be able to send it back and forth between devices. Their real issue appears to be not doing housecleaning.
Also, I think a little consumer education is needed here. Most home wi-fi setups (at least newer ones) support either guest networks or more restrictive secondary network access that would be perfect for "internet of things" while protecting your personal devices such as desktops, laptops, and handheld devices. All IoT style devices need to be treated as potential security holes, and given access in keeping with their nature. Giving them run of the house is just a really bad idea.
[ link to this | view in chronology ]
Re:
It's about marketing opportunities, Whatever. Turbo-charged pester power.
[ link to this | view in chronology ]
Firewalling
[ link to this | view in chronology ]
I think I'll try this...
[ link to this | view in chronology ]
Make it happen, Internet!
[ link to this | view in chronology ]
This will end badly.
[ link to this | view in chronology ]
1984 available on sale now!
[ link to this | view in chronology ]
Re: 1984 available on sale now!
[ link to this | view in chronology ]
Not too surprising...
http://www.dailydot.com/geek/barbie-engineer-book-girls-game-developers/
[ link to this | view in chronology ]
if this is what i think it is, this is really ugly, barbie.
[ link to this | view in chronology ]
Again
[ link to this | view in chronology ]