A clearly harmless fluffy toy, not known to transmit private data
Barely a couple of months after my ITsecurity article about Furbys (updated article here), John Zorabedian told us how a “Hell No Barbie” social media campaign targets Mattel’s talking toy.
Yes, Barbie was in trouble again, though at least she wasn’t spreading viruses this time. It could certainly be said that she was still failing as a security role model, though she was no longer perpetuating the stereotypical myth that ‘girls can’t do IT, let alone programming’. At any rate, the Campaign for a Commercial-Free Childhood was (for a while) very worried by Hello Barbie, a Wi-Fi enabled version of the doll with an embedded microphone intended to transmit what the child who owns it says to cloud-hosted voice recognition software.
The real reason Barbie is no longer a computer engineer
The CCFC article articulated concerns that analysis of the child’s conversations will be used to elicit information about the child’s interests and family, and that play will be driven by Mattel rather than the child. Mattel’s policy on the data it collects, including audio data, made much of its limited nature, but apparently parents were not convinced. In April 2016 another Fairplay article shared a Bloomberg report indicating that sales of the doll had been extremely disappointing for Mattel, and the product and service were soon discontinued.
According to an article in The Register dating back to the announcement of the Pink Fink, Big Blue was moving in a similar direction with a Green Dinosaur. (This is starting to look like a Rainbow Coalition with overtones of Zippy and Bungle.)
It may not have escaped your notice that this is the (probably inevitable) next step from furry devices like Teddy Ruxpin and Furby, which only played back pre-recorded material and had no recording capability. It’s a big step, though. I had no grounds (apart from nearly seven decades of scepticism and downright cynicism) for disbelieving Mattel’s assurances that children would not be bombarded with advertising, but the acceptance of this level of ‘eavesdropping’ with the potential for conversational data to be transmitted far beyond the walls of home and reviewed by outsiders has ‘interesting’ and disconcerting implications. Other parties were less scrupulous, and by 2016 the market for other overly-communicative and potentially vulnerable products was clearly expanding. As I’m no longer in the security business, I’ve not been tracking that market, so further research is left as an exercise for the reader, with bonus points for analysis of the additional threats posed by AI.
Sadly, the Team Cymru article on Hello World Meets Hello Barbie seems to have disappeared: I’d like to have retrieved it, as it made some points worth considering on the need to teach security awareness at an ever-earlier age, and on parental responsibility in particular. (You can’t blame everything on the inadequacies of antivirus.)
I never did hear whether NSA staff would be banned from bringing their Barbies to the office, either. Perhaps they’d be expected to leave them at home to keep Furby company. Nor did I get to hear Edward Snowden’s revelations about My Little Pony.
You might find later Sophos blogs on similar issues of interest, while this article of mine for ESET addresses the risks from the Internet of Things more generally. And while I no longer maintain this page on the Internet of Unnecessarily Networked Things, it includes a wide range of links on the topic.