Mattel’s “Hello Barbie” is one of the hottest toys this holiday season, but researchers warn that a security flaw that affects the Wi-Fi-enabled doll is capable of quickly turning Christmas into the creepiest time of the year.
Retailing for about $75, the “Hello Barbie” is perhaps the most advanced action figure on the market: between being Wi-Fi-ready and equipped with speech recognition technology, Mattel claims the doll “can interact uniquely with each child by holding conversations, playing games, sharing stories and even telling jokes.”
But security researcher Matthew Jakubowski told NBC News this week that the toy isn’t only of interest to kids, however. The personalized data that is collected by the doll is stored on the cloud, where it can easily be compromised by hackers, he explained.
“I was able to get some information out of it that I probably shouldn’t have,” Mr. Jakubowski told NBC after hacking the Hello Barbie’s operating system.
The researcher said he was able to access system information, the names of Wi-Fi networks the toy had connected to, unique identifiers that can be linked back to an individual doll and even audio files, NBC reported.
“You can take that information and find out a person’s house or business,” Mr. Jakubowski said. “It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”
The company behind the doll’s advanced technology, ToyTalk, did not deny that the Hello Barbie can be hacked, but downplayed Mr. Jakubowski’s findings, saying parents shouldn’t be alarmed.
“We put parents in control of their child’s data, beginning with parental consent and by giving them the option to review and delete any or all of their child’s interactions with Hello Barbie,” a spokesperson told NBC. “We think parents should feel confident about their child’s privacy with Hello Barbie.
“An enthusiastic researcher has reported finding some device data and called that a hack. While the path that researcher used to find that data is not obvious and not user-friendly, it important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security nor privacy protections has been compromised to our knowledge,” they added.
More than 6,000 people have signed their names to a petition launched by the Campaign for a Commercial-Free Childhood, imploring Mattel to stop production of the doll.
“If I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed,” Georgetown University Law Professor Angela Campbell told CCFC.