Hello Barbie! is an IoT-enabled (Internet of Things) Barbie Doll with blonde hair, blue eyes and a built-in surveillance system. She’s not the first of her kind (and she won’t be the last), but here’s what you should know about bringing it, or any connected device, into your home.
Everything that connects to the public Internet is vulnerable. Encryption does not solve the problem. While it is true that you need about 6.4 billion years to crack a 2048-bit PGP encrypted file, I can probably socially engineer you out of your encryption key by attaching a little piece of malware to an email that offers you two discounted Super Bowl tickets and a deal on a hotel.
In practice, no one, not even the very best whitehat hackers, can predict how clever or innovative blackhat hackers will become, or what kind of unexpected new hacks will evolve. Interestingly, there are two immutable facts of digital life: (1) Everything that can be connected will be connected. (2) Everything that can be hacked will be hacked. This is where Hello Barbie! gets in trouble. But it shouldn’t. Hello Barbie! is not a Barbie Doll; it’s a connected device. Here’s what you need to know:
1 – Barbie Is Not Smart, but She Is Connected
In order to have a conversation with you, Hello Barbie! has to connect to ToyTalk, Inc.’s servers. This requires, in most cases, a WiFi connection and access to the public Internet. How secure is this connection? A better question is, how secure is your home WiFi network (or the public one you’re using to connect the doll)? If you don’t know the answer, Hello Barbie! is not your problem. Your computers, game consoles, the thermostat on your wall or your connected doorbell poses a greater danger to your cyber-safety.
2 – She’s Not “Always On”
Contrary to sensationalist reports, Hello Barbie! cannot listen to you unless you press the “talk” button. Then, and only then, your voice is recorded, encrypted and transmitted via the public Internet to a remote server (the “cloud”) where the audio file of your voice is stored. The file is stored, and anonymized versions are shared with third-party vendors because the machine-learning tools that Mattel and ToyTalk, Inc. are using “learn” from each interaction with real people. The machine-learning algorithms must be “trained” in order to improve. I wrote an article that may help you better understand this process entitled “Can Machines Really Learn?”
3 – Barbie Really Can’t Talk; She Responds
After your voice file is received by ToyTalk, Inc.’s servers, it is analyzed (as quickly as possible) by a natural language processing (NLP) algorithm that attempts to understand what you have said. Then, the algorithm makes its best guess at the most appropriate response from a relatively small list (about 8,000 possible responses – get the full list here), and when you release the button, Hello Barbie! will “talk” to you by playing back the pre-recorded response the algorithm has chosen. You can think of Hello Barbie! as a crippled Siri, OK Google, Cortana or Alexa with very strict response guidelines.
4 – She’s Got a Good Memory for Networking
Hello Barbie! connects to any WiFi network. To accomplish this, you press and hold the power button and the talk button for three seconds until the doll’s necklace flashes white. Then, you launch the Hello Barbie! companion app and enter your network credentials. Like your smartphone, Hello Barbie! can store (remember) WiFi networks it has successfully connected to in the past and automatically connect to them. This is a very convenient feature. For the uninitiated, even this simple connection process is painful. Importantly, Hello Barbie! cannot be used by anyone (owner or hacker) when it is not connected.
5 – She’s a Great Target for Hackers
Maybe. Here’s what a hacker would need to do. First, infiltrate the WiFi network where the Hello Barbie! is being used. Then, figure out a way to store malware in the device. Some good ideas for doing harm include defeating the talk button and getting control of the transducer. This way a hacker could listen to every conversation. Alternatively, a hacker could just copy the audio files from each interaction, or worse, a hacker could use counterfeit servers to replace ToyTalk, Inc.’s servers and trick the user into interacting with the hacker. But here’s the important thing: if a hacker wanted to do harm to someone using digital tools, there are much, much easier ways. Hacking Hello Barbie! is not the path of least resistance, and the value (since no financial or account information is stored in the device) is minimal.
You could argue that recording a child’s conversation with an imaginary friend (albeit an anthropomorphized one) might yield incriminating or useful information about things going on in the household, or something even more nefarious. But it’s 50 times easier to activate the microphone and webcam on an average WiFi-connected laptop (without the user’s knowledge) than it would be to hack this doll. And the results of a dropcam or webcam hack would yield much more usable data.
The Bottom Line
Hello Barbie! is no more dangerous than any smart device you bring into your home. That said, manufacturers need to heed this tale. Mattel has taken some serious flak over its perceived (and in some cases real) lack of security protocols. While any motivated hacker could (and would) have a field day with Hello Barbie!, most motivated hackers can have a field day with a connected toaster oven. That’s what hackers do.
My best advice is to use Hello Barbie! as directed AND do what parents have been doing from the beginning of time: watch your kids. Would you allow your 14-year-old daughter and a 16-year-old boy to be alone in her room with with the door closed? Then why would you let any child be connected to the public Internet without adult supervision? Remember, Hello Barbie! is not a Barbie Doll; it’s a connected device. Treat it like one, and everything else will take care of itself.