Wi-fi “spy” Barbie records children’s conversations – and could be a target for hackers, say experts
17 February 2015
Toymaker Mattel has announced plans to create a connected Barbie doll capable of having internet-based conversations with children
Grown-up technology recording your conversations is one thing, but putting it in the hands of a child is quite another.
Toymaker Mattel has partnered with a San Francisco startup called ToyTalk to develop “Hello Barbie” – an internet-connected version of the popular doll that’ll strike up a real conversation with your little tykes.
Spy Barbie currently uses a bank of pre-programmed responses to common questions and speech recognition software to detect which one to use.
However, it starts to get a bit creepy the more your nipper chats with the toy.
It will actually record each child’s response and store it in a database in the cloud to allow the team at ToyTalk to develop more complex conversations.
“Whatever we come away with as our first blush attempt at the conversations, we’ll see what kids want to talk about or not,” said Oren Jacob, CEO of ToyTalk and former CTO of Pixar.
“We’ll take our honest best guess at that and then see what comes back, and then that will change and evolve over time as those conversations happen between individual children and Barbie dolls,” he told FastCompany.
If that worries you a bit, you’re not alone. Ken Munro, a security researcher at Pen Test Partners, performed a hack on a similar toy called My Friend Cayla – and warns there are obvious security concerns to take note of.
“It wouldn’t take much for a malicious individual to intercept either the wi-fi communications from the phone or tablet, or connect to the doll over Bluetooth directly.
“These problems aren’t difficult to solve; the manufacturer needs to check the phone application carefully to make sure it’s secure. They also need to check that any information sent by the doll to their online systems is protected.”
James Schmidt, a director at Intel Security, agreed that a connected (and potentially unsecured) Barbie could be a problem if security wasn’t addressed.
“The potential issue is around the information recorded from the child. If that text is sent to a server, there’s a security use-case there,” he said.
“Potentially, the Barbie could ask a question to prompt for information from the child that could then be used by this party for any marketing purposes.”
ToyTalk already has a number of iPad games in the Apple App Store that use its speech-recognition software to interact with children.
For any child under 13 to use the apps, the company requires parental consent and it makes clear what the recordings will be used for.
“We share audio recordings with third party vendors who assist us with speech recognition,” the company says.
“These vendors do not have access to your account information and have agreed to not retain any copies of these audio files.”
When it comes to Hello Barbie, though, the company has rejected the security concerns mentioned above.
“While we’re familiar with the Cayla doll and with what happened in terms of a privacy breach, Hello Barbie is fundamentally different on many levels,” said a company spokesperson.
“As with all of ToyTalk’s products–we started with apps for kids–online privacy and security is of utmost importance. That’s why we ask for parental consent and agreement to use their kids’ speech, anonymously, to add to our database in order to increase Barbie’s conversational capabilities.
“To address the issue of being able to intercept the wi-fi communications or connect Barbie via Bluetooth, all communications take place over a secured TLS (HTTPS) network and it’s not possible to connect her via Bluetooth.
“Further, Barbie connects directly to ToyTalk servers–not via an outside app with local data stored on it. And no back doors are being added to the app, to further avoid access issues.”
Mattel isn’t hanging around when it comes to production either.
The company has a prototype on show at the New York Toy Fair this week and hopes to have the doll ready for Christmas 2015.