Welcome to the Internet of toys.
Hello Barbie, Mattel’s Internet-connected iconic doll, has a few insecurities. Computer security researchers dug into the toy’s accompanying app and discovered several flaws that let hackers eavesdrop on communications between it and the cloud servers it connects to.
The doll uses Wi-Fi to transmit audio from children talking to it to servers that process the speech and prepare responses. The doll acts sort of like a digital assistant, like Apple’s Siri or Microsoft’s (MSFT) Cortana.
Andrew Hay, research director at Cisco-owned (CSCO) OpenDNS, and researchers at Bluebox Security, a security firm based in San Francisco, found that the toy uses a digital ID that attackers can abuse and potentially let them spy on the chatter between a doll and a server. The vulnerability affects the Google (GOOG) Android as well as the Apple (AAPL) iOS versions of the Hello Barbie app.
Additionally, the researchers found that phones with the app will automatically connect to any Wi-Fi network that includes “Barbie” in its name. The servers that link with the dolls were also vulnerable to Poodle, an encryption-busting bug that Google researchers raised the alarm bells about more than a year ago.
To design the doll and app, Mattel (MAT) partnered with ToyTalk, a tech startup founded by former Pixar executives in 2011 that has raised $31 million in venture capital funding to date. Bluebox alerted the company to the problems before releasing its report.
“We have been working with Bluebox and appreciate their Responsible Disclosure of several issues with respect to Hello Barbie,” Martin Reddy, chief technology officer and co-founder of ToyTalk, said in a statement emailed to Fortune. He said the company has patched the Poodle vulnerabilities, although he did not say whether the issue with the digital ID, or authentication credential, had been, or would be, fixed.
Per the note:
It is important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access WiFi passwords, no access to child audio data, and cannot change what the doll says.
VTech, another children’s toymaker, recently suffered a data breach that leaked information on 6.4 million children and 4.8 million adults.
In companies’ push to connect everything to the Internet—from automobiles to ovens to toys—vulnerabilities are certain to abound. In the case of Hello Barbie at least, no one can say they didn’t see this coming.
Follow Robert Hackett on Twitter at @rhhackett. Read his cybersecurity, technology, and business coverage here. And subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology, where he writes a weekly column.
For more about the app-enabled toys, watch the video below:
