Internet-Connected Toys Are Getting Hacked, and It’s As Creepy As We Feared

Started by jimmy olsen, November 30, 2015, 06:28:33 PM

Previous topic - Next topic

jimmy olsen

If I was the hacker, I'd make it seemed like the doll was possesed!  :menace:

http://www.slate.com/blogs/future_tense/2015/11/30/researcher_matt_jakubowski_says_he_hacked_mattel_s_hello_barbie.html

Quote

Internet-Connected Toys Are Getting Hacked, and It's As Creepy As We Feared It Would Be

By Lily Hay Newman

In November 2014, British toymaker Vivid Toys debuted an Internet-connected doll, My Friend Cayla, that used speech recognition and artificial intelligence techniques to have conversations with kids. By February, researchers had hacked the doll to spew curse words. Now other Internet of Things toys are encountering similar problems.


On Wednesday, NBC Chicago reported that security researcher Matt Jakubowski had hacked Mattel's Hello Barbie, potentially exposing users' account information, home Wi-Fi networks, and MP3 files recorded by the dolls. Hello Barbie is a version of the classic toy that converses with kids, remembers things they say, and recalls details later. "I was able to get some data out of it that I probably shouldn't have," Jakubowski told NBC Chicago. "You can take that information and find someone's house or business."

When Mattel announced Hello Barbie in February, privacy advocates were concerned. The doll is always "listening," meaning that it sends audio files to a cloud server for processing and storage. In March, Angela Campbell, faculty adviser at Georgetown University's Center on Privacy and Technology, told the Washington Post, "If I had a young child, I would be very concerned that my child's intimate conversations with her doll were being recorded and analyzed." The Campaign for a Commercial-Free Childhood started a petition against the toy. And Network World published a story with the headline, "How long will it take for Internet of Things Hello Barbie to be hacked?" Well, now we have our answer.

Jakubowski hasn't published the details of his hack yet, and he noted in a tweet that the companies involved in Hello Barbie "really are doing a lot of stuff right." Oren Jacob, the CEO of ToyTalk, which provides cloud computing for Hello Barbie, said in a statement:

An enthusiastic researcher has reported finding some device data and called that a hack. While the path that researcher used to find that data is not obvious and not user-friendly, it['s] important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security nor privacy protections has been compromised to our knowledge.

It's fair enough to point out that not everything that is colloquially called a hack is actually an exploitation of a previously unknown vulnerability, but if Jakubowski is accessing data that typical customers would assume is secure, that sounds like a problem.

Meanwhile, Motherboard reported on Friday that cordless phone and electronic toy manufacturer VTech suffered a data breach in early November that exposed personal information from almost 5 million adult customers and 200,000 children, including names, birthdays, and genders. "What's worse, it's possible to link the children to their parents, exposing the kids' full identities and where they live, according to an expert who reviewed the breach for Motherboard," Lorenzo Franceschi-Bicchierai wrote. He added on Monday that the breach seems to include photos of children and family chat logs.

As everything from toys to educational tools come online, more and more data breaches will affect kids. Adults have to make their own choices about whether to trust tech companies with their data, but kids trust adults implicitly to make good cybersecurity decisions for them.
It is far better for the truth to tear my flesh to pieces, then for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point

Martinus


Martinus

QuoteAs everything from toys to educational tools come online, more and more data breaches will affect kids. Adults have to make their own choices about whether to trust tech companies with their data, but kids trust adults implicitly to make good cybersecurity decisions for them.

I don't understand the purpose of this statement. Isn't this true for essentially 99% of choices made by adults for their children? Whether it comes to the choice of school, food, entertainment or whether to get vaccinated, all these choices may be good or bad and children "trust adults implicitly" to make good decisions for them. Yet these decisions often aren't. I fail to see why we should single out online security like that, especially as many of the other choices I mentioned are much more important to the child's future than whether someone somewhere can hear them talking to their doll.

Tonitrus

My Amazon Echo is probably recording all the conversations I have with myself to the Cloud.

Valmy

Quote from: Martinus on December 01, 2015, 01:21:05 AM
Yet these decisions often aren't.

They aren't? Well I guess it depends on how often "often" is in this context.

Anyway I would think all that information being picked up is more damaging to the adults except in those very rare occurrences somebody out there actually cares about the kid in question. I have a hard time picturing some adult sitting out there thinking 'aha! 5 year old Jimmy wants to be a cowboy!' well ok maybe adults to market toys to kids or something. Suddenly the doll starts telling Jimmy about exciting cowboy related products.
Quote"This is a Russian warship. I propose you lay down arms and surrender to avoid bloodshed & unnecessary victims. Otherwise, you'll be bombed."

Zmiinyi defenders: "Russian warship, go fuck yourself."

garbon

"I've never been quite sure what the point of a eunuch is, if truth be told. It seems to me they're only men with the useful bits cut off."
I drank because I wanted to drown my sorrows, but now the damned things have learned to swim.

garbon

Quote from: Martinus on December 01, 2015, 01:21:05 AM
QuoteAs everything from toys to educational tools come online, more and more data breaches will affect kids. Adults have to make their own choices about whether to trust tech companies with their data, but kids trust adults implicitly to make good cybersecurity decisions for them.

I don't understand the purpose of this statement. Isn't this true for essentially 99% of choices made by adults for their children? Whether it comes to the choice of school, food, entertainment or whether to get vaccinated, all these choices may be good or bad and children "trust adults implicitly" to make good decisions for them. Yet these decisions often aren't. I fail to see why we should single out online security like that, especially as many of the other choices I mentioned are much more important to the child's future than whether someone somewhere can hear them talking to their doll.

Slate
"I've never been quite sure what the point of a eunuch is, if truth be told. It seems to me they're only men with the useful bits cut off."
I drank because I wanted to drown my sorrows, but now the damned things have learned to swim.