With the recent VTech breach exposing million of parents and children to risk, there is increased sensitivity and awareness around the security of Internet-connected toys this holiday season. Today, Bluebox Security revealed flaws in the Hello Barbie connected toy manufactured by ToyTalk. The good news, though, is that Bluebox responsibly disclosed the issues and ToyTalk acted quickly to remediate them.
Bluebox wasn't the only organization looking at the security of the Hello Barbie toy. An NBC report on Nov. 25 alleged multiple security issues with Hello Barbie.
Andrew Blaich, lead security analyst at Bluebox, said that the NBC report was coincidental and not connected to his firm's research.
"There are a few researchers looking at Hello Barbie from a variety of different aspects," Blaich told eWEEK. "We had started our work in early November with a focus on the mobile app and network communications from the doll. We went through responsible disclosure, which takes time before you can publicly disclose the findings."
Bluebox collaborated with independent security researcher Andrew Hay on the Hello Barbie security analysis. Blaich explained that Hay initiated the Barbie research and pulled Bluebox in to assist with the mobile app side of the research.
"We contacted ToyTalk in the middle of November, and we heard back within a few hours of contacting them," Blaich said. "ToyTalk was extremely fast to respond and started patching the issues we found within the same day of disclosure."
ToyTalk now also has a bug-bounty program that is operated by HackerOne, which provides hosted bug-bounty programs for organizations and recently named well-known open-source luminary Marten Mickos as the company's CEO.
"We worked with ToyTalk before their bug bounty became public and then submitted our work through it after it did go public," Blaich said. "Bluebox always follows responsible disclosure when submitting security issues that we find as we feel it is the most appropriate way of letting a vendor know about an issue and giving them time to fix it."
In terms of the actual vulnerabilities, Bluebox found issues on both the mobile app as well as the server side of the Hello Barbie platform. Hello Barbie is an interactive device that makes use of WiFi to listen and respond to a child's voice. Blaich explained that the main issues were the reuse of credentials for authentication with the server and being able to find the password in the source code for it. Additionally, there was an issue with an unsecured WiFi network that could be spoofed by nearby attackers.
"On the app side, the core issue is that the app itself is capable of being tampered with since it lacks self-defending behavior, which leads to things like the password disclosure," Blaich said.
The server side of the Hello Barbie app had a number of configuration and cryptography issues, as well. The biggest issue is that the server supported SSLv3 and was vulnerable to the POODLE attack. POODLE, or Padding Oracle On Downgraded Legacy Encryption, is a vulnerability first disclosed by Google in October 2015.
Blaich explained that because the server was initially vulnerable to the POODLE attack, an attacker could potentially listen on the communication channel and downgrade the crypto used on that channel to steal conversations going from the doll to the servers. He noted that ToyTalk patched the POODLE risk very quickly.
"We were pleasantly surprised at how fast and responsible ToyTalk handled the disclosures," Blaich said. "While there were security issues found, it is important to also measure how fast a company is able to react, respond and resolve the issues."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.