Mattel's "Hello Barbie," which allows children to engage in conversation with the iconic doll, suffered at launch from serious security issues, according to analysis by experts at Bluebox Labs. Much like Siri and Google Now, the doll would send recorded speech to the cloud, where the audio was analyzed and a response determined and sent back to the doll for playback.
But Bluebox's analysis, published Friday, shows that this process was vulnerable at several points. The app, for instance, would connect to any Wi-Fi network with the word "Barbie" in the name, regardless of whether that connection was secure, putting transmitted data at risk.
The servers that stored and analyzed speech were vulnerable to phony security certificates as well, Bluebox reported, and had not patched the widespread "POODLE" bug that affects secure connections.
The testers reported their results to Mattel and ToyTalk; Mattel told NBC News in an email that it is "working closely with ToyTalk to ensure the safety and security of Hello Barbie."
In a separate statement emailed to NBC News, ToyTalk wrote:
"We have been working with Bluebox and appreciate their Responsible Disclosure of several issues with respect to Hello Barbie. We have already fixed many of the issues they raised, such as removing the weaker SSLv3 ciphers from our servers."
These issues may have been resolved in short order, but this is one more example of why consumers should treat the "Internet of Things" with caution.