Barbie has gone through more reinventions than Madonna in her 57 ageless years, but her latest reincarnation could be her most revolutionary yet. The internet of things has entered the playroom, and it’s added a layer of intelligence to Mattel’s signature fashion doll, which can now record what children say and give personalised replies by feeding data to the cloud and analysing their play habits.

It all sounded like fun and games until reports emerged last September that Hello Barbie might not be as innocent as she seemed. Security vulnerabilities in the Wi-Fi-enabled doll offered a route to turn it into a surveillance device and, from there, onto the home network it was connected to.

Image: iStock/Ekaterina Minaeva

Security researcher Matt Jakubowski told NBC Chicago he had accessed the toy's operating system to extract system information, the names of the Wi-Fi networks and the account IDs it connects to, and the audio it records. He claimed that information could be used to find the house the doll was kept in and then to access the home network.

"We're still struggling to have a security kind of mindset when we develop software and products," Gartner analyst Ruggero Contu tells Techworld.

"There is a need — particularly in the world of digital business and IoT — that security processes and best practices in technology are embedded into the development stage, and at the moment I don't think it's the case."

Barbie isn't the only example of an insecure Mattel smart toy. Its subsidiary Fisher-Price produces an interactive stuffed animal whose back-end service, researchers at Boston security company Rapid7 found, did not adequately verify who was asking for data, so it could give out personal details about a child.

Other manufacturers have faced similar criticisms. The toymaker VTech admitted in November 2015 that information about more than six million children, including children's photos and home addresses, had been stolen by hackers who broke into the servers behind its devices.

Legal action

The spate of exposed vulnerabilities led a trio of consumer watchdogs in the USA to file a complaint last December alleging that some toy manufacturers collected and used personal information, including children's voices, and provided a way for strangers to listen in on their conversations.

The submission claims the toys violate the Children's Online Privacy Protection Act (COPPA), which requires companies to obtain verifiable parental consent before collecting personal information online from children under the age of 13.

Mattel told Techworld that it was committed to safety and security when bringing new products to market.

"Mattel and its partners take a number of steps to ensure all of our products conform with applicable laws and standards, including the Children's Online Privacy Protection Act," the company said in a statement.


Hello Barbie is not sold in the UK, where similar devices may breach the terms of the EU Unfair Contract Terms Directive, EU Data Protection Directive and Toy Safety Directive. But the regulations appear to have provided insufficient deterrence so far.

"The problem with the IoT world is that responsibility can be potentially attributed to different participants in the ecosystem," says Contu.

"There are the manufacturers that obviously have some relevant responsibility, there are the communications service providers that when we look at for example a major denial of service attack, potentially could do more to limit the effectiveness of such attacks [and] there is the responsibility of the consumers themselves."

Smart toy dangers

These concerns are not new. In 1998, an electronic toy capable of learning English through play called Furby became the must-have Christmas gift for children. The National Security Agency saw a sinister potential bubbling under the fake fur and banned the cuddly robot from its headquarters, forcing Tiger Electronics president Roger Shiffman to declare that "Furby is not a spy!"

IoT technology has turned such paranoia into justified anxiety and the market is set for a boom. Smart toys are predicted to reach $2.8 billion in revenues in 2020 according to Juniper Research, more than quadruple the figure they estimated for 2015.

Smart toys don't just interact with children. Parents can also use them to monitor a child's location if the child carries the toy around. A security breach could let someone find out where the toy was, or even feed false data back to the parent indicating that the child was somewhere they weren't.

The potential dangers of internet-enabled toys don't end at the device itself. A compromised toy holds the details of the Wi-Fi network it joins (Jakubowski pulled network names and account IDs off Hello Barbie), and a toy that can be reprogrammed becomes a foothold inside the home network, giving hackers an entry point to everything else connected to it, such as mobiles, computers and smart TVs.

"If you're talking about people's home computers, at some point there is somebody sitting in front of a screen, you can give them some instructions and tell them what to do," says Paul Marshall, the chief customer officer at IoT connectivity provider Eseye.

"When we talk about internet of things devices, there's a lot of them and you can't tell them to be careful, you can't tell them there's a new threat about, you have to build that in from the get go."

IoT security

Eseye has developed a product that it says could allay some of the fears. The AnyNet Secure SIM lets connected devices such as smart toys be activated, connected, certified and authenticated remotely, without the security material having to be handled at the point of use.

The company identified reliable device identity as the key to its solution, and decided that leaving an individual to enter a security key into each device would itself be a major vulnerability.

"You could put the security key in at manufacture, but we see a lot of customers nervous about that, because if you're outsourcing the manufacture, you don't necessarily know where your security material's going," says Marshall.

"And this is the security material that allows not only the device to identify itself, but also to feed data straight into the core network delivering the back end services.

"The other possibility that people could see is that you open up an insecure connection to start with and quickly send the security material across it, but then of course you've still got this insecure link that you're delivering the security material across."

The solution it developed delivers the application's security material over the channel the modem already uses to authenticate to the network operator, a channel keyed by the AnyNet Secure SIM, so no separate, unprotected link ever carries it.

"The device is identified by the SIM card and that's secure and known, so therefore nobody actually needs to type in a number or copy-paste anything or feed anything in locally."
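The two over-the-air provisioning routes Marshall contrasts, modelled in Python as an added example (this is not Eseye's code and does not describe how AnyNet Secure works internally; the shared `sim_secret`, the `hkdf_sha256` helper, the device ID `toy-0001` and the location reports are constructed assumptions). It shows a key shipped over an unauthenticated first link, which a listener simply reads off the wire, beside a key derived on both ends from a secret the SIM already shares with the operator, so only a nonce and a confirmation MAC ever cross the link. The key-at-manufacture option is left out because its exposure is the factory, not the link. The example also ties back to the spoofed-location worry above: the provisioned application key is what lets the back end reject a forged "child is at home" report.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: the report an eavesdropper would like the back end to
# accept, telling the parent the child is safely at home.
FORGED_REPORT = {"device": "toy-0001", "lat": 51.5007, "lon": -0.1246, "status": "home"}


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def sign_report(app_key, report):
    """Device side: canonicalise the report and tag it with HMAC-SHA256."""
    body = json.dumps(report, sort_keys=True).encode()
    return body, hmac.new(app_key, body, hashlib.sha256).hexdigest()


def verify_report(app_key, body, tag):
    """Back-end side: accept the report only if the tag matches."""
    expected = hmac.new(app_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def provision_over_insecure_link(wire):
    """The route Marshall warns against: the back end generates the key and
    sends it over the first, unauthenticated connection. `wire` stands for that
    link; everything appended to it is visible to a listener."""
    app_key = secrets.token_bytes(32)
    wire.append({"msg": "provision", "key": app_key.hex()})
    device_key = bytes.fromhex(wire[-1]["key"])      # device reads it off the link
    return app_key, device_key


def provision_over_sim_channel(wire, sim_secret, device_id):
    """SIM-rooted route, simplified. `sim_secret` (an assumption of this model)
    stands for the secret the SIM and the operator already share to authenticate
    the modem; in a real network it never leaves the SIM or the operator's core,
    so here it is only used for derivation on each end and never crosses the
    link. The operator picks a nonce, both sides derive the same application key
    from secret + nonce, and only the nonce and a confirmation MAC are sent."""
    nonce = secrets.token_bytes(16)
    info = b"app-key|" + device_id.encode()
    backend_key = hkdf_sha256(sim_secret, nonce, info)
    confirm = hmac.new(backend_key, b"confirm", hashlib.sha256).hexdigest()
    wire.append({"msg": "provision", "nonce": nonce.hex(), "confirm": confirm})

    msg = wire[-1]                                    # device side
    device_key = hkdf_sha256(sim_secret, bytes.fromhex(msg["nonce"]), info)
    check = hmac.new(device_key, b"confirm", hashlib.sha256).hexdigest()
    if not hmac.compare_digest(check, msg["confirm"]):
        return backend_key, None                      # derivation mismatch: refuse to go live
    return backend_key, device_key


def eavesdropper_forges(wire, backend_key):
    """Given everything seen on the link, try to forge a location report that
    the back end accepts. Returns True if the forgery verifies."""
    seen = wire[-1]
    if "key" in seen:
        guessed = bytes.fromhex(seen["key"])          # the key was simply on the wire
    else:
        # Without the SIM secret the best it can do is guess from the nonce.
        guessed = hashlib.sha256(bytes.fromhex(seen["nonce"])).digest()
    body, tag = sign_report(guessed, FORGED_REPORT)
    return verify_report(backend_key, body, tag)


def demo():
    """Run both provisioning routes and report what a listener can do."""
    results = {}

    wire = []
    backend_key, device_key = provision_over_insecure_link(wire)
    results["insecure_keys_match"] = backend_key == device_key
    results["insecure_forgeable"] = eavesdropper_forges(wire, backend_key)

    wire = []
    sim_secret = secrets.token_bytes(16)
    backend_key, device_key = provision_over_sim_channel(wire, sim_secret, "toy-0001")
    results["sim_keys_match"] = backend_key == device_key
    results["sim_forgeable"] = eavesdropper_forges(wire, backend_key)

    # A genuine report from the device still verifies; a tampered one does not.
    genuine = {"device": "toy-0001", "lat": 51.4811, "lon": -0.1225, "status": "park"}
    body, tag = sign_report(device_key, genuine)
    results["genuine_accepted"] = verify_report(backend_key, body, tag)
    results["tampered_rejected"] = not verify_report(backend_key, body.replace(b"park", b"home"), tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints that the key shipped in the clear lets the listener forge an accepted "home" report, while the SIM-derived key does not, yet the device's own reports still verify and a modified one is thrown out. The model deliberately keeps transport confidentiality out of scope: a production design would wrap the provisioning message in an authenticated encryption scheme from an established library rather than rely on derivation alone.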

The tale of Hello Barbie is a terrifying one for parents, but the reactions of the industry and security companies offer some hope that the risks will be reduced in her next reinvention.