Somerset Recon: Mattel's WiFi-Enabled Hello Barbie Toys Vulnerable To Hacking And Phishing Attacks

By Diana Samson, Parent Herald January 27, 07:03 pm

The Internet of Things makes everything, from cars to home appliances, smarter and more efficient at serving you; however, it comes with a caveat. Because such devices are always connected to the Internet, they carry vulnerabilities that can expose your smartphone, tablet, laptop, or PC. Case in point: researchers found several security bugs in a Barbie doll that make it vulnerable to hacking.

According to Newsweek, cybersecurity firm Somerset Recon claims that the Hello Barbie toy, which Mattel introduced last year, has serious security and privacy issues. In a report published on Monday, the security research team revealed that the doll has a total of 14 vulnerabilities.

Hello Barbie is a doll equipped with speech recognition technology and WiFi connectivity to allow verbal exchange between the child and the toy. It is considered one of the more high-tech toys on the market today, at least for its intended age group.

Barbie is also connected to an artificial intelligence system that enables it to respond to the child by choosing from a databank of more than 8,000 pre-recorded lines.

Of the 14 security holes, four are considered severe, while the threat from the 10 remaining issues is rated "low." The most concerning vulnerability is the ability to submit an unlimited number of password guesses without triggering an account lockout.

In most cases, users choose a password that is very easy to guess. In 2015, the most popular password was "123456" for the fifth year in a row, Yahoo! News reported.

A successful attacker would then have access to recordings of the child's conversations with the doll. Mattel and the AI developer, ToyTalk, allow parents access to the interactions between their child and Barbie, which they can choose to delete or share on their social media accounts.

Moreover, ToyTalk's own website does not require its users to choose a complex password. The security researchers revealed that the company's password policy requires a minimum of eight characters but does not require at least one number or special character.
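As an added illustration of the two weaknesses described above (no lockout on repeated guesses, and a length-only password rule), here is a small defensive sketch; it is not ToyTalk's or Mattel's code, and the account store, thresholds and in-memory tracking are assumptions made for the example.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5           # failures allowed inside the window before lockout
WINDOW_SECONDS = 15 * 60   # sliding window in which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked

# Constructed demo credential store (hypothetical); a real service stores salted hashes.
_USERS = {"parent@example.com": "correct-horse-battery"}


class LoginGuard:
    """Counts failed logins per account and refuses all checks while the account is locked."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def attempt(self, account, password):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"                 # even a correct password is refused while locked
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        stored = _USERS.get(account, "")
        if stored and hmac.compare_digest(stored, password):  # constant-time comparison
            self.failures[account] = []
            return "ok"
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:     # the check the article says was missing
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []
            return "locked"
        return "denied"


def check_password_policy(password, require_complexity=True):
    """Return the list of policy violations. With require_complexity=False it mirrors
    the eight-character-minimum-only rule described in the article."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if require_complexity:
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(not c.isalnum() for c in password):
            problems.append("no special character")
    return problems
```

Note that "password" passes the length-only rule unchanged, which is exactly why an unbounded guess count matters.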

Somerset Recon also warned that users of the doll might be targeted in phishing scams. According to the report, consumers might receive links that appear to come from ToyTalk but redirect to phishing websites.

The company responded immediately to fix the doll's vulnerabilities. ToyTalk enlisted the help of bug bounty hunters to find the security issues so that they could be patched before anyone fell victim to illegal cyber activity. However, the research firm was not impressed.

"The number of vulnerabilities found in both ToyTalk's websites and web services, and in such a short amount of time, indicates that they had little to no pre-production security analysis and are relying on their bug bounty program to patch up the holes," Somerset Recon wrote.

For more information, you can find the full report on
