List:       isn
Subject:    [ISN] Hello Barbie controversy re-ignited with insecurity claims
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2015-11-30 11:00:13
Message-ID: alpine.DEB.2.02.1511301100010.794 () infosecnews ! org

http://www.theregister.co.uk/2015/11/29/hello_barbie_controversy_reignited_with_insecurity_claims/

By Richard Chirgwin
The Register
29 Nov 2015

Back in February, The Register queried the security and privacy 
implications of Mattel's "Hello Barbie", and now the doll has hit the 
shelves, a prominent security researcher has turned up the first security 
problems with the toy.

After an initial flurry of concern, the issue went quiet, but last Friday 
Matt Jakubowski (formerly of Trustwave's SpiderLabs) reignited it by 
extracting Wi-Fi network names, account IDs, and MP3 files from the toy.

That brought a defensive response from Oren Jacob, CEO of ToyTalk (which 
provides the cloud processing chunk of Hello Barbie). He called Jakubowski 
an "enthusiastic researcher", said the data is "already available" to 
customers, and "no major security or privacy protections have been 
compromised".

While it's probably easier to get an SSID by standing outside a house and 
letting it pop up on your phone's Wi-Fi connection list, an account ID is 
another matter, since all an attacker needs is to get a password and they 
have access to the Hello Barbie account.

[...]


