
'Hello Barbie' Should Say Goodbye to These Security Settings

Stephanie Mlot, Contributor


For $75 this holiday season, you can chat with Barbie, playing games, sharing jokes, and opening yourself up to a personal data breach. Wait, what?

Mattel's Wi-Fi-connected "Hello Barbie" boasts some of the same features as your mobile virtual assistant—she talks, stores data in the cloud, and gets to know you over time. But according to a report from security firm Bluebox Labs and researcher Andrew Hay, the famous blonde also poses a security risk for children and parents.

Never one to leave home without accessories, Hello Barbie comes with a free companion app for Android and iOS. Users must log in with a ToyTalk account to activate conversational features. But Bluebox discovered several issues, most notably that the apps connect to any wireless network with the word "Barbie" in the name.

That means anyone within range of your Wi-Fi-enabled figure could create a fake network and tap into your saved data and recordings.

"For any connected device, strong security must take into account not just the device itself, but the full scope of apps and infrastructure associated with it," said Andrew Blaich, lead security analyst at Bluebox.

"As a leader in the toy industry for more than 70 years, Mattel is committed to safety and security when bringing new products to market," a company spokeswoman told PCMag.

"It is important to note that in all claims we know about, no children's audio files were accessed, no passwords were compromised, no personal information was disclosed and no dolls were made to say anything unintended," she continued.

Technology partner ToyTalk last week addressed public concerns, saying that "we are not aware of anyone who has been able to access your Wi-Fi passwords or your kid's audio data."

"Mattel and ToyTalk have invested a lot of effort to build the safest experience possible for parents and their children," ToyTalk CTO Martin Reddy wrote in a blog post. "As part of that commitment, we are actively engaging the security community to address any concerns."

In fact, Bluebox said a number of issues were resolved ahead of publication of its research. And for those that weren't, ToyTalk has initiated a security bug bounty program to keep Hello Barbie, and her friends, safe from prying eyes.

This wasn't the first complaint about Mattel's new talkative doll, which was introduced in February. In March, the Campaign for a Commercial-Free Childhood (CCFC) issued a petition to stop the toy from hitting shelves. The group was concerned about Barbie probing children about their interests, families, or location, not to mention the possibility of her being reprogrammed with inappropriate replies, or switched to an always-on mode.
