Internet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bug

The dreaded Hello Barbie. (credit: Mattel)

A recent review of the Internet-connected Hello Barbie doll from toymaker Mattel uncovered several red flags. Not only did the toy use a weak authentication mechanism that made it possible for attackers to monitor communications the doll sent to servers, but those servers were also vulnerable to POODLE, an attack disclosed 14 months ago that breaks HTTPS encryption.

The vulnerabilities, laid out in a report published Friday by security firm Bluebox Labs, are the latest black eye for so-called "Internet of Things" devices. The term is applied to appliances and other everyday devices that are connected to the Internet, supposedly to give them a wider range of capabilities. The Hello Barbie doll is able to hold real-time conversations by uploading the words a child says to a server. Instant processing on the server then allows the doll to provide an appropriate response.

Bluebox researchers uncovered a variety of weaknesses in the iOS and Android app developed by Mattel partner ToyTalk. The apps are used to connect the doll to a nearby Wi-Fi networks. The researchers also reported vulnerabilities in the remote server used to communicate with the doll.

Read 3 remaining paragraphs | Comments

Canada’s role in international botnet takedown

The Canadian Radio-television and Telecommunications Commission (CRTC) has served its first warrant under Canada’s Anti-Spam Law (CASL) to take down a Toronto-based command and control server.  The malware family Win32/Dorkbot had reportedly infected more than a million personal computers in 190 countries.

The CRTC has repeatedly stated that it is working together in close collaboration with other countries to address spam, malware and other “online threats”.  In this case, the CRTC collaborated with the FBI, Europol, Interpol, Microsoft, and the RCMP, among others.  The CRTC Chief Compliance and Enforcement Officer, Manon Bombardier, has said that “partnerships between domestic and international law enforcement agencies are key in the fight against transnational cyber threats”.  CASL expressly provides for sharing information among the Government of Canada, various Canadian enforcement agencies, and the government of a foreign state or international organization, for the purpose of administering and enforcing CASL’s anti-spam and malware provisions.

For more information on CASL’s application to malware, see CASL – Software, Apps and other Computer Programs.