According to separate media reports in recent days, servers for at least two major toy manufacturers have either been hacked, or are susceptible to hacking.
Matt Jakubowski, a security expert, alleges Mattel’s WiFi enabled “Hello Barbie” doll can be turned into a surveillance device without the owner’s knowledge. Jakubowski claims the wireless connection allows easy access to the doll’s system information, account information, stored audio files, and direct access to the microphone. A compromised doll could also allow hackers to take over a home WiFi network, and then gain access to other internet connected devices.
Mattel has not yet officially commented on the issue, however Mattel’s partner ToyTalk has denied the allegations.
In another incident, toy company Vtech on November 27, 2015 admitted there was “unauthorised access” to its database on November 14. The server is a gateway for customers to download games, e-books, and other content onto their Vtech devices. While no financial records were reportedly compromised, the server contained general user profile information.
Analyst comment:
Toy manufacturers, especially those with products that can connect to servers, are encouraged to conduct a thorough forensic audit of their information technology systems, and address any potential loopholes immediately.
Clients who have used Vtech’s servers should contact the company to discern if any data were compromised, and should change all security passwords as a basic precaution. Personnel with access to sensitive information should also inform their information security officer as a security precaution, in case data were stolen due to the WiFi connection. The stolen information can be used for identity theft or other criminal practices.
In January 2015, Vivid Toy group’s Cayla Dolls were hacked to speak expletives. The company subsequently upgraded the application inside the dolls.