What's inside a "Hello Barbie" surveillance toy?

Mattel's Hello Barbie has a microphone and a wifi interface, and it transmits the phrases it hears to a central server in order to parse them and formulate a response. Mattel claims that the data isn't being retained or harvested for marketing purposes, and assures parents that they can make Barbie stopping eavesdropping on them at will. But does it work?

Somerset Recon has done a teardown on a Hello Barbie, examining its components and dumping its firmware. Part one of their report is online now, and it's a little dry: Hello Barbie has some standard IoT chips — a sound codec, a wifi card, etc — but until Somerset posts their analysis of the firmware dump, this is pretty preliminary stuff.

At the far left of the topside of the board is the AzureWave AW-CU300E 802.11 b/g/n WiFi Microcontroller Module (M1), which builds upon the Marvell 88MW300. In a press release, Marvell pointed out that this module "provides both the Wi-Fi connection as well as the microcontroller to run Hello Barbie firmware." This means that the mainboard is composed of a Wi-Fi MCU System-on-Chip (SoC) where everything else connected to it is a peripheral. This is interesting because Marvell is essentially providing IoT board designers a simple Internet-ready drop-in module for all their devices. We can imagine lots of IoT devices being designed using these sorts of ready-made network computer modules in the future.

The Nuvoton NAU8810 24-bit audio codec (U1), is located on the lower-middle half of the board. It provides ADC, DAC, gain, and input/output mixers for both the doll's microphone and speaker. It also has an I2C bus connector (J7) near the bottom-right corner.

The chip to the left of the AW-CU300E is a Gigadevice GD25Q16 16Mbit SPI Flash (U2), and is the system's main non-volatile memory. This is where the doll's firmware and resource files are stored.

Hello Barbie Security: Part 1 – Teardown

[Somerset Recon]