Security News

Major security flaw found in app-connected sex toy

Emma McGowan, 18 October 2020

When it comes to your devices, be on the lookout for signs of so-called abandonware

When we talk about the Internet of Things (IoT), we’re usually talking about “smart” home appliances. Fridges. Coffeemakers. Virtual assistants. But there’s another category of device that is also increasingly connected to the internet: sex toys. And, like other IoT devices, app-connected sex toys are at risk of security and privacy violations if they’re not created with security in mind. 

The latest to make the news is the Qiui Cellmate, a chastity device for men that can be unlocked or locked via an app and a Bluetooth connection. To people interested in this type of activity, it probably sounded like a dream come true.

But that dream turned into a nightmare when it came out that the lock has a major security flaw. According to the security firm Pen Test Partners, the API that the app uses to communicate with the toy was left open and without a password. That means anyone with the know-how could hack into the toy and take control of it. It also left the users’ exact locations and private messages open to intruders. 

“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device,” Pen Test Partners wrote in a blog post. “There is no physical unlock. The tube is locked onto a ring worn around the base of the genitals, making things inaccessible. An angle grinder or other suitable heavy tool would be required to cut the wearer free.”

In addition to the horror of having to use an angle grinder to cut off something attached to your genitals, Pen Test rightly points out that the location data potentially puts people living in countries with oppressive anti-sex laws at a legal risk. And it puts people everywhere at risk of blackmail.
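The defect class described above, an API endpoint that checks no credential and no ownership before acting on a device, is easiest to see next to a corrected version. The following is an added example written for this article, not Qiui's code nor anything from Pen Test Partners' write-up: a toy lock-control handler in plain Python (no web framework), with a "before" that trusts the client's device ID and an "after" that authenticates the caller, checks the device belongs to them, validates the input and returns no location data. The device records, user names and bearer tokens are constructed for the example.

```python
import copy
import hmac
from dataclasses import dataclass, field

# Constructed sample state: two users, one lock each, and two bearer tokens.
# In a real service tokens are issued at login and expire; these are fixed for the demo.
DEVICES = {
    "lock-001": {"owner": "alice", "locked": True, "location": "51.50,-0.12"},
    "lock-002": {"owner": "bob", "locked": True, "location": "43.65,-79.38"},
}
TOKENS = {"tok-alice-9f3c": "alice", "tok-bob-71e0": "bob"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query/body parameters and headers."""
    params: dict
    headers: dict = field(default_factory=dict)


def vulnerable_set_lock(req: Request, devices: dict):
    """Before: the endpoint trusts whatever device ID the client sends and
    checks no credential. Anyone who can reach the API can lock or unlock
    any device and read its last reported location."""
    dev = devices[req.params["device_id"]]
    dev["locked"] = req.params["locked"]          # no type check either
    return 200, {"device_id": req.params["device_id"],
                 "locked": dev["locked"], "location": dev["location"]}


def authenticate(req: Request, tokens: dict = TOKENS):
    """Map a bearer token to a user, or None. compare_digest keeps the
    comparison constant-time so a wrong token leaks nothing through timing."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    if not presented.isascii():                   # compare_digest needs ASCII str
        return None
    for token, user in tokens.items():
        if hmac.compare_digest(token, presented):
            return user
    return None


def hardened_set_lock(req: Request, devices: dict):
    """After: authenticate, then authorise (caller owns the device), then
    validate, and answer with only what the client needs."""
    user = authenticate(req)
    if user is None:
        return 401, {"error": "authentication required"}
    device_id = req.params.get("device_id")
    dev = devices.get(device_id)
    # 404 for both "no such device" and "not yours", so the API does not
    # confirm which device IDs exist to a caller who is guessing them.
    if dev is None or dev["owner"] != user:
        return 404, {"error": "not found"}
    locked = req.params.get("locked")
    if not isinstance(locked, bool):
        return 400, {"error": "locked must be true or false"}
    dev["locked"] = locked
    return 200, {"device_id": device_id, "locked": locked}


if __name__ == "__main__":
    state = copy.deepcopy(DEVICES)
    unauthenticated = Request({"device_id": "lock-002", "locked": True})
    # The old endpoint acts on Bob's lock and reveals his location to a caller with no token...
    print(vulnerable_set_lock(unauthenticated, state))
    # ...while the hardened one refuses before touching any device record.
    print(hardened_set_lock(unauthenticated, state))
```

The ownership check is the part most often missing even when a login is present: a token proves who is calling, not that the caller may touch the device ID they supplied, and the location field is simply never returned because the lock endpoint has no need for it.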

As someone who has been writing about teledildonics and sex tech for nearly a decade, I can attest to the fact that the earliest versions of these toys were largely not created with security or privacy in mind. To be perfectly frank, most of them were created by well-meaning sex-positive sex toy inventors, not techies. The focus was more “Wow, look at this fun thing this new tool lets us do!” And less on, “How do we make sure our users are protected and safe?”

Liz Klinger, CEO of the teledildonics company Lioness -- which scored a 5/5 on security in Mozilla’s *privacy not included report -- also points out that many of the early and current creators of haptic sex toys are manufacturers, not developers.

“A lot of companies that create smart sex toys, remote control — anything with another layer of tech added to it — tend to be manufacturers first and foremost,” Klinger says. “They know how to produce products, but they don’t have the software expertise. And that’s a huge problem when you’re working with anything that connects to the internet.”

But with the We-Vibe scandal four years ago — in which the popular company was sued for collecting very personal data and information without consent — as well as the increased focus on data privacy and security in recent years, the better quality IoT sex toys are making sure that security and privacy are a priority from “go.”

Lioness, for example, produces a biofeedback insertable vibrator that lets people visualize their orgasms in the form of a graph. The company has had a Chief Technical Officer (CTO) since they launched in 2013. As a result, they’ve built in extra security from day one. Step one: they collect the bare minimum of personal data from their users. 

“The less data you need, the better,” Klinger says. “Only have the data you need for the device to work. It’s kind of the opposite philosophy of Google or Facebook. They’re almost like hoarders who collect as much data as possible in case they need it at some point. But, really, it’s a liability -- for you and for your customers.” 

Then, the information Lioness does collect is not only encrypted and anonymized, it’s also stored in different places. As a result, if a cyber criminal did manage to get access to their data, all they would see was anonymized pelvic floor vibrations. “That’s a lot less interesting than, ‘John used this device in Toronto at 12:30 AM,’” Klinger says.
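Klinger's description of Lioness's approach (collect little, pseudonymise it, keep identity and readings apart) is a design pattern that can be shown concretely. The following is an added example and is not Lioness's code: identity data and sensor readings live in two separate stores, readings are filed under a keyed-hash pseudonym rather than the account, timestamps are coarsened to the day and no location is kept, so a copy of the telemetry store alone reads as anonymous readings. The user, e-mail address, readings and the pseudonym key are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed key for this example only. In a real deployment it lives in a
# secrets manager or HSM, never in the same store or backup as the telemetry.
PSEUDONYM_KEY = b"example-only-key-do-not-reuse-0123456789abcdef"


def pseudonym(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the account ID. Deterministic, so one user's sessions
    group together; not reversible without the key, so the telemetry store
    on its own cannot be joined back to a person."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


class IdentityStore:
    """Account data only (who the user is). Holds no readings."""

    def __init__(self):
        self._accounts = {}  # user_id -> {"email": ...}

    def register(self, user_id: str, email: str) -> None:
        self._accounts[user_id] = {"email": email}

    def exists(self, user_id: str) -> bool:
        return user_id in self._accounts


class TelemetryStore:
    """Sensor data only, keyed by pseudonym. No account ID, no e-mail,
    no location, and the time of use coarsened to the calendar day."""

    def __init__(self):
        self._sessions = {}  # pseudonym -> list of sessions

    def add(self, pseud: str, when: datetime, readings) -> None:
        self._sessions.setdefault(pseud, []).append(
            {"day": when.date().isoformat(), "readings": list(readings)})

    def dump(self) -> dict:
        return {p: list(s) for p, s in self._sessions.items()}


def record_session(user_id, when, readings, identity: IdentityStore, telemetry: TelemetryStore):
    """Store a session under the user's pseudonym; the account ID never reaches the telemetry store."""
    if not identity.exists(user_id):
        raise KeyError("unknown user")
    telemetry.add(pseudonym(user_id), when, readings)


def breach_view(telemetry: TelemetryStore) -> dict:
    """Everything an attacker who copies only the telemetry store gets."""
    return telemetry.dump()


def sessions_for_user(user_id: str, telemetry: TelemetryStore) -> list:
    """Legitimate read path: needs the pseudonym key, which the telemetry store does not hold."""
    return telemetry.dump().get(pseudonym(user_id), [])


def demo():
    """Constructed sample: one registered user, one session of pressure readings (arbitrary units)."""
    identity, telemetry = IdentityStore(), TelemetryStore()
    identity.register("user-42", "john@example.com")
    record_session("user-42", datetime(2020, 10, 18, 0, 30),
                   [3, 7, 12, 9, 4], identity, telemetry)
    return breach_view(telemetry), sessions_for_user("user-42", telemetry)


if __name__ == "__main__":
    leaked, mine = demo()
    print("attacker sees:", leaked)   # pseudonym, day and readings only
    print("user sees:", mine)
```

Strictly this is pseudonymisation rather than anonymisation: whoever holds both the key and the identity store can re-link the readings, which is why the key and the identity store are kept apart from the telemetry, and why destroying the key is a clean way to sever the link when an account is deleted.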

For people who are interested in exploring with an app-connected sex toy but are concerned about privacy, Klinger recommends first looking for a privacy policy that’s clear and explicit about what the company does and doesn’t do. Second, she suggests reaching out to the company and asking. If they don’t answer or they come back with an inadequate answer, then you probably shouldn’t buy from them.

Another good thing to look for with all IoT devices (because these issues don’t just affect sex toys) is whether or not they’re regularly publishing security patches. According to Martin Hron, senior researcher at Avast, it’s a bad sign if you don’t see them.

“If you find the vendor page and see it’s served over HTTP instead of HTTPS or you see that the page was updated two years ago, that’s usually a big red flag that something is not right and you should be avoiding this product,” Hron tells Avast. “Also, if you don’t see any support section for your particular product or there are no patches or updates or these are stale and old, you either found a ‘flawless device’ or you might be dealing with so-called abandonware. ‘Abandonware’ is a term for devices that are unsupported by the vendor and aren’t getting updates or patches because they’ve been replaced by newer models.”   

And Klinger has one final piece of advice: “For the love of God, do not purchase from AliExpress for a smart device. Companies that are based outside of North America and Europe don’t take privacy and security as seriously — it’s still a barrier for them to understand that it’s an important thing for customers here.”