Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things

from the masturbatory-metadata dept

At this point we’ve pretty well documented how the “internet of things” is a privacy and security dumpster fire. Whether it’s tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn’t be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard for user privacy, posing a potentially fatal threat to us all.

Unsurprisingly, the sex toy division of the internet of broken things is no exception to this rule. One “smart dildo” manufacturer was recently forced to shell out $3.75 million after it was caught collecting, err, “usage habits” of the company’s customers. According to the lawsuit, Standard Innovation’s We-Vibe vibrator collected sensitive data about customer usage, including “selected vibration settings,” the device’s battery life, and even the vibrator’s “temperature.” At no point did the company apparently think it was a good idea to clearly inform users of this data collection.

But security is also lacking elsewhere in the world of internet-connected sex toys. Alex Lomas of Pentest Partners recently took a look at the security of many internet-connected sex toys, and walked away arguably unimpressed. Using a Bluetooth “dongle” and antenna, Lomas drove around Berlin looking for openly accessible sex toys (he calls it “screwdriving,” a riff on wardriving). He subsequently found it’s relatively trivial to discover and hijack everything from vibrators to smart butt plugs, thanks to the way Bluetooth Low Energy (BLE) connectivity works: a BLE peripheral advertises itself to anyone in range, stops advertising only while a central device is connected to it, and, unless the firmware insists on authenticated pairing, lets the first central that connects write to its control characteristics:

“The only protection you have is that BLE devices will generally only pair with one device at a time, but range is limited and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication. I should say at this point that this is purely passive reconnaissance based on the BLE advertisements the device sends out; attempting to connect to the device and actually control it without consent is not something I or you should do. But now one could drive the Hush’s motor to full speed, and as long as the attacker remains connected over BLE and not the victim, there is no way they can stop the vibrations.”

Lomas found that hearing aids that also use BLE are similarly exposed, letting an attacker disrupt the devices with the same unauthenticated connection. He goes on to note that this could all be prevented by any number of improvements to these devices: a unique per-device PIN (BLE passkey pairing rather than the “Just Works” mode that needs no secret), a physical action such as a button push before the device will accept a new pairing, or lower transmit power to shrink the range an attacker can work from. The PIN only helps if it is actually unique; a default such as 0000 shared across a product line is no better than no PIN at all.
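The reconnaissance Lomas describes is purely passive: everything he needed came from advertising packets the toys broadcast on their own. The script below, an added example rather than code from the article or from Pentest Partners’ research, decodes a raw BLE legacy advertising PDU (2-byte header, little-endian 6-byte advertiser address, then length/type/payload “AD structures”) and reports what a listener learns without connecting: the address, whether the device is currently accepting connections, its advertised name, discoverability flags and service UUIDs. The two sample frames are constructed for the example; the name “Toy-01”, the addresses and the manufacturer ID 0x1234 are placeholders, while the PDU layout, AD type codes and the Battery Service UUID 0x180F are from the Bluetooth specification.

```python
# Added example: passive decoding of BLE advertising PDUs (not the article's code).
import struct
import uuid

PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x4: "SCAN_RSP", 0x6: "ADV_SCAN_IND"}
CONNECTABLE = {"ADV_IND", "ADV_DIRECT_IND"}
FLAG_BITS = {0x01: "LE Limited Discoverable", 0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported"}


def parse_ad_structures(adv_data):
    """Split AdvData into (AD type, payload) pairs.  Each structure is a
    length byte (counting the type byte plus payload) followed by the type."""
    structures = []
    i = 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:                      # zero length means padding: stop
            break
        end = i + 1 + length
        if end > len(adv_data):
            raise ValueError("truncated AD structure at offset %d" % i)
        structures.append((adv_data[i + 1], bytes(adv_data[i + 2:end])))
        i = end
    return structures


def parse_adv_pdu(pdu):
    """Decode a legacy advertising channel PDU: 2-byte header, 6-byte AdvA
    (little-endian), then AD structures.  Nothing here requires connecting."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for header and AdvA")
    hdr0, length = pdu[0], pdu[1]
    pdu_type = PDU_TYPES.get(hdr0 & 0x0F, "UNKNOWN")
    payload = pdu[2:2 + length]
    if len(payload) != length or length < 6:
        raise ValueError("PDU length field does not match payload")
    info = {
        "pdu_type": pdu_type,
        "connectable": pdu_type in CONNECTABLE,
        "address": ":".join("%02X" % b for b in payload[5::-1]),
        "address_type": "random" if hdr0 & 0x40 else "public",   # TxAdd bit
        "name": None, "flags": [], "services": [], "manufacturer_id": None,
    }
    if pdu_type == "ADV_DIRECT_IND":         # payload is AdvA + InitA, no AD data
        return info
    for ad_type, data in parse_ad_structures(payload[6:]):
        if ad_type == 0x01 and data:         # Flags
            info["flags"] = [n for bit, n in FLAG_BITS.items() if data[0] & bit]
        elif ad_type in (0x08, 0x09):        # Shortened / Complete Local Name
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type in (0x02, 0x03):        # 16-bit service UUIDs, little-endian
            info["services"] += ["0x%04X" % struct.unpack_from("<H", data, i)[0]
                                 for i in range(0, len(data) - 1, 2)]
        elif ad_type in (0x06, 0x07):        # 128-bit service UUIDs, little-endian
            info["services"] += [str(uuid.UUID(bytes=data[i:i + 16][::-1]))
                                 for i in range(0, len(data) - 15, 16)]
        elif ad_type == 0xFF and len(data) >= 2:   # Manufacturer Specific Data
            info["manufacturer_id"] = struct.unpack_from("<H", data)[0]
    return info


def exposed_devices(pdus):
    """Devices that would accept a connection from anyone in range right now.
    Connectable advertising is exactly the state a peripheral falls back into
    once its owner's phone is out of range or dead."""
    return [d for d in map(parse_adv_pdu, pdus) if d["connectable"]]


# Constructed sample frames (placeholder name, addresses and company ID).
SAMPLE_CONNECTABLE = bytes([
    0x40, 0x1B,                                 # ADV_IND, TxAdd=random, len 27
    0x55, 0x44, 0x33, 0x22, 0x11, 0xC0,         # AdvA = C0:11:22:33:44:55
    0x02, 0x01, 0x06,                           # Flags: general discoverable, LE only
    0x07, 0x09, 0x54, 0x6F, 0x79, 0x2D, 0x30, 0x31,   # Complete name "Toy-01"
    0x03, 0x03, 0x0F, 0x18,                     # 16-bit UUID 0x180F (Battery Service)
    0x05, 0xFF, 0x34, 0x12, 0x01, 0x02,         # Manufacturer 0x1234, data 01 02
])
SAMPLE_BEACON = bytes([                         # ADV_NONCONN_IND: visible, never connectable
    0x02, 0x09,
    0x55, 0x44, 0x33, 0x22, 0x11, 0x00,         # AdvA = 00:11:22:33:44:55
    0x02, 0x01, 0x04,
])

if __name__ == "__main__":
    for dev in exposed_devices([SAMPLE_CONNECTABLE, SAMPLE_BEACON]):
        print(dev)
```

Feeding real captures in (from a sniffer’s pcap, or the raw advertising reports an HCI controller hands up) is the “screwdriving” inventory step; the connectable flag is the one to watch, because a peripheral that is connectable and advertising is, by definition, not currently held by its owner’s phone.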

But as we’ve noted previously, a big part of the security and privacy apathy coming from router and IoT device makers is due to the fact that nobody in these supply chains has the financial incentive to try very hard (if at all), so most will be off hyping the next iteration of their magical, intelligent butt plug instead of shoring up the problems with the last generation.



Comments on “Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things”

That Anonymous Coward (profile) says:

The really sad thing is the hearing aids, his dad’s, cost several thousand dollars… had no security.
You could make them hear things, edit the world, screw up the settings…and then you have to go back to a trained person to have them reset for a nice fee.

There are all of these hidden features & abilities, just an unprotected connection away.

I’d say we need to demand better, but people will keep buying these things because they need them. The market is controlled by a few players who have no interest in a 5 cent reduction in profits to do even basic security.

Marilyn Weate (profile) says:

Re: Bluetooth unsecured IOT

I have been a victim of hearing device hacking. My remote control unit has a hacker’s first choice for a password. However, I was determined enough to bring several of the hackers to justice. But I had to be bloody-minded to get my ISP to take me seriously, but the police did take action when I gave them evidence + articles about BT hacking and medical device hacking. And I paid $6000 + a government subsidy for the privilege of being repeatedly hacked. Most people believe the BS about “discovery mode” etc. Forget firewalls. Even with VPN they can hack at the device level, rendering VPN useless. You can be hacked simply by turning a BT device on. Android has a Bluetooth firewall and wireless killer which help a bit in showing hacking.

I know the police and ISP took action, as I had given them free access to all my devices, and I saw their connection on my computer. Shortly afterwards several of the hackers moved out of the area, possibly due to fines or injunctions. Hacking and interfering with medical devices is a crime after all.

They did not damage the programs on the RCU but used it to do DoS attacks on devices with Bluetooth or attached BT transmitters.

Now, most hearing aids have bluetooth.

That Anonymous Coward (profile) says:

Re: So how does one test bluetooth security on a hearing aid?

Do you have a 2nd device with Bluetooth?
Did you have to enter a key to pair your phone to the hearing aid? (something other than 0000)

IIRC when I scanned the researchers page I saw an app being used that listed possible BT connections in the area & if they could connect.

Discuss It (profile) says:

Not just sex toys

I was playing around with an SDR and discovered that I could download quite a lot of information from my pacemaker. Since I’m not suicidal, I didn’t try to change anything, but I have (opinion here folks) little confidence that the security to change settings is any more secure than to download everything (e.g., no security at all).

The frustrating things are:
1. I researched the model of pacemaker before it was implanted and rejected two options because they were known to be lacking in security.
2. If I want to have another, more secure pacemaker implanted, it would appear that it will not be covered by my medical insurance since my current one has a battery life of 11 more years. Just for giggles, let me tell you that just the wires used (2 or 3, depending) cost $5,000.00 each. Think about that. Less than 1 meter of copper wire, collect $5,000.00. Sucks to be me. The device itself runs around $80,000.00 USD.

I don’t know about you, but there are only so many moderately priced houses I can buy. In 2015, I paid out of pocket $110,000.00, in 2016, I paid out of pocket $102,000.00, and in 2017 to date I’ve paid out of pocket $77,500.00. And I have pretty good insurance, and I don’t have complex or rare medical conditions.

Rekrul says:

Re: Not just sex toys

Just for giggles, let me tell you that just the wires used (2 or 3, depending) cost $5,000.00 each. Think about that. Less than 1 meter of copper wire, collect $5,000.00. Sucks to be me. The device itself runs around $80,000.00 USD.

Everything is more expensive in the medical industry. $10 bandaids, $5 cotton swabs, etc.

That Anonymous Coward (profile) says:

Re: WTF?

You name it, there is a fetish for it.

Being able to press a button on your phone & your partner then has to deal with the toy doing things while out in public.

Being away & adding that extra little bit to your sexting.

We live in a society where there are people who get off on being “Cash Slaves” to Masters who belittle them & demand cash. Anything is possible.

Roger Strong (profile) says:

He subsequently found it’s relatively trivial to discover and hijack everything from vibrators to smart butt plugs…

Which means that the NSA has been doing it for years.

…and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication.

"A communications disruption can only mean one thing… Invasion."

Daydream says:

I have one very important question:

Could an unsecured device be used as an attack vector by malicious software?

Like, could a virus in your fridge transfer itself to your computer? Could malware be hidden amongst the information collected by dildos?

Could someone compromise your ‘smart toys’ and turn them into zombies (computer-science-wise, not zombie-zombies) to spread more malware and gain access to all kinds of information? Or just hold the world ransom?

That Anonymous Coward (profile) says:

Re: I have one very important question:

It depends on what corners they cut.

Look at flash drives, everyone has them now. Very few people know (read the stories here & be scared) that the drive programming takes a tiny part of the available chip that runs it. You can add more code to this chip’s firmware & it can do all sorts of horrible things. It doesn’t have to carry a payload itself, it can just ping a server to get it. It’s not hard to figure out what OS you are invading once you own the machine, and request the right code to complete compromising it.

People find “lost” flash drives and the next thing they do is plug it in to locate the owner & then your airgapped centrifuges are running funny and exploding.

I saw a tweet from someone who had a North Korean made flash drive & wondered how to test it without compromising their machine, people liked my suggestion of drop it in a parking lot.

Daydream says:

Re: Re: I have one very important question:

So, like, instead of going to the trouble of manufacturing or commissioning custom hardware and a unique OS limited to the tasks it’s supposed to perform, companies just buy common computer bits and program them to do the stuff they want.

With the side effect that the general-purpose computers that they use have all the same vulnerabilities of normal computers, moreso since they likely aren’t running up-to-date antiviral software.

And that in turn means that sneaky malware can stay on it for ages and ages, updating to the latest viruses, keeping an eye on incoming and outgoing information until it can spread someplace important, like the computer you use for your banking.

Have I got the right idea?

Anonymous Coward says:

Re: Re: Re: I have one very important question:

Generally, yes, that can happen. In many cases, there may not be an anti-virus for the platform at all.

Sadly, the best security comes from the company cutting so many corners that the device doesn’t have the capacity to run capable malware (exotic CPU that nobody codes for, or insufficient RAM to hold the payload, or insufficient storage to retain the payload once fetched, or such a pathetically slow downlink that it can’t download much malware per second, etc.). As functionality for Systems-on-Chip increases, that pseudo-security will become less effective. It’s probably already ineffective. Given the advertised functionality of these vulnerable devices, they must be relatively capable general systems already. I expect the only major limitation holding back mass infection is that the operating system running on the device is exotic enough that attackers need malware customized to the vendor, if not to the individual product line, rather than using a one-size-infects-all as works for Windows, where a Windows/x86 virus can be written to work properly on Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10 — and to run on both x86 and x64 variants of the platforms that have both. Smart devices don’t have that level of portability yet, and might not gain it since there’s no great benefit to the vendor to having it.

Rekrul says:

Re: Re: I have one very important question:

Look at flash drives, everyone has them now. Very few people know (read the stories here & be scared) that the drive programming takes a tiny part of the available chip that runs it. You can add more code to this chip’s firmware & it can do all sorts of horrible things.

So does that mean that there is software available to change the code and/or examine what’s there already?

Seems like if there’s a way to change that code, there should be a way to block it from running until it’s been checked to make sure there’s nothing extra in it.

Anonymous Anonymous Coward (profile) says:


This is a disturbing thought, yet it occurs to me that someone using a smart butt plug during some critical meeting that gets some kind of ‘jolt’ during a presentation might actually change the course of that meeting.

Why would anyone want to be using a smart butt plug at work? Or anywhere else?

A better question might by why would anyone want to be using any ‘smart’ sex toy, or for that matter any ‘smart’ anything?

Someday, hopefully soon, consumers will begin to understand that anything that has any connectivity that is not in their direct control is a problem. That such connectivity is not clearly and loudly and explicitly announced prior to purchase, along with a scathingly detailed explanation of the potential consequences, without explicit customer approval prior to sale will be illegal (regardless of country of origin). Sex toys notwithstanding, but encompassing your new toaster as well.

Anonymous Anonymous Coward (profile) says:

Re: Re: NSFW

There is a difference if one proactively makes that connection and when that connection is made by default and surreptitiously, as in not clearly announced, with all the gory details of the possible outcomes of that connection, in advance, and before opening the package or (ahem) installing the item. One is disturbing, the other should be illegal.

There is no problem in my mind if someone (else) wishes to put their sexual activities on line, but it should be an opt in, with plenty of what could be done with such a connection and the resultant expression, prior to allowing such a connection. And, no downgrade of the product if the option is opted to not connect.

There is no instance of some device actually needing an Internet connection to work, unless it is designed to require an Internet connection, then one really needs to ask why, and there are very few instances where the answer to that is reasonable. At least to me.

This idea should not be limited to sex toys, but to every ‘IoT’ device. Devices should not connect to the Internet unless there is a non-data collection reason to do so, without regimental prior disclosure of what is being collected and with whom it is being shared primarily and secondarily and etc..

Anonymous Anonymous Coward (profile) says:

Re: Re: NSFW

OK, so tell us why your toaster, or refrigerator, or butt plug might need remote control, without significant disclosure and opt in? That significant disclosure should include whether your employer or significant other might have access to the information? It just might be that one would like the ‘experience’ without others actually knowing about it. Though, I would not want to be a witness. I cannot imagine why one would want to tell anyone else how much milk they buy, or how dark they like their toast, or if they like a ‘surge’ during meetings at work.

Bluetooth, for me, is a problem. For others it is an assistance. For both, it really requires significant disclosure and that is, to date, not forthcoming.

I use an app on Android to read books. It wants access to stuff. It does not need access to stuff. I don’t like that it needs access to stuff. I still use it because it is easy to use, and it does what I want. I still don’t like that it wants access to stuff, and I am not able to eliminate its access to stuff and still use it. Does the developer make money off whatever it collects? Maybe. But I am dreary enough that what they learn is of little consequence to me. I still don’t like it, and would opt out if it was available.

Anonymous Anonymous Coward (profile) says:

Re: Re:

I don’t know about most common, but it has certainly been useful, as in about 189 times. But compared to the number of articles published, it might seem a small percentage.

Then again, just how relevant was the term, in each of its uses?

Your ability to attack is mitigated by how much you are believed, as well as how much your attacks assert something relevant.

Anonymous Coward says:

What if I do not want appliances that connect to the internet? Will I still be able to purchase a fridge that simply keeps food cold? Will I be able to brew a cup without having to watch an ad first? Some might say, “just don’t use that function” – well, why should I pay for it then. It’s already to the point where you can not purchase a vehicle without all those bells and whistles, all I want is transportation – I do not need to be entertained during the entire experience.

Personanongrata says:

Truth is Stranger than Fiction*

Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things

Who are these people buying sex toys connected to the intertubes?

Have they lost their minds?

“Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn’t.”
~ Mark Twain, Following the Equator: A Journey Around the World*
