Deep Dives Level Up Newsletters Saved Articles Challenges

How a security flaw almost caged men in chastity belts

By Malavika Pradeep

Jan 12, 2021

COPY URL

We claim to live in an era of revolutionised sex tech. One where metal rings and a piece of polycarbonate can spruce up sex lives. One where you can have keyless access to your partner’s chastity. And, apparently, one where anyone else on the internet can also have access to your partner’s chastity.

UK-based security firm Pen Trust Partners recently unearthed this major flaw with CELLMATE, a chastity cage created by the Chinese company QIUI. Dubbed the “world’s first app-controlled chastity device,” the sex toy relies on its Bluetooth function in order to allow a trusted partner to remotely control the lock via the QIUI app.

 

Voir cette publication sur Instagram

 

Une publication partagée par House of Denial (@houseofdenialuk)

The chastity belt’s app communicates with its lock using an Application Programming Interface (API). But recently, a string of API flaws was discovered by the Pen Test Partners researchers which left individual devices vulnerable to hacking without a secure password. This essentially meant that anyone on the internet could remotely lock all devices and prevent users from releasing themselves.

Although I can imagine that the possibility of getting stuck in one of those chastity cages is also part of the thrill, the intervention of a heavy-duty bolt cutter or angle grinder in close proximity to the users’ sensitive area to free them from permanent lock-in must have been unnerving, to say the least. The only other way, as discovered by Pen Test Partners, is to overload the circuit board that controls the lock’s motor with three volts of electricity. The unsecured API further leaked precise user location data along with private chats and other personal information including names and phone numbers.

News of the security flaw was first reported by Pen Test Partners to QIUI in April 2020. After receiving an initial assurance, QIUI deployed an updated version of the app on the App Store and Google Play with lock requests being forced to authenticate. However, the new API was pushed out only for new users, leaving the old, unsecured API on existing users’ devices. According to TechCrunch, QIUI couldn’t take the vulnerable API offline as it would have locked in anyone who was already using the device.

After missing three self-imposed deadlines to fix the vulnerability, QIUI remained unresponsive to several other researchers who learned of the flaw. Pen Test Partners later decided to go public with the news via a blog post.

To date, it is unknown if anyone has maliciously exploited the vulnerable API. However, this particular flaw seems to be the least of CELLMATE’s concerns. Several user reviews state that the app stops working at random, even without hackers having a say in this, causing the device to stay locked. “The app stopped working completely after three days and I am stuck!” writes one user. Another states that they “got stuck twice already when wearing it due to the unreliable app.” A one-star reviewer even complained: “It worked for about a month until I almost got stuck in it. The device left a bad scar that took nearly a month of recovery.”

A variety of teledildonic (Bluetooth-enabled) adult toys are cropping up, each one promising something different from the last. However, the security of these devices is often compromised as their makers focus their efforts mainly on making them ‘immersive’. Similar security flaws have been discovered in the past with such internet-enabled sex toys. Some have even let hackers potentially hijack live-streaming footage from a dildo and take control of Bluetooth-enabled butt plugs.

TechCrunch states that these security problems don’t exist in non-internet-connected devices. The latest discovery indicates that the creators of such smart gadgets still have lessons to learn and suggests undertaking intensive research before purchasing one, especially when it comes to using these devices more intimately.

After all, QIUI markets the CELLMATE Chastity Cage as “a true chastity experience that keeps the wearer away from control over their own device,” with the tagline “Love Hurts.” Perhaps, in this case, loves hurts more than initially expected? It’s all about perspective…