Deep Dives Level Up Newsletters Saved Articles Challenges

How a security flaw almost caged men in chastity belts

By Malavika Pradeep

Jan 12, 2021

COPY URL

We claim to live in an era of revolutionised sex tech. One where metal rings and a piece of polycarbonate can spruce up sex lives. One where you can have keyless access to your partner’s chastity. And, apparently, one where anyone else on the internet can also have access to your partner’s chastity.

UK-based security firm Pen Trust Partners recently unearthed this major flaw with CELLMATE, a chastity cage created by the Chinese company QIUI. Dubbed the “world’s first app-controlled chastity device,” the sex toy relies on its Bluetooth function in order to allow a trusted partner to remotely control the lock via the QIUI app.

 

Voir cette publication sur Instagram

 

Une publication partagée par House of Denial (@houseofdenialuk)

The chastity belt’s app communicates with its lock using an Application Programming Interface (API). But recently, a string of API flaws was discovered by the Pen Test Partners researchers which left individual devices vulnerable to hacking without a secure password. This essentially meant that anyone on the internet could remotely lock all devices and prevent users from releasing themselves.

Although I can imagine that the possibility of getting stuck in one of those chastity cages is also part of the thrill, the intervention of a heavy-duty bolt cutter or angle grinder in close proximity to the users’ sensitive area to free them from permanent lock-in must have been unnerving, to say the least. The only other way, as discovered by Pen Test Partners, is to overload the circuit board that controls the lock’s motor with three volts of electricity. The unsecured API further leaked precise user location data along with private chats and other personal information including names and phone numbers.

News of the security flaw was first reported by Pen Test Partners to QIUI in April 2020. After receiving an initial assurance, QIUI deployed an updated version of the app on the App Store and Google Play with lock requests being forced to authenticate. However, the new API was pushed out only for new users, leaving the old, unsecured API on existing users’ devices. According to TechCrunch, QIUI couldn’t take the vulnerable API offline as it would have locked in anyone who was already using the device.

After missing three self-imposed deadlines to fix the vulnerability, QIUI remained unresponsive to several other researchers who learned of the flaw. Pen Test Partners later decided to go public with the news via a blog post.

To date, it is unknown if anyone has maliciously exploited the vulnerable API. However, this particular flaw seems to be the least of CELLMATE’s concerns. Several user reviews state that the app stops working at random, even without hackers having a say in this, causing the device to stay locked. “The app stopped working completely after three days and I am stuck!” writes one user. Another states that they “got stuck twice already when wearing it due to the unreliable app.” A one-star reviewer even complained: “It worked for about a month until I almost got stuck in it. The device left a bad scar that took nearly a month of recovery.”

A variety of teledildonic (Bluetooth-enabled) adult toys are cropping up, each one promising something different from the last. However, the security of these devices is often compromised as their makers focus their efforts mainly on making them ‘immersive’. Similar security flaws have been discovered in the past with such internet-enabled sex toys. Some have even let hackers potentially hijack live-streaming footage from a dildo and take control of Bluetooth-enabled butt plugs.

TechCrunch states that these security problems don’t exist in non-internet-connected devices. The latest discovery indicates that the creators of such smart gadgets still have lessons to learn and suggests undertaking intensive research before purchasing one, especially when it comes to using these devices more intimately.

After all, QIUI markets the CELLMATE Chastity Cage as “a true chastity experience that keeps the wearer away from control over their own device,” with the tagline “Love Hurts.” Perhaps, in this case, loves hurts more than initially expected? It’s all about perspective…

How a security flaw almost caged men in chastity belts


By Malavika Pradeep

Jan 12, 2021

COPY URL


As sex toys continue to get hacked, the definition of sexual assault is under question

By Alma Fabiani

Sep 4, 2019

COPY URL

The rise of the teledildonics industry, also known as connected sexual pleasure products, creates new fun ways for us to pleasure ourselves and our partners, with inventions such as vibrating Wi-Fi-enabled butt plugs and webcam-connected dildos. But teledildonics, just like everything else in our modern age it seems, are another privacy nightmare ridden with security flaws. Since 2018, there have been a number of reported hacked sex toys, and the most recent case makes me wonder: should we go back to good old non-connected sex toys just to avoid them getting hacked mid-sesh?

Privacy counts across all aspects of life, especially as we live surrounded by and depending on technology. That’s why, when it comes to smart sex toys, our privacy should count even more. According to Mozilla, an internet-connected device (sex toys included) has five minimum security standards: it must use encrypted communications, have automatic security updates, require a strong password, have a system in place for vulnerability management, and, finally, have a privacy policy that is easily accessible. I don’t know about you, but I’ve personally never checked for these five conditions in a sex toy before.

Evidently, I’m not the only one. Most recently, a woman had her butt plug hacked and controlled while she was presenting on stage. It later turned out to be a stunt designed to demonstrate to the audience just how susceptible these devices are to getting hacked. This incident sparked a frenzy as people feared it would happen to them. Not only would having your vibrator hacked be very strange, but it would also be done without your consent—just like the data-collection techniques that are used by Facebook, Alexa, and most technologies.

Marloes-Haarmans

In 2017, a man called Alex Lomas walked around Berlin and had to use only his phone in order to pull up a list of Bluetooth discoverable Lovense Hush butt plugs, ready to be hacked, just to manifest how easy it was. Last year, SEC Consultants looked at sex toys from Vibratissimo and demonstrated how they could be broken into by hackers not only to “remotely pleasure” people, but also to access owners’ account details. Even more worrying, a Wi-Fi-connected dildo’s internal camera was found to be easily accessible.

What can be said about hacking sex toys and consent laws? Because these are quite uncharted territories, we don’t know just yet what to do when someone hacks a sex toy or its data. In some countries, such as the U.S., laws that define what constitutes sexual harassment or assault vary from state to state. In many countries, the law is still vague about the definition of assault and sexual harassment. In the U.K., sexual harassment is defined as: “unwanted behaviour of a sexual nature which violates your dignity, makes you feel intimidated, degraded or humiliated, and creates a hostile or offensive environment.” The lack of precision surrounding sexual harassment and assault laws prevents us from taking concrete action in the event of a sex-toy hack. Worse yet, we don’t even know whether our data can be hacked into and stolen in the first place.

While the aim of this article isn’t to inspire anxiety and ignite a global wanking paranoia, it should force you to sit back and ask yourself, “What are the privacy implications of using a Bluetooth-connected sex toy?” Last time we ignored such concerns we ended up with the Cambridge Analytica scandal, Trump as the President of the U.S., and a moronic Brexit. Even though hacking sex toys isn’t yet defined as assault or sexual harassment, it may very well be regarded so once lawmakers start tackling the issue. In the meantime, maybe it’s worth dusting off the old non-connected sex toy hidden under your bed and relieve the stress with some alone time, if you know what I mean.

As sex toys continue to get hacked, the definition of sexual assault is under question


By Alma Fabiani

Sep 4, 2019

COPY URL