Hackers recognize no limits when it comes to carrying out a targeted attack, be it on a mega corporation or a healthcare facility. From an incandescent lamp to a smart refrigerator, every kind of connected device has components that someone has compromised. Sex toys are not exempt from this wave of cybercrime, which increased with the coronavirus pandemic.
These devices offer functionality that was once unthinkable and allow couples to “keep their flame burning, together or apart”, as their creators often say when promoting them. In many cases they work through a specific app that connects to the device via Bluetooth.
Recently, a security flaw discovered in an internet-connected male chastity device was found to allow a cybercriminal to lock it permanently.
Cellmate, from the Qiui company, is a sex toy that is considered to be the “world’s first app-controlled chastity device.”
According to the British security company Pen Test Partners, the flaw would allow anyone to remotely lock this device.
Cellmate allows one person to lock and unlock another user’s device remotely via Bluetooth and via a mobile app, which communicates with the device using an API.
As a wearable device, like health-tracking smart watches, it uses the Bluetooth Low Energy protocol, which is common among IoT equipment.
However, the manufacturer left that API open, with no password, allowing anyone to completely take control of any user’s device, according to TechCrunch.
“In any of the phases, the cybercriminal could intrude or interrupt the process to steal data or take control of this device”, says specialist Denise Giusto Bilic from ESET.
Giusto Bilic adds: “These teams publish constant information that could have serious consequences in the hands of criminals. The data ranges from the mode and time of use to even measuring the temperature.”
The Cellmate product is offered on Amazon. It costs $189.
For his part, Pen Test Partners researcher Alex Lomas indicated that a hacker can lock devices very quickly and stressed that there is no emergency function for unlocking the device, so if it is locked “there is no way out”.
“There is also no emergency override feature, so if you are locked up there is no way out”, he wrote.
Likewise, the company has indicated that the API also allowed access to private messages and the location of the application's users.
Asked by TechCrunch, Qiui CEO Jake Guo said that a solution would be available in August, but the new version that would patch the application never made it to Google Play or the App Store. “We are a basement team”, he had told them.
In another follow-up email about the risk to Cellmate users that a hacker could remotely lock the device, Guo said, “When we fix it, it creates more problems.”
In the end, Qiui did not meet the three self-imposed deadlines to repair the vulnerable API, Alex Lomas said.
Qiui's device is part of a long list of internet-connected sex toys with security problems.
In 2016, researchers said that a bug in an “erotic lingerie” connected via Bluetooth allowed anyone to remotely control the sex toy over the Internet.
The following year, the Canadian manufacturer We-Vibe had to pay 3.75 million dollars in a lawsuit after being accused of collecting and recording “very intimate and sensitive data” of its users.