Just because almost any device or appliance can be connected to the internet doesn't mean it should. Failures can make these "smart" devices unusable, and many use weak security that makes them easily hackable.
And, as security researchers recently discovered, the consequences of a serious vulnerability in a popular sex toy could have been catastrophic to tens of thousands of users.
According to UK-based security company Pen Test Partners, the flaw in Qiui's Cellmate internet-connected chastity lock, dubbed the "world's first app-controlled chastity belt", could have enabled anyone to remotely and permanently lock the user's penis.
The Cellmate chastity lock lets a trusted partner remotely lock and unlock the chamber from a mobile app over Bluetooth. The app communicates with the lock via an API. However, this API was left open with no password, so anyone could take complete control of a user's device.
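The failure the article describes is an API that acts on any device id it is handed, with no check of who is calling. The following added example (not code from the article, Pen Test Partners, or Qiui, and with constructed device records and tokens) contrasts that pattern with a handler that authenticates the caller, enforces per-device authorization, and applies an assumed safety rule under which the wearer can always unlock their own device:

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass


@dataclass
class Device:
    owner: str       # the wearer
    keyholder: str   # the trusted partner allowed to lock
    locked: bool = False


# Constructed sample state standing in for a vendor backend (assumption, not Qiui's data).
DEVICES = {
    "dev-1": Device(owner="alice", keyholder="bob"),
    "dev-2": Device(owner="carol", keyholder="dan"),
}
# Constructed bearer tokens mapped to users; a real service would issue them at login and store hashes.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol", "tok-dan": "dan"}


def unauthenticated_set_lock(device_id: str, locked: bool) -> tuple[int, bool | None]:
    """The pattern the article describes: the endpoint trusts whoever supplies a device id."""
    dev = DEVICES.get(device_id)
    if dev is None:
        return 404, None
    dev.locked = locked
    return 200, dev.locked


def authenticate(token: str) -> str | None:
    """Resolve a bearer token to a user; constant-time comparison avoids a timing side channel."""
    for known, user in TOKENS.items():
        if hmac.compare_digest(token.encode(), known.encode()):
            return user
    return None


def hardened_set_lock(token: str, device_id: str, locked: bool) -> tuple[int, bool | None]:
    """Authentication, then per-device authorization, then a safety rule.

    Assumed policy (this example's design, not the vendor's): the keyholder may lock or
    unlock; the wearer may always unlock their own device, which serves as the emergency
    override the article says the product lacked.
    """
    user = authenticate(token)
    if user is None:
        return 401, None          # no valid credential presented
    dev = DEVICES.get(device_id)
    if dev is None:
        return 404, None
    if user not in (dev.owner, dev.keyholder):
        return 403, None          # object-level authorization: not this caller's device
    if locked and user != dev.keyholder:
        return 403, None          # only the keyholder may lock; the wearer may only unlock
    dev.locked = locked
    return 200, dev.locked


if __name__ == "__main__":
    print(unauthenticated_set_lock("dev-1", True))        # (200, True): anyone can lock
    print(hardened_set_lock("tok-dan", "dev-1", True))    # (403, None): dan has no rights on dev-1
    print(hardened_set_lock("tok-bob", "dev-1", True))    # (200, True): the keyholder locks
    print(hardened_set_lock("tok-alice", "dev-1", False)) # (200, False): the wearer's override
```

The two checks are distinct: authentication establishes who is calling, and the per-device check prevents an authenticated user from operating someone else's device, which is the broken-object-level-authorization case an open API invites. A production service would also rate-limit the endpoint and return the same status for unknown and unauthorized device ids so that valid ids cannot be enumerated.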
Because the chamber was designed to be locked under the user's penis with a metal ring, the researchers said a wearer might need a heavy-duty bolt cutter or angle grinder to get free.
Alex Lomas, a researcher at Pen Test Partners, said in a blog post that an attacker could very quickly "lock anyone in or out". "There is also no emergency override feature. So when you are locked up there is no way out," he wrote.
The unsecured API also made it possible to access the private messages and exact location through the user's app.
theinformationsuperhighway first learned of the vulnerability in June. The researchers contacted Qiui, based in China, about the flawed API. Taking the vulnerable API offline would have locked in anyone using the device. The developer released a new API for new users, but left the unsecured API in place for existing users.
Qiui CEO Jake Guo told theinformationsuperhighway that a resolution would arrive in August, but that deadline came and went. "We're a cellar team," he said. In a follow-up email explaining the risks to users, Guo said, "If we fix the problem, more problems will arise."
In the end, Qiui missed the three self-imposed deadlines to fix the vulnerable API, Lomas said.
The decision to go public was made after Pen Test Partners learned of a separate security issue from another researcher who also found it difficult to get a response from Qiui. "This confirmed our decision to publish: it was clear that others were likely to find these issues independent of us, so the public interest case was brought up in our minds," Lomas wrote.
It is unknown if anyone maliciously exploited the vulnerable API. Several user reviews of the app complained that the app had bugs that caused the device to stay locked.
"The app stops working after three days and I'm stuck!" said one user. Another said they "have already gotten stuck twice while wearing because of the unreliable app".
"It worked for about a month before I almost got stuck in it. Luckily it unlocked by chance and I was able to leave it. The device left a bad scar that took almost a month to restore," said another review.
Qiui joins a long list of sex toys with safety issues that simply do not exist on devices without an internet connection. In 2016, researchers said that a bug in a Bluetooth-powered panty buster allowed anyone to remotely control the sex toy over the internet. In 2017, a manufacturer of smart sex toys settled a lawsuit after it was accused of collecting and recording "very intimate and sensitive information" from its users.
Practice safe sex; do not use a smart device.