Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things
from the masturbatory-metadata dept
At this point we've pretty well documented how the "internet of things" is a privacy and security dumpster fire. Whether it's tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn't be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard to user privacy -- posing a potentially fatal threat to us all.
Unsurprisingly, the sex toy division of the internet of broken things is no exception to this rule. One "smart dildo" manufacturer was recently forced to shell out $3.75 million after it was caught collecting, err, "usage habits" of the company's customers. According to the lawsuit, Standard Innovation's We-Vibe vibrator collected sensitive data about customer usage, including "selected vibration settings," the device's battery life, and even the vibrator's "temperature." At no point did the company apparently think it was a good idea to clearly inform users of this data collection.
But security is also lacking elsewhere in the world of internet-connected sex toys. Alex Lomas of Pentest Partners recently took a look at the security in many internet-connected sex toys, and walked away arguably unimpressed. Using a Bluetooth "dongle" and antenna, Lomas drove around Berlin looking for openly accessible sex toys (he calls it "screwdriving," in a riff off of wardriving). He subsequently found it's relatively trivial to discover and hijack everything from vibrators to smart butt plugs -- thanks to the way Bluetooth Low Energy (BLE) connectivity works:
"The only protection you have is that BLE devices will generally only pair with one device at a time, but range is limited and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication. I should say at this point that this is purely passive reconnaissance based on the BLE advertisements the device sends out – attempting to connect to the device and actually control it without consent is not something I or you should do. But now one could drive the Hush’s motor to full speed, and as long as the attacker remains connected over BLE and not the victim, there is no way they can stop the vibrations."
Lomas found that hearing aids that also use the BLE standard are similarly vulnerable, letting an attacker easily disrupt functionality of the devices. He proceeds to note that this could all be prevented via any number of improvements to these devices, including usage of a unique PIN, the need for local physical interaction (like a button push) to connect, or lowering the Bluetooth signal strength.
But as we've noted previously, a big part of the security and privacy apathy coming from router and IOT device makers is due to the fact that nobody in these supply chains has the financial incentive to try very hard (if at all), so most will be off hyping the next iteration of their magical, intelligent butt plug -- instead of shoring up the problems with the last generation.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, iot, security, sex toys
Reader Comments
Subscribe: RSS
View by: Time | Thread
You could make them hear things, edit the world, screw up the settings...and then you have to go back to a trained person to have them reset for a nice fee.
There are all of these hidden features & abilities, just an unprotected connection away.
I'd say we need to demand better, but people will keep buying these things because they need them. The market is controlled by a few players who have no interest in a 5 cent reduction in profits to do even basic security.
[ link to this | view in thread ]
So how does one test bluetooth security on a hearing aid?
I'd like to check out my gadget BEFORE some "prankster" blows out the only working ear I've got.
Thanks in advance.
[ link to this | view in thread ]
Not just sex toys
The frustrating things are:
1. I researched the model of pacemaker before it was implanted and rejected two options because they were known to be lacking in security.
2. If I want to have another, more secure pacemaker implanted, it would appear that it will not be covered by my medical insurance since my current one has a battery life of 11 more years. Just for giggles, let me tell you that just the wires used (2 or 3, depending) cost $5,000.00 each. Think about that. Less than 1 meter of copper wire, collect $5,000.00. Sucks to be me. The device itself runs around $80,000.00 USD.
I don't know about you, but there are only so many moderately priced houses I can buy. In 2015, I paid out of pocket $110,000.00, in 2016, I paid out of pocket $102,000.00, and in 2017 to date I've paid out of pocket $77,500.00. And I have pretty good insurance, and I don't have complex or rare medical conditions.
[ link to this | view in thread ]
Screwdriving...
[ link to this | view in thread ]
term of the year
Saw this story elsewhere, and one of the comments was "now I can run around my office turning on butt plugs to see who twitches".
Which at least had me on keyboard alert.
[ link to this | view in thread ]
WTF?
[ link to this | view in thread ]
Which means that the NSA has been doing it for years.
"A communications disruption can only mean one thing... Invasion."
[ link to this | view in thread ]
I'm trying to recall whether AT&T's You Will commercials mentioned internet-connected butt plugs.
Because that sounds more like a Comcast sort of thing.
[ link to this | view in thread ]
I have one very important question:
Like, could a virus in your fridge transfer itself to your computer? Could malware be hidden amongst the information collected by dildos?
Could someone compromise your 'smart toys' and turn them into zombies (computer-science-wise, not zombie-zombies) to spread more malware and gain access to all kinds of information? Or just hold the world ransom?
[ link to this | view in thread ]
NSFW
Why would anyone want to be using a smart butt plug at work? Or anywhere else?
A better question might by why would anyone want to be using any 'smart' sex toy, or for that matter any 'smart' anything?
Someday, hopefully soon, consumers will begin to understand that anything that has any connectivity that is not in their direct control is a problem. That such connectivity is not clearly and loudly and explicitly announced prior to purchase, along with a scathingly detailed explanation of the potential consequences, without explicit customer approval prior to sale will be illegal (regardless of country of origin). Sex toys not withstanding, but encompassing your new toaster as well.
[ link to this | view in thread ]
Re: NSFW
[ link to this | view in thread ]
Re: Screwdriving...
[ link to this | view in thread ]
Re: Re: NSFW
There is no problem in my mind if someone (else) wishes to put their sexual activities on line, but it should be an opt in, with plenty of what could be done with such a connection and the resultant expression, prior to allowing such a connection. And, no downgrade of the product if the option is opted to not connect.
There is no instance of some device actually needing an Internet connection to work, unless it is designed to require an Internet connection, then one really needs to ask why, and there are very few instances where the answer to that is reasonable. At least to me.
This idea should not be limited to sex toys, but to every 'IoT' device. Devices should not connect to the Internet unless there is a non-data collection reason to do so, without regimental prior disclosure of what is being collected and with whom it is being shared primarily and secondarily and etc..
[ link to this | view in thread ]
Re: NSFW
A better question might by why would anyone want to be using any 'smart' sex toy, or for that matter any 'smart' anything?
BDSM culture.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: NSFW
[ link to this | view in thread ]
Re:
I don't know about most common, but it has certainly been useful, as in about 189 times. But compared to the number of articles published, it might seem a small percentage.
Then again, just how relevant was the term, in each of its uses?
Your ability to attack is mitigated by how much you are believed, as well as how much your attacks assert something relevant.
[ link to this | view in thread ]
Re: So how does one test bluetooth security on a hearing aid?
Did you have to enter a key to pair your phone to the hearing aid? (something other than 0000)
IIRC when I scanned the researchers page I saw an app being used that listed possible BT connections in the area & if they could connect.
[ link to this | view in thread ]
Re: WTF?
Being able to press a button on your phone & your partner than has to deal with the toy doing things while out in public.
Being away & add that extra little bit to your sexting.
We live in a society where there are people who get off on being "Cash Slaves" to Masters who belittle them & demand cash. Anything is possible.
[ link to this | view in thread ]
Re: I have one very important question:
Look at flash drives, everyone has them now. Very few people know (read the stories here & be scared) that the drive programming takes a tiny part of the available chip that runs it. You can add more code to this chips firmware & it can do all sorts of horrible things. I doesn't have to carry a payload itself, it can just ping a server to get it. Its not hard to figure out what OS you are invading once you own the machine, and request the right code to complete compromising it.
People find "lost" flash drives and the next thing they do is plug it in to locate the owner & then your airgapped centrifuges are running funny and exploding.
I saw a tweet from someone who had a North Korean made flash drive & wondered how to test it without compromising their machine, people liked my suggestion of drop it in a parking lot.
[ link to this | view in thread ]
Re: NSFW
[ link to this | view in thread ]
Re: Re: NSFW
Bluetooth, for me, is a problem. For others it is an assistance. For both, it really requires significant disclosure and that is, to date, not forth coming.
I use an APP on Android to read books. It want's access to stuff. It does not need access to stuff. I don't like that it needs access to stuff. I still use it because it is easy to use, and it does what I want. I still don't like that it wants access to stuff, and I am not able to eliminate its access to stuff and still use it. Does the developer make money off whatever it collects? Maybe. But I am dreary enough that what they learn is of little consequence to me. I still don't like it, and would opt out if it was available.
[ link to this | view in thread ]
Re: Not just sex toys
I hope those wires are not copper, but something much less reactive, because if they are they will not last long in the body.
[ link to this | view in thread ]
Re: Re: I have one very important question:
With the side effect that the general-purpose computers that they use have all the same vulnerabilities of normal computers, moreso since they likely aren't running up-to-date antiviral software.
And that in turn means that sneaky malware can stay on it for ages and ages, updating to the latest viruses, keeping an eye on incoming and outgoing information until it can spread someplace important, like the computer you use for your banking.
Have I got the right idea?
[ link to this | view in thread ]
Re: Re: WTF?
In fact, it wouldn't surprise me if this "vulnerability" gets turned into another fetish; the possibility of having strangers remotely getting you off.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: I have one very important question:
Sadly, the best security comes from the company cutting so many corners that the device doesn't have the capacity to run capable malware (exotic CPU that nobody codes for, or insufficient RAM to hold the payload, or insufficient storage to retain the payload once fetched, or such a pathetically slow downlink that it can't download much malware per second, etc.). As functionality for Systems-on-Chip increases, that pseudo-security will become less effective. It's probably already ineffective. Given the advertised functionality of these vulnerable devices, they must be relatively capable general systems already. I expect the only major limitation holding back mass infection is that the operating system running on the device is exotic enough that attackers need malware customized to the vendor, if not to the individual product line, rather than using a one-size-infects-all as works for Windows, where a Windows/x86 virus can be written to work properly on Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10 -- and to run on both x86 and x64 variants of the platforms that have both. Smart devices don't have that level of portability yet, and might not gain it since there's no great benefit to the vendor to having it.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
That doesn't always work.
yours Barbarella.
[ link to this | view in thread ]
Re:
Well. Unless you use the device on the Wi-Fi at Starbucks or McDonalds.
[ link to this | view in thread ]
Re: Re: Re: WTF?
[ link to this | view in thread ]
Re:
If Ajit Pai were a plug, you wouldn't see so much crap coming out of the FCC.
[ link to this | view in thread ]
Truth is Stranger than Fiction*
Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things
Who are these people buying sex toys connected to the intertubes?
Have they lost their minds?
“Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't.”
~ Mark Twain, Following the Equator: A Journey Around the World*
[ link to this | view in thread ]
Re: Not just sex toys
Everything is more expensive in the medical industry. $10 bandaids, $5 cotton swabs, etc.
[ link to this | view in thread ]
Re: Re: I have one very important question:
So does that mean that there is software available to change the code and/or examine what's there already?
Seems like if there's a way to change that code, there should be a way to block it from running until it's been checked to make sure there's nothing extra in it.
[ link to this | view in thread ]
Re: Bluetooth unsecured IOT
I know the police and ISP took action, as I had given them free access to all my devices, and I saw their connection on my computer. Shortly afterwards several of the hackers moved out of the area, possibly due to fines or injunctions. Hacking and interfering with medical devices is a crime after all.
They did not damage the programs on the RCU but used it to do DOS attacks on devices with bluetooth or attached BT transmitters.
Now, most hearing aids have bluetooth.
[ link to this | view in thread ]