Internet Of Broken Things Jumps The Shark With IoT Chastity Penis Lock That Can Be Hacked
from the the-lock-not-the-penis dept
Say it with me now: not every last thing needs to be connected to the internet. If we've learned anything through the myriad of posts we have done on the internet of broken things, it's that far too many devices that need not be internet-connected are instead wide open to security flaws and connectivity-related flaws and outages. Pet feeders, so-called smart locks, healthcare devices: all examples of things that have been broken or broken into thanks to their being connected to the internet in wildly insecure manners.
But what if I told you that a lack of basic security could result in a device you bought potentially forcing you to have someone come at your penis with an angle grinder? Well, if you bought a Cell Mate chastity lock, you should damn well be concerned.
U.K.-based security firm Pen Test Partners said the flaw in the Qiui Cellmate internet-connected chastity lock, billed as the “world’s first app controlled chastity device,” could have allowed anyone to remotely and permanently lock in the user’s penis.
The Cellmate chastity lock works by allowing a trusted partner to remotely lock and unlock the chamber over Bluetooth using a mobile app. That app communicates with the lock using an API. But that API was left open and without a password, allowing anyone to take complete control of any user’s device. Because the chamber was designed to lock with a metal ring underneath the user’s penis, the researchers said it may require the intervention of a heavy-duty bolt cutter or an angle grinder to free the user.
A researcher at -- checks notes and chuckles -- Pen Test Partners went on to say that someone exploiting the password-less API could lock "everyone in or out" at will. With no way to override the chastity lock either, you could suddenly cause a lot of people to be locked out of their own genitalia. A more perfect example of how 2020 has 2020'd the world there could not be.
It gets worse. This vulnerability has been known about since at least June. Qiui, a Chinese company, pushed out a new API for new users, but didn't remove the API for existing users. Why? Well, because doing so would cause all existing devices to lock.
Qiui chief executive Jake Guo told TechCrunch that a fix would arrive in August, but that deadline came and went. “We are a basement team,” he said. In a follow-up email explaining the risks to users, Guo said: “When we fix it, it creates more problems.”
As someone who owns a penis, I can assure you this is not what one wants to hear when it comes to a large metal lock that determines when I can access it. Nor do I like the idea of bolt-cutters. Or angle grinders. Or tube-smashers. Fine, I made that last one up.
As of this writing, this is all still a problem. Whether any malicious actor has used it to mess with people's dangly bits has not been confirmed officially.
It’s not known if anyone maliciously exploited the vulnerable API. Several user reviews of the app complained that the app had bugs that would cause the device to stay locked.
So, a PSA: if you're going to lock your genitalia up in a small metal vault, make sure it isn't connected to the internet.
Filed Under: chastity, hacked, hacking, internet connected, iot, security
Reader Comments
Considering their market...
This sounds more like a feature than a bug.
[ link to this | view in chronology ]
You know...
There's a Darwin Awards comment or three waiting to be made. Which one should I choose?
[ link to this | view in chronology ]
Re: You know...
Can the same people receive both Darwin Awards and Ig Nobel Prizes?
[ link to this | view in chronology ]
Man, the CBT crowd is really kicking things up a notch.
[ link to this | view in chronology ]
Hacking one of those is a real dick move.
[ link to this | view in chronology ]
I really want to be upset over their horrid security, but my outrage keeps being overwhelmed by laughter.
[ link to this | view in chronology ]
Wait, wait, wait....
What you're essentially saying here is that these users are getting CockLockBlocked???
[ link to this | view in chronology ]
Well this gives Locktober a whole new meaning...
[ link to this | view in chronology ]
Re:
No Nut November.
[ link to this | view in chronology ]
Re: Re:
More like No Nut Ever Again.
[ link to this | view in chronology ]
Someone actually did hit the lock button on the broken ones. So, uh. Yeah. That happened.
[ link to this | view in chronology ]
Re:
sourced from here, which links to original posts on the subject: https://glaceon.social/@gardevoir/105000334435699472
[ link to this | view in chronology ]
That's new
Usually IoT security results in the users getting screwed, never seen it have the opposite effect before now.
[ link to this | view in chronology ]
Unintentional double entendre?
"not something I want to here"...
I don't want those tools here either!
E
[ link to this | view in chronology ]
Without any emergency release mechanism, something as mundane as a dead battery or some RF interference could do the same. Remember that time when garage door openers stopped working in Ottawa Canada?
[ link to this | view in chronology ]
I can't help but think that anyone stupid enough to buy a "chastity lock" in the 21st century deserves to be locked out of procreation for the good of the human gene pool.
[ link to this | view in chronology ]
Re:
I had a question with regard to that line of thought: What if the ... uh ...victim of the device is not wearing it by choice? Say, a minor with batshit parents?
[ link to this | view in chronology ]
Re: Re:
That would seem to be an excellent justification for mandatory counseling for everyone involved (though for different reasons) and potentially taking the kid away for their own safety.
[ link to this | view in chronology ]
Re: Re:
What? You missed the obvious oneliner: Asking for a friend.
But in answer to your question, I'd say that the minor has more important problems than just a lock on his junk. But said lock could itself be a solution to the other problem, if brought to the attention of the right agency.
[ link to this | view in chronology ]
How did the cock lock blockers find their targets?
They employed Dick Tracy.
[ link to this | view in chronology ]
Some Confusion
After reading about this device, it appears that this device is only accessible over Bluetooth not the internet. That limits the damage that can be caused by this attack since you can't just get a bot-net to search for these devices and lock them all. If anything, the lack of actual internet connectivity seems to be an answer to the "don't connect things to the internet that don't need to be connected to the internet" crowd.
[ link to this | view in chronology ]
Re: Some Confusion
I would guess you got that wrong. To have the whole setup make any sense, the device would be connected via Bluetooth to a smartphone (typically carried by the lock wearer), and that smartphone would be remotely contacted to lock/unlock the device. Basically the smartphone acts as a gateway so that the cock block lock does not need a SIM card and long range transceiver of its own.
Depending on the security model, the (gateway) smartphone itself would not need to have any need for privileged information.
[ link to this | view in chronology ]
I'd make a comment about your penis being bricked, but that kind of sadism really belongs in other message fora....
[ link to this | view in chronology ]
I've been giggling like a 12 yr old since the idea of ScrewDriving first came up. Wandering around with a BT enabled device & seeing who has what devices stuffed into their orifices (Sadly Back Orifice was already a well known exploit) & then take control of them.
I dared to ask a gay sex toy operation who were pushing yet another BT enabled device if they had done any security checks on the devices (I mean you want me to pay $200+, I should be able to make sure it's only accessible to the person I chose.) they blocked me on Twitter. The porn star who was in the advertisement called me a killjoy & to lighten up.
This all came up after a hacker had exploited an IoT buttplug & it was actually feasible to set it up to be a vector to insert (snicker) malicious code.
The video rocks if only to see stick figure men demonstrating on the slides.
Video: https://www.youtube.com/watch?v=CsQ2VWEfduM
We now live in a world where an app enabled dildo can compromise a secure network.
[ link to this | view in chronology ]
What a cock-up (or not, as the case may be)
[ link to this | view in chronology ]
Keep it simple no longer an engineering test
I am not sure why every thing must be app driven - marketing of course. I'm not even going to care about sex toys, party on. The idea of no fail-safe is no problem is insane but people do crazy, therefore KISS (I ran a floor buffer in a hospital - why would a guy have a broken lightbulb in his butt?)
The lock on a penis should be mechanical key with no system app and wireless access of any kind. Unless that is a buzzkill.
A good brand name for this one is "Bobbit".
[ link to this | view in chronology ]
Re: Keep it simple no longer an engineering test
The lock on a penis ... is a stupid idea
[ link to this | view in chronology ]
Re: Re: Keep it simple no longer an engineering test
Have you met many men? ;) I suspect there are whole realms of women eager to use and exploit this for their own peace/revenge.
[ link to this | view in chronology ]
Not sure this will bother the users
Chastity users have often turned the keys to their device over to key holders who often don't live with them, so an internet linked version makes sense. Unfortunately, as has been noted in the past here, security is often an afterthought at best. Still, I'm not sure if the people into this will consider this a bug, or a feature, after all, the low tech version brings with it the risk of having to be cut out, so this doesn't change much.
[ link to this | view in chronology ]
Am I missing a more benign interpretation, or is this product's name a prison rape joke?
[ link to this | view in chronology ]
Re:
The obvious benign interpretation is that the product is a cell. It seems like kind of a leap to infer anything about rape. Even if referring to prison sex, why not the consensual kind?
[ link to this | view in chronology ]
The issue was with the Smart Phone app itself, not the device.
I work for the European distributor of this "male chastity cage," hehehe, and the bespoken issue was located within the Smart Phone application itself, developed by Chinese QIUI manufacturer. This issue has already been patched by QIUI's software developers and the app's newer version was submitted to both Apple and Google on-line stores. No actual issues were reported about the device itself, other than inexperienced users trying to break the device's locking mechanism open using brute force, which renders all warranties null and void.
[ link to this | view in chronology ]
If someone insists in the 21st century that you use a chastity device, you run.
RUN in the opposite direction.
Do NOT. I repeat do not stick your dick into a remote-controlled chastity device, and definitely DO NOT stick your dick in the crazy-crazy that buys one.
[ link to this | view in chronology ]
Who the FUCK would buy a chastity device made by the Chinese government.
One that's castrating thousands of people for "meditating in an unapproved way" (falun gong), stripping the internal organs from prisoners by the 10s of thousands for party members, and is engaged in mass sterilization of hundreds of thousands of citizens?
[ link to this | view in chronology ]
Re:
"Who the FUCK would buy a chastity device made by the Chinese government."
Hey don't judge. Masochism is one of the more well-known kinks out there. Anyone who feels the urge to be dominated in every aspect of their lives could probably do worse than rely on the expertise of a nation with two and a half millennia's worth of successfully suppressing their citizenry.
[ link to this | view in chronology ]
I'd like to offer a little important info here;
This chastity device, like almost all mass produced devices, isn't going to permanently lock the wearer's penis away. It features a solid ring that goes over the genitals, then a fancy tube-like device is slid over the penis and locked to the ring. Anyone see the glaring security flaw here?
If the genitals, including the penis, went through the ring to begin with, having it inside a tube isn't going to prevent it from being pulled back out.
The proximity of the tube to the ring will probably prevent the wearer from being able to remove their testicles from the device, but the penis can easily be pulled out any time the man feels the urge, and usually just back in.
Couples who are serious about chastity play usually pay big bucks for a custom device that incorporates some type of piercing to prevent the wearer from just pulling out of it.
And yes, some men do want to have someone else decide when they can have pleasure. Some men into chastity also want to actually shrink their penis through the use of ever smaller devices, squashing the penis down until it becomes useless. Some men also want to see their wives have sex with other, more well-endowed men, while they themselves are being denied.
I can understand the first, but the last two leave me scratching my head. Different strokes though...
[ link to this | view in chronology ]
Don't put a Qiui on your ui-ui!
[ link to this | view in chronology ]
Don't people realize?
Digital Liberty. The device is intended to protect your bits.
The problem is that the device tends to cause Vendor Lock In.
[ link to this | view in chronology ]