Internet Of Broken Things Jumps The Shark With IoT Chastity Penis Lock That Can Be Hacked

from the the-lock-not-the-penis dept

Say it with me now: not every last thing needs to be connected to the internet. If we've learned anything through the myriad of posts we have done on the internet of broken things, it's that far too many devices that need not be internet-connected are instead wide open to security flaws and connectivity-related flaws and outages. Pet feeders, so-called smart locks, healthcare devices: all examples of things that have been broken or broken into thanks to their being connected to the internet in wildly insecure manners.

But what if I told you that a lack of basic security could result in a device you bought potentially forcing you to have someone come at your penis with an angle grinder? Well, if you bought a Cell Mate chastity lock, you should damn well be concerned.

U.K.-based security firm Pen Test Partners  said the flaw in the Qiui Cellmate internet-connected chastity lock, billed as the “world’s first app controlled chastity device,” could have allowed anyone to remotely and permanently lock in the user’s penis.

The Cellmate chastity lock works by allowing a trusted partner to remotely lock and unlock the chamber over Bluetooth using a mobile app. That app communicates with the lock using an API. But that API was left open and without a password, allowing anyone to take complete control of any user’s device. Because the chamber was designed to lock with a metal ring underneath the user’s penis, the researchers said it may require the intervention of a heavy-duty bolt cutter or an angle grinder to free the user.

A researcher at -- checks notes and chuckles -- Pen Test Partners went on to say that someone exploiting the password-less API could lock "everyone in or out" at will. With no way to override the chastity lock either, you could suddenly cause a lot of people to be locked out of their own genitalia. A more perfect example of how 2020 has 2020'd the world there could not be.

It gest worse. This vulnerability has been known about since at least June. Qiui, a Chinese company, pushed out a new API for new users, but didn't remove the API for existing users. Why? Well, because doing so would cause all existing devices to lock.

Qiui chief executive Jake Guo told TechCrunch that a fix would arrive in August, but that deadline came and went. “We are a basement team,” he said. In a follow-up email explaining the risks to users, Guo said: “When we fix it, it creates more problems.”

As someone who owns a penis, I can assure you this is not what one wants to hear when it comes to a large metal lock that determines when I can access it. Nor do I like the idea of bolt-cutters. Or angle grinders. Or tube-smashers. Fine, I made that last one up.

As of this writing, this is all still a problem. Whether any malicious actor has used it to mess with people's dangly bits has not been confirmed officially.

It’s not known if anyone maliciously exploited the vulnerable API. Several user reviews of the app complained that the app had bugs that would cause the device to stay locked.

So, a PSA: if you're going to lock your genitalia up in a small metal vault, make sure it isn't connected to the internet.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: chastity, hacked, hacking, internet connected, iot, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Melvin Chudwaters, 9 Oct 2020 @ 12:26pm

    Considering their market...

    This sounds more like a feature than a bug.

    link to this | view in thread ]

  2. icon
    scotts13 (profile), 9 Oct 2020 @ 12:34pm

    You know...

    There's a Darwin Awards comment or three waiting to be made. Which one should I choose?

    link to this | view in thread ]

  3. icon
    Stephen T. Stone (profile), 9 Oct 2020 @ 12:34pm

    Man, the CBT crowd is really kicking things up a notch.

    link to this | view in thread ]

  4. identicon
    cpt kangarooski, 9 Oct 2020 @ 12:46pm

    Hacking one of those is a real dick move.

    link to this | view in thread ]

  5. icon
    zyffyr (profile), 9 Oct 2020 @ 12:54pm

    I really want to be upset over their horrid security, but my outrage keeps being overwhelmed by laughter.

    link to this | view in thread ]

  6. icon
    Code Monkey (profile), 9 Oct 2020 @ 1:06pm

    Wait, wait, wait....

    What you're essentially saying here is that these users are getting CockLockBlocked???

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 9 Oct 2020 @ 1:08pm

    Well this gives Locktober a whole new meaning...

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 9 Oct 2020 @ 1:16pm

    Someone actually did hit the lock button on the broken ones. So, uh. Yeah. That happened.

    link to this | view in thread ]

  9. icon
    That One Guy (profile), 9 Oct 2020 @ 1:23pm

    That's new

    Usually IoT security results in the users getting screwed, never seen it have the opposite effect before now.

    link to this | view in thread ]

  10. icon
    Ehud Gavron (profile), 9 Oct 2020 @ 1:29pm

    Unintentional double entendre?

    "not something I want to here"...

    I don't want those tools here either!

    E

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 9 Oct 2020 @ 1:29pm

    Re:

    sourced from here, which links to original posts on the subject: https://glaceon.social/@gardevoir/105000334435699472

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 9 Oct 2020 @ 1:47pm

    But what if I told you that a lack of basic security could result in a device you bought potentially forcing you to have someone come at your penis with an angle grinder?

    Without any emergency release mechanism, something as mundane as a dead battery or some RF interference could do the same. Remember that time when garage door openers stopped working in Ottawa Canada?

    link to this | view in thread ]

  13. icon
    Hugo S Cunningham (profile), 9 Oct 2020 @ 1:54pm

    Re: You know...

    Can the same people receive both Darwin Awards and Ig Nobel Prizes?

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 9 Oct 2020 @ 2:09pm

    I can't help but think that anyone stupid enough to buy a "chastity lock" in the 21st century deserves to be locked out of procreation for the good of the human gene pool.

    link to this | view in thread ]

  15. identicon
    David, 9 Oct 2020 @ 2:26pm

    How did the cock lock blockers find their targets?

    They employed Dick Tracy.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 9 Oct 2020 @ 2:43pm

    Re:

    I had a question with regard to that line of thought: What if the ... uh ...victim of the device is not wearing it by choice? Say, a minor with batshit parents?

    link to this | view in thread ]

  17. icon
    That One Guy (profile), 9 Oct 2020 @ 2:49pm

    Re: Re:

    That would seem to be an excellent justification for mandatory counseling for everyone involved(though for different reasons) and potentially taking the kid away for their own safety.

    link to this | view in thread ]

  18. icon
    R.H. (profile), 9 Oct 2020 @ 2:52pm

    Some Confusion

    After reading about this device, it appears that this device is only accessible over Bluetooth not the internet. That limits the damage that can be caused by this attack since you can't just get a bot-net to search for these devices and lock them all. If anything, the lack of actual internet connectivity seems to be an answer to the "don't connect things to the internet that don't need to be connected to the internet" crowd.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 9 Oct 2020 @ 2:59pm

    Re: Re:

    What if the ... uh ...victim of the device is not wearing it by choice? Say, a minor with batshit parents?

    What? You missed the obvious oneliner: Asking for a friend.

    But in answer to your question, I'd say that the minor has more important problems than just a lock on his junk. But said lock could itself be a solution to the other problem, if brought to the attention of the right agency.

    link to this | view in thread ]

  20. icon
    That Anonymous Coward (profile), 9 Oct 2020 @ 3:02pm

    Re:

    No Nut November.

    link to this | view in thread ]

  21. icon
    Tim R (profile), 9 Oct 2020 @ 3:02pm

    I'd make a comment about your penis being bricked, but that kind of sadism really belongs in other message fora....

    link to this | view in thread ]

  22. icon
    That Anonymous Coward (profile), 9 Oct 2020 @ 3:11pm

    I've been giggling like a 12 yr old since the idea of ScrewDriving first came up. Wandering around with a BT enabled device & seeing who has what devices stuffed into their orifices (Sadly Back Orifice was already a well known exploit) & then take control of them.

    I dared to ask a gay sex toy operation who were pushing yet another BT enabled device if they had done any security checks on the devices (I mean you want me to pay $200+, I should be able to make sure its only accessible to the person I chose.) they blocked me on Twitter. The porn star who was in the advertisement called me a killjoy & to lighten up.

    This all came up after a hacker had exploited a IoT buttplug & it was actually feasible to set it up to be a vector to insert (snicker) malicious code.

    The video rocks if only see see stick figure men demonstrating on the slides.
    Video: https://www.youtube.com/watch?v=CsQ2VWEfduM

    We now live in a world where an app enabled dildo can compromise a secure network.

    link to this | view in thread ]

  23. identicon
    Torinir, 9 Oct 2020 @ 3:27pm

    Re: Re:

    More like No Nut Ever Again.

    link to this | view in thread ]

  24. icon
    K`Tetch (profile), 9 Oct 2020 @ 4:49pm

    What a cock-up (or not, as the case may be)

    link to this | view in thread ]

  25. icon
    fairuse (profile), 9 Oct 2020 @ 7:53pm

    Keep it simple no longer an engineering test

    I am not sure why every thing must be app driven - marketing of course. I'm not even going to care about sex toys, party on. The idea of no fail-safe is no problem is insane but people do crazy, therefore KISS (I ran a floor buffer in a hospital - why would a guy have a broken lightbulb in his butt?)

    The lock on a penis should be mechanical key with no system app and wireless access of any kind. Unless that is a buzzkill.

    A good brand name for this one is "Bobbit".

    link to this | view in thread ]

  26. identicon
    Mr Phibb, 9 Oct 2020 @ 8:29pm

    Not sure this will bother the users

    Chastity users have often turned the keys to their device over to key holders who often don't live with them, so an internet linked version makes sense. Unfortunately, as has been noted in the past here, security is often an afterthought at best. Still, I'm not sure if the people into this will consider this a bug, or a feature, after all, the low tech version brings with it the risk of having to be cut out, so this doesn't change much.

    link to this | view in thread ]

  27. identicon
    ryuugami, 9 Oct 2020 @ 11:28pm

    a Cell Mate chastity lock

    Am I missing a more benign interpretation, or is this product's name a prison rape joke?

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 10 Oct 2020 @ 4:50am

    Re: Keep it simple no longer an engineering test

    The lock on a penis ... is a stupid idea

    link to this | view in thread ]

  29. identicon
    Paul, 10 Oct 2020 @ 6:23am

    The issue was with the Smart Phone app itself, not the device.

    I work for the European distributor of this "male chastity cage," hehehe, and the bespoken issue was located within Smart Phone application itself, developed by Chinese QIUI manufacturer. This issue has already been patched by QIUI's software developers and app's newer version was submitted to both Apple and Google on-line stores. No actual issues were reported about the device itself, other than inexperienced users trying to break the device's locking mechanism open using brute force, which renders all warranties null and void.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 10 Oct 2020 @ 10:07am

    Re:

    The obvious benign interpretation is that the product is a cell. It seems like kind of a leap to infer anything about rape. Even if referring to prison sex, why not the consentual kind?

    link to this | view in thread ]

  31. identicon
    David, 10 Oct 2020 @ 12:17pm

    Re: Some Confusion

    I would guess you got that wrong. To have the whole setup make any sense, the device would be connected via Bluetooth to a smartphone (typically carried by the lock wearer), and that smartphone would be remotely contacted to lock/unlock the device. Basically the smartphone acts as a gateway so that the cock block lock does not need a SIM card and long range transceiver of its own.

    Depending on the security model, the (gateway) smartphone itself would not need to have any need for privileged information.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 10 Oct 2020 @ 6:04pm

    If someone insists in the 21st century that you use a chastity device, you run.

    RUN in the opposite direction.

    Do NOT. I repeat do not stick your dick into a remote-controlled chastity device, and definitely DO NOT stick your dick in the crazy-crazy that buys one.

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 10 Oct 2020 @ 6:06pm

    Who the FUCK would buy a chastity device made by the Chinese government.

    One thats castrating thousands of people for "meditating in an unapproved way" (falun gong), stripping the internal organs from prisoners by the 10s of thousands for party members, and is engaged in mass sterilization of hundreds of thousands of citizens?

    link to this | view in thread ]

  34. icon
    Scary Devil Monastery (profile), 12 Oct 2020 @ 1:25am

    Re:

    "Who the FUCK would buy a chastity device made by the Chinese government."

    Hey don't judge. Masochism is one of the more well-known kinks out there. Anyone who feels the urge to be dominated in every aspect of their lives could probably do worse than rely on the expertise of a nation with two and a half millennias worth of successfully suppressing their citizenry.

    link to this | view in thread ]

  35. identicon
    Talmyr, 12 Oct 2020 @ 9:10am

    Re: Re: Keep it simple no longer an engineering test

    Have you met many men? ;) I suspect there are whole realms of women eager to use and exploit this for their own peace/revenge.

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 12 Oct 2020 @ 11:22am

    I'd like to offer a little important info here;

    This chastity device, like almost all mass produced devices, isn't going to permanently lock the wearer's penis away. It features a solid ring that goes over the genitals, then a fancy tube-like device is slid over the penis and locked to the ring. Anyone see the glaring security flaw here?

    If the genitals, including the penis, went through the ring to begin with, having it inside a tube isn't going to prevent it from being pulled back out.

    The proximity of the tube to the ring will probably prevent the wearer from being able to remove their testicles from the device, but the penis can easily be pulled out any time the man feels the urge, and usually just back in.

    Couples who are serious about chastity play usually pay big bucks for a custom device that incorporates some type of piercing to prevent the wearer from just pulling out of it.

    And yes, some men do want to have someone else decide when they can have pleasure. Some men into chastity also want to actually shrink their penis through the use of ever smaller devices, squashing the penis down until it becomes useless. Some men also want to see their wives have sex with other, more well-endowed men, while they themselves are being denied.

    I can understand the first, but the last two leave me scratching my head. Different strokes though...

    link to this | view in thread ]

  37. icon
    Another Kevin (profile), 12 Oct 2020 @ 2:49pm

    Don't put a Qiui on your ui-ui!

    link to this | view in thread ]

  38. icon
    Mogvil20 (profile), 13 Oct 2020 @ 12:56am

    Bankwest Card Activation

    If users having some issue or facing some kind of trouble in Bankwest Card Activation then users can Activate Bankwest Card with us. And if users want to activate their Bankwest Card with us users didn’t have to do more hard things Bankwest Card Activation. Users can activate their Bankwest Card with us in the minimum time possible.

    http://philagribiz.com/bankwest-card-activation/

    link to this | view in thread ]

  39. icon
    Mogvil20 (profile), 13 Oct 2020 @ 12:56am

    Bankwest Card Activation

    If users having some issue or facing some kind of trouble in Bankwest Card Activation then users can Activate Bankwest Card with us. And if users want to activate their Bankwest Card with us users didn’t have to do more hard things Bankwest Card Activation. Users can activate their Bankwest Card with us in the minimum time possible.

    http://philagribiz.com/bankwest-card-activation/

    link to this | view in thread ]

  40. icon
    DannyB (profile), 13 Oct 2020 @ 6:39am

    Don't people realize?

    Digital Liberty. The device is intended to protect your bits.

    The problem is that the device tends to cause Vendor Lock In.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.