Internet Of Broken Things Jumps The Shark With IoT Chastity Penis Lock That Can Be Hacked
from the the-lock-not-the-penis dept
Say it with me now: not every last thing needs to be connected to the internet. If we've learned anything through the myriad of posts we have done on the internet of broken things, it's that far too many devices that need not be internet-connected are instead wide open to security flaws, connectivity-related flaws, and outages. Pet feeders, so-called smart locks, healthcare devices: all examples of things that have been broken or broken into thanks to their being connected to the internet in wildly insecure manners.
But what if I told you that a lack of basic security could result in a device you bought potentially forcing you to have someone come at your penis with an angle grinder? Well, if you bought a Cell Mate chastity lock, you should damn well be concerned.
U.K.-based security firm Pen Test Partners said the flaw in the Qiui Cellmate internet-connected chastity lock, billed as the “world’s first app controlled chastity device,” could have allowed anyone to remotely and permanently lock in the user’s penis.
The Cellmate chastity lock works by allowing a trusted partner to remotely lock and unlock the chamber over Bluetooth using a mobile app. That app communicates with the lock using an API. But that API was left open and without a password, allowing anyone to take complete control of any user’s device. Because the chamber was designed to lock with a metal ring underneath the user’s penis, the researchers said it may require the intervention of a heavy-duty bolt cutter or an angle grinder to free the user.
A researcher at -- checks notes and chuckles -- Pen Test Partners went on to say that someone exploiting the password-less API could lock "everyone in or out" at will. With no way to override the chastity lock either, you could suddenly cause a lot of people to be locked out of their own genitalia. A more perfect example of how 2020 has 2020'd the world there could not be.
It gets worse. This vulnerability has been known about since at least June. Qiui, a Chinese company, pushed out a new API for new users, but didn't remove the API for existing users. Why? Well, because doing so would cause all existing devices to lock.
Qiui chief executive Jake Guo told TechCrunch that a fix would arrive in August, but that deadline came and went. “We are a basement team,” he said. In a follow-up email explaining the risks to users, Guo said: “When we fix it, it creates more problems.”
As someone who owns a penis, I can assure you this is not what one wants to hear when it comes to a large metal lock that determines when I can access it. Nor do I like the idea of bolt-cutters. Or angle grinders. Or tube-smashers. Fine, I made that last one up.
As of this writing, this is all still a problem. Whether any malicious actor has used it to mess with people's dangly bits has not been confirmed officially.
It’s not known if anyone maliciously exploited the vulnerable API. Several user reviews of the app complained that the app had bugs that would cause the device to stay locked.
So, a PSA: if you're going to lock your genitalia up in a small metal vault, make sure it isn't connected to the internet.