‘Smart’ sex toys found to be easily hackable, privacy implications abound

You're going to need protection.


AJ Dellinger


Posted on Mar 27, 2016   Updated on May 27, 2021, 1:01 am CDT

The biggest fear of being hacked is having your privacy violated, but one security firm’s research found that hacking can get much more personal than just getting into your accounts. As it turns out, malicious intruders may also be able to take over sex toys.

At the computer expo CeBIT in Hanover, Germany, security software firm Trend Micro revealed that it was able to successfully hijack a vibrator that connects to the internet with an on-stage reveal that provided plenty of shock value.

The company’s chief technology officer Raimund Genes managed to switch on a sizable neon pink toy after hammering out a couple lines of code on a computer. The visual is striking but could quickly be dismissed as a novelty; there’s no personal information stored directly to a sex toy, after all.

Still, the precedent presents considerable concern. Trend Micro security spokesperson Udo Schneider admitted to the Daily Dot that the sex toy was chosen primarily for the optics, but noted that its vulnerability is representative of most connected devices—a market that is becoming increasingly popular thanks to the Internet of Things.

“The basic takeaway is that the device itself and its over the air control interface is insecure in many cases,” Schneider said.

Most Internet-enabled products—sex toys included—connect to a companion app via Bluetooth. Schneider explained that in the case of the vibrator, the team used “self-written software to control every aspect of the device,” just like the app would.

“This was possible because there were no security measures preventing us from accessing the device,” Schneider said. “The device was always visible via Bluetooth and always in pairing mode.”

Using a PIN of 0000—the default option for most Bluetooth devices—Trend Micro’s researchers were able to easily connect to the vibrator and use their own software to take control of the device.

As for the custom-built software, it’s totally unnecessary. Trend Micro created it as a security measure to conceal the raw commands during the presentation, but a simple terminal client is all that is needed to actually issue commands to the vibrator; no programming skill is required.

Having such an intimate moment interrupted by an uninvited party is a very personal violation of privacy and presents its own moral quandaries. There is clearly no consent involved in the act, and it’s a very physical intrusion despite taking place remotely.

There’s potential for more unwanted probing taking place in the nebulous space where Internet-connected devices communicate. The apps that handle everything from authenticating users to handing off information between devices are often insecure and prime for data leaks. If a bad actor is able to access the command prompts for a device, they’re a step closer to the information that is moving between those same channels.

Schneider pointed out that these apps are usually “add-ons,” not a required part of the product to make it work. Often, they augment the primary purpose by offering features like syncing with porn or giving a partner remote control to provide stimulation from afar.

Since the apps aren’t a primary part of what’s being sold, the companies that develop them are often unlikely to maintain proper security protocols and keep the apps up to date with necessary patches and protections. Over time, protocols are replaced and made obsolete, and if updates aren’t provided, apps become vulnerable.

The outlook provided by Schneider is less than reassuring. 

“With many of today’s devices users can neither ensure that their devices are not controlled by others nor prevent it in any way, except for shutting the device down. From a security standpoint, many devices are simply insecure or broken,” he said.

Worse yet, there’s no real way to encourage the companies to take the steps necessary to provide proper protection. Schneider suggested that financial incentive would be the best way to convince manufacturers to put in the effort, but that seems unlikely since consumers just don’t seem to care about their privacy.

A study conducted by ESET and the National Cyber Security Alliance (NCSA) found that 79 percent of people feel safe with connected devices. 40 percent of those same people failed to properly secure their wireless router, meaning they are more vulnerable and less aware of that fact.

Most connected devices haven’t given users much reason to grant that much trust. Hewlett Packard found that 90 percent of devices collected at least one piece of personal information via the device, the cloud, or its mobile application, and 70 percent used unencrypted network services to transmit that information, both through the Internet and local networks.

“Increasing awareness for the risks and a conscious buying decision are the only direct ways of influencing users have,” Schneider said, and suggested there is only one thing that might shock people into caring: an actual data breach.

Providing proper security isn’t a matter of a massive overhaul of operations for companies; some minor changes would make a significant difference. Schneider suggested everything from assigning a non-default Bluetooth PIN to limiting Bluetooth pairing time and adding a secure login to apps associated with a device.
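As an added illustration (not code from Trend Micro or any device vendor), the first two of those changes can be sketched as device-side pairing logic in C: the device is pairable only for a short window after a physical button press, refuses to operate with a default-style PIN, and closes the window after repeated wrong PINs. The struct, function names, 60-second window and three-attempt limit are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAIRING_WINDOW_S 60  /* assumed: seconds the device stays pairable */
#define MAX_PIN_FAILURES 3   /* assumed: wrong PINs tolerated per window */

typedef enum { PAIR_OK, PAIR_NOT_PAIRABLE, PAIR_BAD_PIN, PAIR_WEAK_PIN } pair_result;

typedef struct {
    char     pin[8];       /* per-device PIN set at manufacture (hypothetical field) */
    bool     window_open;  /* true only after a physical button press */
    uint32_t opened_at;    /* time of that press, in seconds */
    uint8_t  failures;     /* wrong PINs seen in the current window */
} pairing_state;

/* Weak: shorter than 4 digits, one repeated digit (0000, 1111...), or 1234. */
static bool pin_is_weak(const char *pin) {
    size_t n = strlen(pin), same = 1;
    for (size_t i = 1; i < n; i++) same += (pin[i] == pin[0]);
    return n < 4 || same == n || strcmp(pin, "1234") == 0;
}

/* Compare without an early exit so timing does not show how many digits matched. */
static bool pin_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Called from the button handler: the only way the device becomes pairable. */
void pairing_button_pressed(pairing_state *s, uint32_t now) {
    s->window_open = true;
    s->opened_at = now;
    s->failures = 0;
}

pair_result pairing_attempt(pairing_state *s, const char *pin, uint32_t now) {
    if (pin_is_weak(s->pin)) return PAIR_WEAK_PIN;      /* never run on a default PIN */
    if (s->window_open && now - s->opened_at >= PAIRING_WINDOW_S)
        s->window_open = false;                         /* window timed out */
    if (!s->window_open) return PAIR_NOT_PAIRABLE;
    if (!pin_equal(pin, s->pin)) {
        if (++s->failures >= MAX_PIN_FAILURES) s->window_open = false;
        return PAIR_BAD_PIN;
    }
    s->window_open = false;                             /* one pairing per press */
    return PAIR_OK;
}
```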

Long term, it’s just a matter of finally taking privacy seriously. Just because the product connecting to the Internet is a television or refrigerator (or giant, brightly colored vibrator) instead of a computer or smartphone, it doesn’t mean it’s acceptable to skimp on security. 

Most of these devices, sex toys included, are generating and recording data about their users. It might not be displayed prominently or easily sharable like the “daily steps taken” or run times in your fitness tracker, but it’s still sitting behind a wall that is all too often easily penetrable. One needs to look no further than cars being stopped remotely or the photos and voice recordings of children exposed by a data breach to see what can go wrong when companies choose bells and whistles over basic security measures. 

These risks should matter to manufacturers just as much as they matter to consumers, and at the moment it appears neither is all that interested. Perhaps it will take a sex toy to make it clear to people just how important proper protection is. 

H/T  Metro | Photo via jmawork/Flickr (CC BY 2.0) | Remix by Fernando Alfonso III

*First Published: Mar 27, 2016, 11:46 am CDT