This smart vibrator can be 'easily' hacked and remotely controlled by anyone

As many as 100,000 users had their private sexual activities exposed by a related data leak.


Thought the Internet of Things was bad? The Internet of Dildos is so much worse.

Security researchers have found that a popular internet-connected sex toy is riddled with vulnerabilities and flaws, which put users at a huge privacy risk.

The so-called Vibratissimo "panty buster" is a smart toy that connects through Bluetooth to a phone. It's designed to allow the user's partner to remotely control the vibrator -- "from home or from the other end of the world," according to the website of its maker, Amor Gummiwaren.

But, according to a vulnerability disclosure report released Thursday by SEC Consult, one of several vulnerabilities in the vibrator let anyone take remote control of the sex toy over the internet.

That's because a "quick control" feature, which allows a user to send a link by text or email to their partner to take control of the vibrator, uses an ID that can simply be incremented. Each link's ID comes from a global counter that "just gets incremented by one every time a new quick control link is created," the report said.

"An attacker can guess this ID easily and therefore control the victim's sex toy directly over the internet."

Not only that -- a separate flaw in the device allowed unauthenticated Bluetooth connections, which could let an attacker nearby hijack the device.

The app doesn't ask the user to confirm the other person's ability to remote control, either.
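A defender's sketch of the two link designs described above, written for this article as an added example and not the vendor's code: `counter_link_id` reproduces the global-counter scheme the report describes, while the hypothetical `TokenLinkIssuer` shows the properties a quick-control link should have instead (a random 128-bit token, stored only as a hash so an exposed database leaks nothing usable, a short lifetime, single use, and explicit owner confirmation, which the report says the app lacks). The names, the 15-minute lifetime and the SHA-256 storage are assumptions, not details from the report.

```python
import hashlib
import itertools
import secrets
import time
from dataclasses import dataclass

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()  # stored instead of the token

_counter = itertools.count(1)
def counter_link_id():
    # The weak scheme in the report: a global counter, incremented by one per link.
    return str(next(_counter))

@dataclass
class Grant:
    owner: str
    expires_at: float
    confirmed: bool = False
    used: bool = False

class TokenLinkIssuer:
    # Hypothetical hardened issuer (not the vendor's code): random 128-bit
    # capability tokens, stored only as hashes, short-lived, single-use,
    # and inert until the device owner confirms the partner.
    TTL_SECONDS = 15 * 60  # assumed lifetime

    def __init__(self, now=time.time):
        self._now = now
        self._grants = {}  # sha256(token) -> Grant; a DB dump yields no live tokens

    def issue(self, owner):
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._grants[_key(token)] = Grant(owner, self._now() + self.TTL_SECONDS)
        return token

    def confirm(self, owner, token):
        g = self._grants.get(_key(token))
        if g is None or g.owner != owner:  # only the device owner may approve
            return False
        g.confirmed = True
        return True

    def redeem(self, token):
        # Returns the owner whose device may now be controlled, else None.
        g = self._grants.get(_key(token))
        if g is None or g.used or not g.confirmed or self._now() >= g.expires_at:
            return None
        g.used = True
        return g.owner
```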


The researchers also found that the company's back-end cloud service for storing customer data was left wide open and exposed for anyone to find with an easily guessable web address.

Usernames, plaintext passwords, chat histories, and explicit image galleries that users created themselves were sitting in a database that an attacker could have easily dumped and downloaded, without needing a password.

An attacker could also gain access to users' real names and home addresses.

It's not known exactly how many users were in the database. The researchers said it may have held a six-figure number of users. The Android mobile app has between 50,000 and 100,000 users, according to its listing in the Google Play store.

The bugs were reported in November, though not all were fixed. The database was subsequently secured. Although the app has been fixed, the vibrator has to be sent to the manufacturer, as there's no way to remotely update the device.

We reached out to Amor Gummiwaren for comment and will update if we hear back.

It's not the first time internet-connected sex toys have been hacked. As with other Internet of Things devices, many device makers have put functionality over security, putting users at risk of attack and assault. That throws up all kinds of ethical questions -- like if a vibrator is hacked, is that a sex crime? -- that have largely yet to be answered. (Although, many might ask why hooking up a vibrator to the internet in the first place is a good idea.)

Given how sensitive and personal these devices are, researchers are continuing to focus their efforts on finding flaws in sex toys to have them fixed.

One researcher, who goes by the pseudonym RenderMan, started a Pornhub-sponsored project known as the "Internet of Dongs" to raise awareness about sex toy security issues.

"Sex toy security may seem like a joke, but it is a serious topic that researchers have been far too afraid to delve into out of various cultural hangups around 'adult' products," he told ZDNet in an email. "Being able to hijack a toy remotely and have a stranger controlling it can be as emotionally horrifying as a physical assault. Do users of these legal and plentiful products not deserve the same privacy and security as we are demanding of all our other gadgets?"

"I'm glad to see more researchers 'growing up' and willing to help protect users in their most intimate moments," he added.

SEC Consult said that, like the Internet of Dongs project, it has more sex toy vulnerability reports on the way.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
