An internet security company discovered that some smart sex toys have companion apps with such bad vulnerabilities that anyone could know your identity and where you’re using the toy.
ESET, the company in question, compiled a report that explored the potential security and safety flaws of connected sex toys and why these shortcomings must not be overlooked. This report was titled “Sex in the Digital Era – How secure are smart sex toys?”
ESET researchers analysed two of the best-selling adult toys in the market, the We-Vibe Jive and Lovense Max and the apps that control them, for their test. They reported using vulnerability analysis frameworks as well as direct analysis techniques to identify flaws in their implementations.
It was found that We-Vibe Jive, a vibrator for women, was vulnerable in insecure environments; the device continuously announced its presence via Bluetooth to create a connection. This means anyone with a Bluetooth scanner could find the We-Vibe Jive in their vicinity up to eight metres away. Potential attackers could then use the device’s Bluetooth signal strength to guide them to the wearer.
Anyone could also connect to and control the We-Vibe Jive even without the manufacturer’s official app as most browsers offer features as a substitute to facilitate such a connection. The device also uses the least secure of the Bluetooth Low Energy (BLE) pairing methods; the temporary code the app and the device generate during paring is set to zero, meaning any device (and by extension, anyone) can connect to it using zero as the key. An unpaired We-Vibe Jive could automatically bond with any mobile phone, tablet or computer that requests to do so without properly verifying the device asking for connection.
ESET researchers also discovered that whenever the app of the We-Vibe Jive sends photos, it may also be sending information about the device being used to send the photo and the user’s exact geolocation. This is possible due to the file’s metadata remaining on the shared file.
Lovense’s Max, a fleshlight for men, has its own set of vulnerabilities. It has the ability to synchronise with its remote counterpart. An attacker could then choose to compromise either of the two devices to control both. Thankfully, multimedia files do not include their metadata when they are received from the device’s remote device. Additionally, a user can configure a four-digit unlock code to secure these multimedia files, unlike We-Vibe “Jive.”
The design of Max’s mobile app may threaten a user’s privacy; an image could be forwarded to a third party without the permission of its owner. Deleted or blocked users, meanwhile, could still access a chat’s history and previously shared multimedia files prior to them being blocked or removed from someone’s contacts. Lovense Max also doesn’t go through an authentication process for BLE connections, just like the We-Vibe Jive. Max’s app was noted to use the user’s email address in user IDs as it is displayed in plain text in each chat.
ESET researchers Denise Giusto and Cecilia Pastorino warn that precautions are needed in order to ensure cybersecurity is also considered when designing a sex toy. They also informed users not to use adult toys in public places or areas with people passing through like hotels. They also added that the sex toys should always be connected to their app when in use to prevent the toy from “advertising its presence to potential threat actors.” “Manufacturers must keep cybersecurity top of mind as everyone has a right to use safe and secure technology,” the researchers said.
ESET has sent a detailed report to both sex toy developers along with suggestions on how to fix them. They have also stated that the vulnerabilities of both devices have been addressed at the time of their report’s publication.
Written by John Paul Joaquin