Vulnerabilities in smart sex toys could leave users at risk of data breaches and attacks, both cyber and physical, according to a new white paper from global cybersecurity experts at ESET. The Sex in the Digital Era – How secure are smart sex toys? report explores the potential security and safety flaws of connected sex toys and includes an in-depth analysis of two popular devices. Amidst ongoing social restrictions due to the pandemic, sales of sex toys has risen rapidly, and associated cybersecurity concerns mustn’t be overlooked.
As newer, technologically advanced models of sex toys enter the marketplace, incorporating mobile apps, messaging, video chat, and web-based interconnectivity, devices become more appealing and exploitable to cybercriminals. The consequences of data breaches in this sphere can be particularly disastrous when the information leaked concerns sexual orientation, sexual behaviors, and intimate photos.
ESET researchers found vulnerabilities in the apps controlling both of the smart sex toys investigated. These vulnerabilities could allow for malware to be installed on the connected phone, firmware to be changed in the toys, or even a device being deliberately modified to cause physical harm to the user.
Some of the vulnerabilities discovered:
- Prone to usage in insecure environments by being discoverable by Bluetooth devices.
- The use of not particularly secure BLE pairing methods.
- An unpaired sex toy could potentially bond automatically with any mobile phone, tablet, or computer that requests it to do so, without carrying out verification or authentication.
- Sending of one’s geo-location
- Sharing one’s email address in chats
There are precautions that need to be taken to ensure that smart sex toys are designed with cybersecurity in mind, especially due to the severity of potential dangers.
To address these dangers and investigate how secure smart toys are, ESET researchers analyzed two of the best-selling adult toys on the market: the We-Vibe ‘Jive’ and Lovense ‘Max’. Analysts downloaded the vendor apps available on the Google Play Store for controlling the devices (We-Connect and Lovense Remote) and used vulnerability analysis frameworks as well as direct analysis techniques to identify flaws in their implementations.
We-Vibe
Every time users send a photo to a remote phone, they may also be sending information about their devices and their exact geolocation.
As a wearable device, the We-Vibe Jive is prone to usage in insecure environments. The device was found to continually announce its presence in order to facilitate a connection – meaning that anyone with a Bluetooth scanner could find the device in their vicinity, up to eight meters away. Potential attackers could then identify the device and use signal strength to guide them to the wearer. The manufacturer’s official app would not be required to gain control, as most browsers offer features to facilitate this.
The Jive utilizes the least secure of the BLE pairing methods, whereby the temporary key code used by the devices during pairing is set to zero, and as such, any device can connect using zero as the key. The Vibe is highly vulnerable to man-in-the-middle (MitM) attacks, as an unpaired Jive could bond automatically with any mobile phone, tablet, or computer that requests it to do so, without carrying out verification or authentication.
Although multimedia files shared between users during chat sessions are saved in the app’s private storage folders, the files’ metadata remains on the shared file. This means that every time users send a photo to a remote phone, they may also be sending information about their devices and their exact geolocation.
Lovense
an attacker could take control of both devices by compromising just one of them.
Max has the ability to synchronize with a remote counterpart, which means an attacker could take control of both devices by compromising just one of them. However, multimedia files do not include metadata when received from the remote device, and the app offers the option to configure a four-digit unlock code via a grid of buttons, making brute-force attacks more difficult.
Some elements of the app’s design may threaten user privacy, such as the option to forward images to third parties without the knowledge of the owner and deleted or blocked users continue to have access to the chat history and all previously shared multimedia files. Lovense Max does not use authentication for BLE connections either, so a MitM attack can be used to intercept the connection and send commands to control the device’s motors. Additionally, the app’s use of email addresses in user IDs presents some privacy concerns, with addresses shared in plain text among all the phones involved in each chat.
ESET researchers Denise Giusto and Cecilia Pastorino warn: “There are precautions that need to be taken to ensure that smart sex toys are designed with cybersecurity in mind, especially due to the severity of potential dangers. Although security seems not to be a priority for most adult devices at the moment, there are steps individuals can take to protect themselves, such as avoiding using devices in public places or areas with people passing through, such as hotels. Users should keep any smart toy connected to its mobile app while in use, as this will prevent the toy from advertising its presence to potential threat actors. As the sex toy market advances, manufacturers must keep cybersecurity top of mind, as everyone has a right to use safe and secure technology.”
Both developers were sent a detailed report of the vulnerabilities and suggestions of how to fix them, and, at the time of publication, all vulnerabilities have been addressed. To read more about ESET’s full analysis of the security of these smart sex toys, Sex in the Digital Era can be read here.
Editor in Chief of Ikon London Magazine, journalist, film producer and founder of The DAFTA Film Awards (The DAFTAs).