Vulnerabilities in smart sex toys could leave users at risk of data breaches and attacks, both cyber and physical, a report by cyber security firm ESET found.
In a study entitled “Sex in the Digital Era - How secure are smart sex toys?”, ESET said new technologically advanced models of sex toys are entering the marketplace, incorporating mobile apps, messaging, video chat, and web-based interconnectivity, features which make them appealing to cybercriminals.
“As IoT devices continue to seep into our homes and offer an increasingly wide range of features, new concerns are beginning to arise about the security of the data processed by these devices,” said ESET.
“Though they have been subject to countless security breaches leading to the exposure of people’s login details, financial information, and geographical location, among others, there are few kinds of data with more potential to harm users.”
The consequences of data breaches can be particularly disastrous when the information leaked concerns sexual orientation, sexual behaviours, and intimate photos.
ESET explained that there are already precedents, and they help us to get a sense of the scale of the possible consequences. The attack on the Ashley Madison dating site is perhaps the first example that comes to mind. After the names of more than 30 million users of the platform for “cheats” were published, countless reports of divorces, suicides and scams based on the leaked data appeared in the media.
ESET researchers found vulnerabilities in the apps controlling both of the smart sex toys investigated. These vulnerabilities could allow malware to be installed on the connected phone, firmware to be changed in the toys, or even a device to be deliberately modified to cause physical harm to the user.
Analysts downloaded the vendor apps available on the Google Play Store for controlling the devices and used vulnerability analysis frameworks as well as direct analysis techniques to identify flaws in their implementations.
As a wearable device, the We-Vibe Jive is prone to usage in insecure environments. The device was found to continually announce its presence in order to facilitate a connection – meaning that anyone with a Bluetooth scanner could find the device in their vicinity, up to eight meters away.
Potential attackers could then identify the device and use signal strength to guide them to the wearer. The manufacturer’s official app would not be required to gain control, as most browsers offer features to facilitate this.
The Vibe is highly vulnerable to man-in-the-middle (MitM) attacks, as an unpaired Jive could bond automatically with any mobile phone, tablet, or computer that requests it to do so, without carrying out verification or authentication.
Although multimedia files shared between users during chat sessions are saved in the app’s private storage folders, the files’ metadata remains on the shared file. This means that every time users send a photo to a remote phone, they may also be sending information about their devices and their exact geolocation.
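The metadata issue described above is usually closed by stripping metadata segments from a photo before it leaves the phone. The sketch below is an added example, not code from ESET or either vendor: it walks a JPEG's segment stream and drops the APP1 (Exif/XMP), APP13 (IPTC) and comment segments. The function names and the sample bytes are constructed for illustration.

```python
# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01} | set(range(0xD0, 0xDA))
# Segments that can identify the sender: APP1 (Exif/XMP, including GPS tags),
# APP13 (IPTC/Photoshop) and COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return the JPEG without metadata segments; image data is untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if marker == 0xDA:            # start of scan: copy the rest verbatim
            out += data[pos:]
            return bytes(out)
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("corrupt or truncated segment")
        if marker not in METADATA_MARKERS:
            out += data[pos:end]      # keep JFIF header, tables, frame header
        pos = end
    raise ValueError("no start-of-scan marker found")

def make_segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (helper for the sample below)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: a structurally valid segment stream, not a real photo.
SAMPLE = (
    b"\xff\xd8"
    + make_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + make_segment(0xE1, b"Exif\x00\x00<constructed GPS + device model tags>")
    + make_segment(0xFE, b"constructed comment")
    + make_segment(0xDB, b"\x00" * 65)
    + make_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9"
)
```
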
The Lovense Max has the ability to synchronise with a remote counterpart, which means an attacker could take control of both devices by compromising just one of them. However, multimedia files do not include metadata when received from the remote device, and the app offers the option to configure a four-digit unlock code via a grid of buttons, making brute-force attacks more difficult.
Some elements of the app’s design may threaten user privacy, such as the option to forward images to third parties without the knowledge of the owner, and the fact that deleted or blocked users continue to have access to the chat history and all previously shared multimedia files.
Lovense Max does not use authentication for BLE connections either, so a MitM attack can be used to intercept the connection and send commands to control the device’s motors. Additionally, the app’s use of email addresses in user IDs presents some privacy concerns, with addresses shared in plain text among all the phones involved in each chat.
ESET researchers Denise Giusto and Cecilia Pastorino warned: “There are precautions that need to be taken to ensure that smart sex toys are designed with cybersecurity in mind, especially due to the severity of potential dangers. Although security seems not to be a priority for most adult devices at the moment, there are steps individuals can take to protect themselves, such as avoiding using devices in public places or areas with people passing through, such as hotels.
“Users should keep any smart toy connected to its mobile app while in use, as this will prevent the toy from advertising its presence to potential threat actors. As the sex toy market advances, manufacturers must keep cyber security top of mind, as everyone has a right to use safe and secure technology.”
According to ESET, both developers were sent a detailed report of the vulnerabilities and suggestions of how to fix them, and, at the time of publication, all vulnerabilities have been addressed.