The internet of things is famously insecure - but people keep connecting all kinds of random things to the web anyway. Including (essentially) their private parts—and that’s a state of affairs that can lead to some bad vibes, man. Literally.
Security researcher and founder of Pen Test Partners Ken Munro, in a recent session at SteelCon appropriately called “Dicking Around,” showed just how easy it is to hack a sex toy’s camera, intercepting and viewing a feed from the device and, with a bit more effort, taking control of it directly through the firmware.
“Firmware?” That’s what she said! Ho! High five? Anyone? No?
Ahem. To continue: “The IoT brings the opportunity to attach any old nonsense to the internet,” Munro explained. “The sex toy industry is no exception. App enabled dildos, dildo APIs, cameras embedded in IoT dildos and sex dolls are all out there, so we thought we’d poke around.” Pun intended, natch.
He demonstrated that it’s a trivial process to essentially war-drive your way around a neighborhood, hacking into connected dildos and hijacking their camera feeds over wifi.
Talk about your 'penetration testing', ha ha. Sorry, I can't help myself, low-hanging fruit and all that. ANYWAY.
The device in question is the $249 Svakom Siime Eye dildo, which as its name suggests, has a small camera on the tip, allowing users to stream a video to their partners (or to a website, if you’re into that kind of thing). Findings show that anyone within wifi range of the dildo can plug in the easily brute-forced default password (which is "88888888) to watch the video stream, unbeknownst to the user.
Further, by using the mobile app that goes with the dildo, it’s possible to access its web server and gain access to the camera pretty much any time, from internet connection. It’s a voyeur’s paradise.
But aside from the cringe factor, the real issue here is physical proximity. This 'screwdriving', as it’s called, means that the hacker can trace the user’s wifi AP, roll right on up to the front of the user’s house and commence a really concerning stalking initiative if they want to.
This isn’t the only vulnerable sex toy device out there, of course. One of Munro’s colleagues, Alex Lomas, recently wandered the streets of Berlin taking control of Lovense Hush buttplugs. They use the short-range Bluetooth Low Energy (BLE) protocol to enable communications between a mobile app and the personal device, which is easily intercepted. The communications aren’t encrypted, plus the devices accept pairing requests without a PIN code—meaning that anyone can take control of them.
Further, every Hush has the same BLE device beacon— LVS-Z001—so it’s easy to spot them while scanning.
“The only protection you have is that BLE devices will generally only pair with one device at a time, but range is limited and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication,” said Lomas. And once connected, the user can do nothing about it.
The ramifications of this are myriad. During his perambulations, he discovered one Hush plug “ready and waiting for anyone to connect to it, on a public street.” He added, “Now one could drive the Hush’s motor to full speed, and as long as the attacker remains connected over BLE and not the victim, there is no way they can stop the vibrations.”
Some people may be into that sort of thing, but as Lomas pointed out, “Having an adult toy unexpectedly start vibrating could cause a great deal of embarrassment.”
Or worse.
Moral of the story? Change the default passwords. Turn off Bluetooth when you’re not using the device.
“Adult toys appeal to a huge spectrum of people and their ubiquity allows people to enjoy a sex-positive life, however we think that these same people should be able to use them without fear of compromise or injury,” Lomas said. “Talking about these issues will hopefully lead the industry to improve the security of its toys.”