October 6, 2020
A security flaw in an internet-enabled male chastity device allows hackers to remotely control the gadget and permanently lock in wearers, researchers disclosed today.
The Cellmate Chastity Cage, built by Chinese firm Qiui, lets users hand over access to their genitals to a partner who can lock and unlock the cage remotely using an app. But multiple flaws in the app’s design mean “anyone could remotely lock all devices and prevent users from releasing themselves,” according to UK security firm Pen Test Partners.
Even worse, as the chastity cage does not come with a manual override or physical key, locked-in users have few options to break out. One is to cut through the cage’s hardened steel shackle, an operation that would require bolt cutters or an angle grinder, and that is made trickier by the fact that the shackle in question is fastened tightly around the wearer’s testicles. The other, discovered by Pen Test Partners, is to overload the circuit board that controls the lock’s motor with three volts of electricity (around two AA batteries’ worth).
News of the security flaw was first reported by TechCrunch, and it suggests it’s worth doing your research before purchasing “smart” gadgets with more intimate use cases.
“It isn’t tremendously unusual to find an issue like this in many IoT fields, and teledildonics is no real exception,” security researcher Alex Lomas of Pen Test Partners told The Verge via direct message. “Both ourselves and other researchers have found similar issues over the years with different sex toy manufacturers. I do personally feel that the most intimate devices should be held to a higher standard however than maybe your lightbulbs.”
Past security flaws discovered in internet-enabled sex toys have let hackers potentially hijack live-streaming footage from a dildo and take control of Bluetooth-enabled butt plugs.
In the case of the Cellmate Chastity Cage, the device’s manufacturers seem to have been unusually uncommunicative in responding to the flaw. Researchers at Pen Test Partners say they first disclosed the issue to Qiui in April and received a quick response, but the company didn’t fully solve the vulnerability and has since stopped responding to emails. We’ve contacted Qiui to find out more and will update this story if we hear back.
The flaws stem from an API used to communicate between the chastity cage and its mobile app. This allowed hackers not only to remotely control the device but also to gain access to information, including location data and passwords. Qiui updated the chastity cage’s app in June to fix the flaw, but users who have not updated their app are still vulnerable.
As Lomas explains to The Verge, Qiui is in a bit of a bind. If it disables the old API completely, it will fix the security flaw but risk locking in users who haven’t updated the app. But if it leaves the original API functional, older versions of the app will continue to work with the security flaw intact. Pen Test Partners says that after talking with Qiui for months, it and other independent researchers who discovered the same issues have decided to go public to encourage a more complete fix. The security firm says its write-up of the flaw also obscures its exact nature to discourage hackers looking to take advantage of the problem.
As noted by TechCrunch, though, it seems this particular flaw is the least of the Cellmate’s problems. Reviews of the device’s mobile apps on Apple’s App Store and Google’s Play Store include many complaints from disappointed customers who say the app often stops working at random.
“The app stopped working completely after three days and I am stuck!” writes one user. “This is DANGEROUS software, do not lock yourself in!” Another one-star review reads: “App stopped opening after an update. This is terrifying given the amount of trust placed in it, and there’s no explanation on the website.” And a third complains: “My partner is locked up! This is ridiculous as still no idea if being fixed as no new replies from emailing. So dangerous! And scary! Given what the app controls it needs to be reliable.”
So what can people do to avoid this sort of security flaw when purchasing internet-enabled sex toys? Lomas says, unfortunately, there’s no guarantee when buying these products. “It’s very difficult, just by looking at a product or app, to tell whether it’s storing your data safely, or if they’re capturing verbose usage information and such,” he says. But a good start is to simply do your research before you buy.
“Hopefully some countries and states will start to introduce standards for IoT products in the future, but in the meantime have a search for ‘product name + vulnerability,’” says Lomas, “or take a look for pages that talk about security on the vendor’s website (and not just the old trope of ‘military grade encryption’!)”