Male Chastity Device Comes with Massive Security Flaws


Smart sex toy vulnerable to hacks, researchers say — which could expose users’ most sensitive bits (of data) to cybercriminals.

Researchers at Pen Test Partners recently uncovered concerning security issues with a connected male chastity device and are calling on the entire connected sex toy industry — known as “teledildonics” — to make security a priority.

The Qiui Cellmate chastity cage has a Bluetooth lock that could easily be hacked by almost anyone, researchers said — leaving the wearer stuck in the device.

“There is no physical unlock,” according to a Pen Test Partners report, issued Tuesday, in concert with a group named the “Internet of Dongs.” “The tube is locked onto a ring worn around the base of the genitals, making things inaccessible. An angle grinder or other suitable heavy tool would be required to cut the wearer free.”


Besides the nightmare scenario of having to call the paramedics for help with a stuck chastity cage, researchers have significant concerns about the device’s data privacy as well. The report said that the API endpoints were accessible with either a “memberCode” generated at the time of purchase or a six-digit “friend” code, which unlocks a staggering amount of information about the customer, including their name, phone number, birthday and exact location. Both codes are deterministic and guessable, researchers said — so attackers could potentially automate queries to retrieve large amounts of information.

“It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database for the device and use it for blackmail or phishing,” the report warned.

The researchers redacted many of the technical details on the vulnerabilities, but noted that it’s possible to lock or unlock the devices en masse both remotely and over Bluetooth Low Energy connections.

This and similar ongoing work by the Internet of Dongs is meant to pressure the teledildonics industry, which has notoriously treated security as an afterthought, by holding companies accountable for security flaws, Pen Test Partners researcher Alex Lomas told Threatpost. Romance, he added, is increasingly becoming a digital affair.

From dating apps to connected sex toys, consumers are exposing their most sensitive bits to the internet and security must keep up; the ongoing pandemic has only accelerated this trend in remote intimacy, Lomas pointed out.

“We’re not here to kink-shame, and using toys with remote partners is a perfectly valid thing to do, especially in the age of a pandemic!” Lomas told Threatpost. “The Internet of Dongs project can give people a good steer on how to embark and disclose in this space.”

IoT Security: Not Just Sex Toys

And while a vulnerable sex toy might seem like a niche concern, it is just the most recent example of how perilous it can be when attackers gain access to internet-connected devices of any kind. Last March, researchers at Palo Alto Networks’ Unit 42 warned that more than half of internet of things (IoT) devices are vulnerable to attack, adding that enterprises are sitting on a “ticking time bomb.”

Researchers like those at Pen Test Partners are pushing for some type of global regulation of IoT devices, and while they’re seeing some traction in the U.K., a worldwide effort seems far off, Lomas said.

“I think the main takeaway from my perspective is that there is a class of IoT devices including Teledildonics — and dating apps — that should really be held to more stringent standards than say an IoT lightbulb,” Lomas told Threatpost. “It’s promising that some countries and states are embarking on regulation, but in the meantime it’s very difficult for consumers to know how a product they’re buying or using will store their most intimate of data.”

As for the Qiui Cellmate chastity cage, researchers said the company was initially responsive to their vulnerability reports, but eventually missed three of its own remediation deadlines and refused to engage further.

Threatpost has reached out to Qiui Cellmate for comment.
