The digitalization of our everyday objects, which is supposed to be synonymous with progress and comfort, does not necessarily mean security. Our connected dildos are a case in point. As these adult toys become more popular, reports of security flaws are multiplying. A few months ago, a connected, radio-controlled sex toy from Lovense, the Hush, was in the news because of its insecure Bluetooth, which allowed anyone in the vicinity to operate the device remotely. Recently, a study by the Austrian security firm SEC Consult identified numerous vulnerabilities in an unusual sex toy, the Vibratissimo Panty Buster. This vibrator, which is worn in the panties and can be remotely controlled from mobile applications (we let you imagine the rest), contains many vulnerabilities, and so does the company’s website. Indeed, the vibratissimo.com site is vulnerable because it leaves its database interface (MySQL) open to anyone, so an attacker can access sensitive information about users.
Private files left in public directories
The most serious problem (which fortunately was addressed immediately by the owner of Vibratissimo, Amor Gummiwaren) allowed anyone to obtain the database of all customer information simply by using a username and password found in a file exposed on the Vibratissimo.com site. It was also possible for the researchers to enter passwords for the accounts of connected sex toy owners. The file, containing the logins and passwords of about 50,000 users, was unencrypted, and an attacker could access a user's profile and download the confidential data and photos that the users themselves had uploaded. From there, an attacker could reach sensitive data, including explicit images, sexual orientation and home addresses, according to a post on the SEC Consult blog.
Remote vibration without consent
This first security flaw was corrected by the company, but SEC Consult researchers identified a technique by which a hacker could remotely activate the vibrator. The Panty Buster application allows the owner to share a unique link with a contact of their choice, letting that person take control of the toy's vibrations. Specifically, the Vibratissimo mobile application offers a feature called “Quick Control”, which lets customers send a link with a unique identifier to a friend by email or SMS so that the friend can control the connected sex toy remotely. Unfortunately, the links are not random: the identifier comes from a global counter that is incremented each time a new “Quick Control” link is created. Nor is the sex toy's owner required to confirm the remote access beforehand. As a result, SEC Consult's researchers found that these links are easy to guess and can be discovered by attackers.
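To make the two design mistakes concrete, here is an added example (not Vibratissimo's code; the class and method names are assumptions) that places a counter-based link generator of the kind described above next to a hardened version that issues unguessable random tokens and grants control only after the toy's owner confirms the request:

```python
import itertools
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Weak scheme as described in the article: a global counter makes every
# link predictable from the previous one, and no owner confirmation is needed.
_counter = itertools.count(1)

def weak_quick_control_link(base: str = "https://example.invalid/qc/") -> str:
    return f"{base}{next(_counter)}"   # constructed placeholder URL

@dataclass
class Share:
    owner: str                      # user who created the link
    guest: Optional[str] = None     # user who opened the link, if any
    confirmed: bool = False         # owner approved this guest

class QuickControl:
    """Hardened sharing: random token + explicit owner approval + single use."""

    def __init__(self) -> None:
        self._shares: Dict[str, Share] = {}

    def create_link(self, owner: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, not enumerable
        self._shares[token] = Share(owner=owner)
        return token

    def redeem(self, token: str, guest: str) -> bool:
        """Guest opens the link; binds it to that guest but grants nothing yet."""
        share = self._shares.get(token)
        if share is None or share.guest is not None:   # unknown or already used
            return False
        share.guest = guest
        return True

    def confirm(self, token: str, owner: str) -> bool:
        """Only the owner who created the link may approve the pending guest."""
        share = self._shares.get(token)
        if share is None or share.owner != owner or share.guest is None:
            return False
        share.confirmed = True
        return True

    def may_control(self, token: str, user: str) -> bool:
        share = self._shares.get(token)
        return share is not None and share.confirmed and share.guest == user
```

A real deployment would also expire tokens and let the owner revoke a confirmed share.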
While Bluetooth Low Energy (BLE) can add comfort and spice to the handling of a sex toy, it often comes at the expense of privacy. SEC Consult’s researchers identified a security flaw in the Bluetooth link between the vibrator and the smartphone running the application. This second flaw allows an attacker who is close enough to the victim to activate the device remotely. Vibratissimo has fixed it, but to benefit from the fix users must send the device back to the company, since it is an update of the vibrator’s firmware that can only be performed at the factory.
Although the owners of Vibratissimo have not yet fully resolved the problem, SEC Consult believes that updates are coming. Johannes Greil, who heads the SEC Consult Vulnerability Lab, told Forbes magazine: “The first safety tests revealed some rather critical problems, but the seller said he would solve these other problems in the very near future. As always, we recommend further safety tests to increase the safety level of these products.” Given the popularity of the Vibratissimo applications, users would be wise to install updates as soon as they are available. According to Google Play figures, between 50,000 and 100,000 people have downloaded the corresponding Android app.
If manufacturers of connected sex toys keep adding ever more improbable features (alarms, notifications, flash registrations) without worrying about the security consequences, the problem could become really serious. Vibrators with sloppy code and hasty encryption are flooding the market, and bedrooms around the world could suffer the consequences. It would be a shame if an uninterrupted evening of fun suddenly turned into a PayPal account hack.
CERTs rate these vulnerabilities with the following CVSS score, based on the following criteria:
Attack vector: exploitable remotely
Access complexity: low
Authentication: not required
CERTs give it a CVSS score of 7.8