
Smart Sex Toys Come With Bluetooth And Remote Hijacking Weaknesses


Today, researchers have exposed common weaknesses lurking in the latest smart sex toys that can be exploited by attackers.

As more and more adult toy brands enter the market, given that the COVID-19 situation has led to a rapid increase in sex toy sales, researchers believe a discussion around the security of these devices is vital.

In examples provided by the researchers, technologies like Bluetooth and inadequately secured remote APIs make these IoT personal devices vulnerable to attacks that go beyond just compromising user privacy.

Increased connectivity means a greater attack surface

Today, ESET security researchers Denise Giusto Bilić and Cecilia Pastorino have shed light on some weaknesses lurking in smart sex toys, including the newer models.

The main concern highlighted by the researchers is that newer wearables like smart sex toys are equipped with many features such as online conferencing, messaging, internet access, and Bluetooth connectivity.

This increased connectivity also opens doors to these devices being taken over and abused by attackers.

The researchers explain most of these smart devices feature two channels of connectivity.

[Figure: Most of the smart sex toys use Bluetooth for smartphone connectivity, with the smartphone further connecting to an internet server. Source: ESET]


Firstly, the connectivity between a smartphone user and the device itself is established over Bluetooth Low Energy (BLE), with the user running the smart toy’s app.

Secondly, the communication between a remotely located sexual partner and the app controlling the device is established over the internet.

To bridge the gap between one’s distant lover and the sex toy user, smart sex toys, like any other IoT device, use servers with API endpoints handling the requests.

“In some cases, this cloud service also acts as an intermediary between partners using features like chat, videoconferencing and file transfers, or even giving remote control of their devices to a partner,” explained Bilić and Pastorino in a report.

The researchers state, however, that the information processed by sex toys consists of highly sensitive data such as names, sexual orientation, gender, a list of sexual partners, and private photos and videos, among other pieces, which, if leaked, can adversely compromise a user’s privacy.

This is especially true if sextortion scammers get creative after getting their hands on such private information.

From Man-in-the-Middle to intense vibration

More importantly, though, the researchers express concern over these IoT devices being compromised and weaponized by the attackers for malicious actions, or to physically harm the user.

This can, for example, happen if the sex toy gets overheated.

“And finally, what are the consequences of someone being able to take control of a sexual device without consent, while it is being used, and send different commands to the device?”

“Is an attack on a sexual device sexual abuse and could it even lead to a sexual assault charge?” Bilić and Pastorino further stress.

To demonstrate the seriousness of these weaknesses, the researchers conducted proof-of-concept exploits on the Max by Lovense and We-Vibe Jive smart sex toys.

Both of these devices were found to use the least secure “Just Works” method of Bluetooth pairing.

[Figure: Bluetooth scanners can be used to snoop on sex toy devices. Source: ESET]

Using the BtleJuice framework, and two BLE dongles, the researchers were able to demonstrate how a Man-in-the-Middle (MitM) attacker could take control of the devices and capture the packets.

The attacker can then re-broadcast these packets after tampering with them to change settings like vibration mode and intensity, and even inject other commands.

Likewise, the API endpoints used to connect a remote lover (sexual partner) to the user make use of a token which wasn’t awfully hard to brute-force.

“The Lovense app’s list of options for its remote-control features includes the option to generate a URL in the format https://api2.lovense.com/c/, where is a combination of four alphanumeric characters.”

This architecture of the API endpoints makes it possible for users to remotely control the devices by simply entering these URLs into web browsers.

“Surprisingly for such a short token with relatively few possible combinations (1,679,616 possible tokens on an app with over a million downloads), the server does not have any protection against brute-force attacks,” explained the researchers.

Along with these blatant security flaws, the devices also lacked any end-to-end encryption or certificate pinning when obtaining firmware updates.

“This is an extremely serious vulnerability, as it allows an attacker to easily carry out remote hijacking of devices that are expecting connections through active tokens, without the user’s consent or knowledge,” the researchers continued.
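The token-space arithmetic behind that finding, together with two server-side mitigations, as an added example that is not code from ESET's paper or from Lovense. The 36-character alphabet is inferred from the quoted 1,679,616 figure; the count of 1,000 active links, the `LookupThrottle` class and its thresholds are hypothetical.

```python
import math
import secrets

ALPHABET = 36  # inferred: 36**4 == 1,679,616, the figure quoted above


def keyspace(length, alphabet=ALPHABET):
    return alphabet ** length


def entropy_bits(length, alphabet=ALPHABET):
    return length * math.log2(alphabet)


def expected_guesses(length, active_tokens):
    """Mean distinct guesses before hitting any one of the active tokens."""
    # First success when sampling without replacement: (N + 1) / (K + 1).
    return (keyspace(length) + 1) / (active_tokens + 1)


def new_control_token(nbytes=16):
    """Hardened replacement: 128 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(nbytes)


class LookupThrottle:
    """Hypothetical per-client backoff on failed token lookups."""

    def __init__(self, free_failures=5, base_delay=2.0, max_delay=3600.0):
        self.free, self.base, self.cap = free_failures, base_delay, max_delay
        self.failures, self.blocked_until = {}, {}

    def allowed(self, client, now):
        return now >= self.blocked_until.get(client, 0.0)

    def record_failure(self, client, now):
        n = self.failures[client] = self.failures.get(client, 0) + 1
        if n >= self.free:  # delay doubles with every further miss
            delay = min(self.cap, self.base * 2 ** (n - self.free))
            self.blocked_until[client] = now + delay

    def record_success(self, client):
        self.failures.pop(client, None)
        self.blocked_until.pop(client, None)


if __name__ == "__main__":
    print(f"4-char token: {keyspace(4):,} values, {entropy_bits(4):.1f} bits")
    print(f"1,000 active links (assumed): ~{expected_guesses(4, 1000):,.0f} guesses")
    print(f"replacement token: {new_control_token()}")
```

Per-client throttling alone does not stop guesses spread across many clients, which is why the longer token matters as much as the backoff.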

ESET had emailed the device manufacturers WOW Tech Group and Lovense on June 19th, 2020 to report these vulnerabilities.

The WOW Tech We-Connect version 4.4.1 released on August 3rd contained the fixes for the flaws.


The company told ESET:

“Given the intimate nature of our products, the privacy and security of our customers’ data is of utmost importance to WOW Tech Group.
We take reports and findings by external sources about possible vulnerabilities very seriously. That is also why we are in close contact with ESET about the results of their research and are thankful for their work.
We had the opportunity to patch the vulnerabilities before the presentation and the publication of this report and have since updated the We-Connect App to fix the problems that are described in this report.

In detail, we have added a timeout whenever a pin is entered incorrectly to reduce the risk of automized hacking attacks.
We have updated the app to remove multimedia metadata before transmission and delete files at the end of each chat session – no metadata is stored or saved within the app or on our servers. These improvements were already tested by ESET and found to have removed the previous security issues” 

Additionally, all of the vulnerabilities reported by the researchers were fixed by Lovense in version 3.8.6 with the updated app released on Google Play Store.

“Putting the health and safety of our users first, Lovense works tirelessly to improve the cybersecurity of its products and software solutions.
Thanks to productive cooperation with ESET Research Lab, we were able to detect some vulnerabilities which have been successfully eliminated.
Lovense will continue to cooperate with cybersecurity testers to ensure maximum security for all users of Lovense products,” Lovense told ESET.

ESET has released a white paper with detailed research findings. 

Suffice to say, as the market for smart sex toys is growing, so is the possibility of real-world exploitation due to the overt security risks that come with these devices.

Earlier this year, BleepingComputer had reported on the ChastityLock ransomware that locked victims in their smart chastity belts unless a ransom amount was paid.

While we are yet to find a concrete solution to secure smart sex toys, users are advised to assess the privacy risks associated with the adult toys.

At the very least, considering the services used by these devices may reveal sensitive information if compromised, discretion should be used as to how much the users opt to share about themselves online.
