Hacking in Bed: How Digital Sex Toys are Targeted by Hackers

It is no secret that network-connected Internet of Things devices are frequent targets of cyberattacks. Digital sex toys are no exception: the threat of data leakage through pleasure devices is one of this year's cybersecurity trends. This article looks at why the problem is urgent and what threat the hacking of intimate gadgets poses.

The world of cybercrime has re-evaluated the value of intimate private information on the black market. The authors of a report by the international antivirus company ESET have included the threat of personal data leakage through digital pleasure devices among the cybersecurity trends of 2021.

The pandemic has spurred the digital sex toy industry: the gadgets themselves are getting cheaper, as smartphones did in their time, and the number of users of such devices is growing. Cybercriminals have responded, taking an interest in the increased volume of information about users who have something to hide.

ESET experts Cecilia Pastorino and Denise Welch conducted an analysis of threats to users of sex gadgets, and their conclusion is disappointing: the sex entertainment industry is not taking serious measures to protect its customers' personal data.

A target for burglars

Most of the devices for intimacy can be controlled via Bluetooth Low Energy (BLE) from the application installed on the smartphone. Thus, sex toys act as sensors that only collect data and send it to the application for processing. The app is then responsible for configuring any settings on the device and managing the user authentication process. To do this, it connects via Wi-Fi to a server in the cloud where the person's account information is stored.

This architecture has several weaknesses that can be exploited to compromise data security: interception of communication between the control application and the device, between the application and the cloud, or between a remote phone and the cloud, as well as attacks directly on the server side.

This year, ESET's Latin America research team unveiled a new paper on unsafe smart sex toys at DEF CON IoT Village. The investigation was based on two gadgets: the Jive wearable device made by We-Vibe and the Max male masturbator from Lovense. It was revealed that both devices have vulnerabilities in the implementation of BLE communication, which allow attackers to intercept the data sent and remotely control the devices using BLE MitM (man-in-the-middle) attacks.

This means that anyone can use a simple Bluetooth scanner to find and control these smart sex toys in their immediate vicinity.

This vulnerability is very common in IoT devices, as most of the models available on the market do not implement secure pairing that prevents anyone from connecting and controlling them. As for the Lovense Remote app, a group of researchers found threats to the safety of confidential intimate images sent by users.

There was no end-to-end encryption in the app, screenshots weren't disabled, and the “delete” option in chat didn't actually erase messages from the remote phone.

In addition, attackers can find out the email addresses associated with any username, and vice versa.
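The missing secure pairing described above shows up in a firmware review as attributes that accept reads or writes on an unpaired or unauthenticated link. The following is an added example, not code from ESET's research or from either vendor: it checks a device's attribute table against a minimum BLE security level. The characteristic names, the sample table and the simplified permission model (one required level per direction) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class SecLevel(IntEnum):
    """LE security mode 1 levels (Bluetooth Core Specification)."""
    NONE = 1        # no pairing, link unencrypted
    UNAUTH_ENC = 2  # encrypted after unauthenticated ("Just Works") pairing
    AUTH_ENC = 3    # encrypted after authenticated pairing (MitM protection)
    AUTH_LESC = 4   # authenticated LE Secure Connections pairing


@dataclass(frozen=True)
class Characteristic:
    name: str               # hypothetical label, not a real product's attribute
    properties: frozenset   # e.g. {"read", "write", "notify"}
    read_level: SecLevel    # level demanded before data leaves the device
    write_level: SecLevel   # level demanded before a write is accepted


WRITE_PROPS = frozenset({"write", "write_no_rsp"})
READ_PROPS = frozenset({"read", "notify", "indicate"})

# Constructed sample table for an imaginary device.
SAMPLE_TABLE = [
    Characteristic("motor_control", frozenset({"write_no_rsp"}), SecLevel.NONE, SecLevel.NONE),
    Characteristic("usage_sensor", frozenset({"notify"}), SecLevel.NONE, SecLevel.NONE),
    Characteristic("battery_level", frozenset({"read"}), SecLevel.UNAUTH_ENC, SecLevel.UNAUTH_ENC),
    Characteristic("firmware_update", frozenset({"write"}), SecLevel.AUTH_LESC, SecLevel.AUTH_LESC),
]


def audit(table, minimum=SecLevel.AUTH_ENC):
    """Return (name, direction, level) for every access path below `minimum`."""
    findings = []
    for ch in table:
        if ch.properties & WRITE_PROPS and ch.write_level < minimum:
            findings.append((ch.name, "write", ch.write_level.name))
        if ch.properties & READ_PROPS and ch.read_level < minimum:
            findings.append((ch.name, "read", ch.read_level.name))
    return findings


if __name__ == "__main__":
    for name, direction, level in audit(SAMPLE_TABLE):
        print(f"{name}: {direction} allowed at {level}, needs AUTH_ENC or higher")
```

The default minimum is level 3 because unauthenticated ("Just Works") pairing encrypts the link but does not protect against a man-in-the-middle during pairing.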

As 5G networks roll out, the number of smart gadgets, including sex toys, will increase dramatically, greatly increasing the network's vulnerability to large-scale, multi-vector cyberattacks, said Oded Vanunu, head of vulnerability research at Check Point Software Technologies.

“Hackers can use backdoors to gain access to a user's personal data, including images, chat history, sexual preferences, passwords, and so on. Also, a sex toy can be hacked via Bluetooth, a home Wi-Fi network, or a server connected to it. In addition, the device-related cloud platform also has vulnerabilities that can reveal the personal information of users. The most vulnerable are toys that support the ability to make video calls - by hacking a computer or smartphone, a cybercriminal will be able to steal video recordings,” explains Vanunu.

The expert believes that sex toys are dangerous not only because they can put the most intimate information in the wrong hands, but also because through them an attacker can gain access to other devices and to the entire network.

Since most modern sex gadgets have sophisticated technological features such as Wi-Fi connectivity, webcam, or even AI-powered biofeedback support, they should be taken seriously from a cybersecurity perspective.

“‘Smart’ toys for adults collect the most confidential data about us, so the manufacturer's task is to provide reliable protection of devices from hacking,” the expert said.

Ethics issue

It's no secret that the information processed by smart sex toys is extremely private: names, sexual preferences and orientations, a list of partners, information about using the gadget, intimate photos and videos - all this data can lead to disastrous consequences if it falls into the wrong hands.

“In addition, many countries have laws that explicitly prohibit citizens from engaging in certain sexual practices,” says ESET cyber researcher Cecilia Pastorino. “What happens if the local authorities launch a repressive campaign based on the forcible seizure of data from the companies that process it? Unofficial government orders for hacker groups to search for or use errors and weaknesses in sex devices are also possible, in order to identify and prosecute representatives of sexual minorities or those whose sexual views contradict the dogma that has been established in society.”

Sex toys are also not immune to being hacked through cyberattacks.

The most common method is to attack an application that controls certain functions of sex gadgets, including VR systems. Having found a vulnerability in the application, an attacker can go further and take over or block control of the very smartphone on which the application is installed.

An equally unpleasant and dangerous scenario is intrusion directly into the settings of the intimate digital toy itself.

“Violation of the operation of an electronic device can cause physical harm to the user, due to overheating, explosion, unexpected changes in the speed and power of work. This problem raises a new question for society - the problem of virtual sexual violence. What are the consequences of someone being able to control a sexual device without consent? Can this be called an act of sexual violence?

Cybercrime takes on a different dimension when we look at it in terms of invasion of privacy, abuse of power, and lack of consent to sexual intercourse.

Consent obtained through fraud is not consent at all, and this legislative gap will need to be addressed globally to ensure the sexual, physical, and psychological safety of digital service users,” says Pastorino.
