Researchers have found that Vibratissimo sex toys manufactured by a German company are vulnerable to attacks that could expose sensitive user information and allow hackers to take remote control of someone’s sex toy.
Most people using smart sex toys might like to think their activities are private, but security researchers have proven once again that this might not be the case, especially as adult toys like vibrators sprout wireless connections and companion mobile applications.
Researchers discovered “multiple critical vulnerabilities” in popular Internet-connected dildos called Vibratissimo and their related cloud platform, creating severe privacy and data-protection concerns for users of the product line as well as potentially giving strangers remote access to the sex toy, according to a report from the firm SEC Consult.
The research, the basis for a master’s thesis by University of Applied Sciences St. Polten student Werner Schober in cooperation with SEC Consult, isn’t the first example of a smart sex toy being infiltrated. However, it is a good example of the insecurity of Internet of Things (IoT) devices, which are often pushed to market without proper security protections and then become interconnected through mobile and Web protocols.
Hackers can take ‘quick control’
German company Amor Gummiwaren GmbH manufactures and distributes the Vibratissimo smart sex toys, which have a common feature of contemporary vibrators that allows someone’s partner to take remote control of the device by request.
It’s this “quick control” feature of a product called the Vibratissimo Panty Buster that can easily be exploited for a variety of security and privacy breaches, researchers said. A user with a unique e-mail address or telephone number can use the quick control feature to send a link by text or e-mail to hand the reins of the vibrator over to a partner.
“This wouldn’t be a problem in general if the link containing the unique ID would be random and long enough,” according to a blog post by the firm. “Furthermore, it would be quite useful if the receiving user must confirm the remote control before being controlled by the other user.”
Unfortunately, this is not the case. Instead, the quick control IDs are generated by a global counter that gets incremented by one every time a new link is created. “An attacker can guess this ID easily and therefore control the victim’s sex toy directly over the Internet,” according to the post.
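The two designs the post contrasts, as an added Python example written for this article (not the vendor’s or SEC Consult’s code): the counter-based link ID beside a long random token whose control grant also requires the device owner’s confirmation. The service class, its method names and the in-memory stores are assumptions made for the illustration.

```python
import itertools
import secrets

# Weak scheme the report describes: one global counter, +1 for every new link.
# Constructed illustration of the design flaw, not the vendor's code.
_global_counter = itertools.count(1)

def weak_quick_control_id() -> str:
    """Sequential ID: the next valid link is always the previous one plus one."""
    return str(next(_global_counter))

# Hardened scheme: an unguessable token plus explicit consent from the device owner.
TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG, versus a counter's step of one

class QuickControlService:
    """Hypothetical in-memory service; a real one would persist and expire tokens."""

    def __init__(self) -> None:
        self._links = {}    # token -> owner who generated the link
        self._claimed = {}  # token -> partner who opened it, awaiting owner's approval
        self._active = {}   # token -> partner allowed to send commands

    def create_link(self, owner: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)  # 43 URL-safe characters
        self._links[token] = owner
        return token

    def partner_opens(self, token: str, partner: str) -> bool:
        """Opening the link only registers a request; it grants nothing yet."""
        if token not in self._links or token in self._claimed:
            return False
        self._claimed[token] = partner
        return True

    def owner_confirms(self, token: str, owner: str) -> bool:
        """Only the owner who created the link can approve the waiting partner."""
        if self._links.get(token) != owner or token not in self._claimed:
            return False
        self._active[token] = self._claimed.pop(token)
        return True

    def send_command(self, token: str, partner: str) -> bool:
        """Commands are accepted only from the confirmed partner holding a live token."""
        return self._active.get(token) == partner

    def revoke(self, token: str) -> None:
        """Owner withdraws consent; the token becomes useless at every stage."""
        for store in (self._links, self._claimed, self._active):
            store.pop(token, None)
```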
Even more unnerving (or titillating, if you’re into that sort of thing) is that a remote attacker could game the feature and use the vibrator on someone without their consent or awareness. This is possible if an attacker is within Bluetooth range of the victim or even over the Internet, researchers found.
On the privacy front, the vulnerabilities also allow for enumeration of explicit images of sex toy users through the exploitation of predictable numbers and missing authorization checks, researchers added.
Not only can hackers directly access the device, but its related cloud platform also has vulnerabilities that can render a database containing all the customer data basically readable for everyone on the Internet, researchers found.
Would-be hackers can easily access and download without a password a database that stores Vibratissimo app usernames, plaintext passwords, chat histories, sexual orientation, e-mail addresses, and people’s personal explicit image galleries, researchers said. The real names and home addresses of users also are accessible.
While it’s unknown exactly how many users are at risk due to the vulnerabilities, between 50,000 and 100,000 people use the toy’s Android mobile app, according to the Google Play store.
To protect Vibratissimo users from unwanted remote access or other security breaches, SEC Consult recommends they update their apps to the newest version available and immediately change their passwords. Moreover, if passwords have been used for multiple services, they should just change them all, researchers advised.
Users also can update firmware for their dildos, but this means sending the toys back to Amor Gummiwaren GmbH for refurbishment, the company said.