Valentine’s Day is just around the corner. Some might be considering the purchase of a special kind of pleasure-giving device for their partner as a gift. But they might want to rethink those plans: the quality of cybersecurity in newfangled, connected sex toys has been unsurprisingly shocking in recent years. And it doesn’t look to be getting much better, if research released by Austrian company SEC Consult on Thursday is anything to go by.
Probing Vibratissimo’s ’Panty Buster’ sex toy for women, the researchers found the device and associated websites had multiple vulnerabilities. By far the most severe issue (and one that was thankfully immediately addressed by Vibratissimo’s owner, Amor Gummiwaren) allowed anyone to obtain a database of all customer information by simply grabbing a username and password from an open file on the vibratissimo.com website. And it was possible to grab passwords for the sex toy owner accounts, as they were left open in plain text. From there, a hacker could look at sensitive data, including explicit images, sexual orientation and home addresses, according an SEC blog post.
Remote vibrations without consent
There was more. Remote control of the toy without consent was possible thanks to a flawed feature, SEC explained. When Vibratissimo users want to allow someone far away to control the Panty Buster, they have the app create a link, which is then sent to the partner. But those links are easy to guess and the toy owner isn’t asked to confirm they want another person to take over. “The attacker could simply guess this predictable ID in order to control the victim directly,” SEC noted.
To prove how simple it was to take control of the device via this method, SEC produced a video:
Whilst the problem hasn’t yet been fully addressed by Vibratissimo’s owners, SEC believes updates are coming. Johannes Greil, who heads up SEC Consult Vulnerability Lab, told Forbes: “Initial security tests showed quite critical issues but the vendor stated that they are going to fix those other issues as well in the very near future. As always we recommend further security tests to raise the security level of such products.”
Given the popularity of Vibratissimo’s apps, users would be wise to avail themselves of updates when they can. According to Google Play figures, between 50,000 and 100,000 have downloaded the relevant Android app. It’s unclear how many iPhone owners enjoy the Panty Buster too, though SEC estimated the total number of affected users was in the six-figure ballpark.
Naughty sex toy
The Panty Buster used insecure Bluetooth too, failing to authenticate incoming connections, allowing an attacker to take control of the device just as long as they were in range. After SEC disclosed the issue to CERT-Bund, a German body that helps with disclosing security vulnerabilities to vendors, it emerged this was a feature, not a bug, according to the blog. Vibratissimo claimed its customers wanted fully open access, in particular those attending swinger parties, according to SEC’s narrative.
The issue has been addressed, though, as the researchers said the manufacturer had introduced a more secure pairing method. But as the update is in the firmware, customers have to send the device to Amor Gummiwaren to get the fix.
A further, still unresolved issue allowed anyone to view images uploaded by Vibratissimo users. The flaw was a result of images being openly searchable by simply knowing the correct URL to type in. As the identifier for each photo is just a number, incremented by one every time an image is added, it wouldn’t be too much of a stretch for outsiders to guess what to search.
Amor Gummiwaren hadn’t responded to requests for comment at the time of publication.
Expect Greil’s team to reveal more weaknesses in connected sex toys in the coming months, though. Their Internet of Dildos research project is ongoing.
Article By Thomas Fox-Brewster