Their poor Bluetooth security can land you in a heap of extortion and blackmail troubles over your forbidden pleasures!

Today’s newer, technologically advanced sex toys are really something. Just like other smart appliances, they integrate mobile apps, messaging, video chats and web-based interconnectivity to provide even more stimulation than ever—not just to users but also to cybercriminals.

When the user of a smart adult toy gets connected to the internet, that is when uninvited ‘guests’ can also join in the fun. Vulnerabilities in the programming could allow for malware to be installed on a connected smartphone, thereby allowing hackers to capture videos and extract personal data for extortion and other nefarious acts. To address these dangers and investigate how secure smart toys are, researchers from cybersecurity firm ESET analyzed two well-known adult toys on the market using vulnerability analysis frameworks as well as direct analysis techniques to identify flaws in their implementations.

We-Vibe ‘Jive’ for women

As a wearable device, the We-Vibe Jive is prone to usage in insecure environments. The device was found to continually announce its presence in order to facilitate a connection: meaning that anyone with a Bluetooth scanner could find the device in their vicinity, up to eight meters away.

Potential attackers could then identify the device and use signal strength to guide them to the wearer. The manufacturer’s official app would not be required to gain control, as most browsers offer features to facilitate this.

The Jive utilizes the least secure of the Bluetooth Low Energy (BLE) pairing methods, whereby the temporary key code used by the devices during pairing is set to zero, and as such, any device can connect using zero as the key. The Jive is highly vulnerable to man-in-the-middle (MitM) attacks, as an unpaired Jive could bond automatically with any mobile phone, tablet, or computer that requests it to do so, without carrying out verification or authentication.

Although multimedia files shared between users during chat sessions are saved in the app’s private storage folders, the files’ metadata remains on the shared file. This means that every time users send a photo to a remote phone, they may also be sending information about their devices and their exact geolocation.
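The metadata leak described above is a property of the image file itself, so the app-side fix is to drop the EXIF (and XMP) segments before a photo is sent. The following is an added example of that step, not code from ESET or from either app: it walks the JPEG segment table, discards the APP1 segments that carry EXIF and XMP, and passes the scan data through untouched. The JPEG it operates on is a constructed skeleton with a placeholder GPS string standing in for a real GPS IFD.

```python
"""Strip the EXIF/XMP (APP1) segments, which can hold GPS coordinates and device
details, from a JPEG before it leaves the phone.  Added example; the JPEG below
is constructed with placeholder segments, not a real photo."""

SOS, EOI, APP0, APP1, DQT = 0xDA, 0xD9, 0xE0, 0xE1, 0xDB
EXIF_ID = b"Exif\x00\x00"
XMP_ID = b"http://ns.adobe.com/xap/1.0/\x00"


def strip_exif(jpeg: bytes) -> bytes:
    """Copy every JPEG segment except APP1/EXIF and APP1/XMP.  Segment-by-segment
    parsing stops at SOS; the entropy-coded scan (through EOI) is copied unchanged."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            out += jpeg[pos:]
            return bytes(out)
        if pos + 4 > len(jpeg):
            break
        seg_len = int.from_bytes(jpeg[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        seg_end = pos + 2 + seg_len
        segment = jpeg[pos:seg_end]
        payload = segment[4:]
        is_metadata = marker == APP1 and (payload.startswith(EXIF_ID)
                                          or payload.startswith(XMP_ID))
        if not is_metadata:
            out += segment  # keep JFIF, quantisation tables, Huffman tables, etc.
        pos = seg_end
    raise ValueError("truncated JPEG: no SOS/EOI marker found")


def has_exif(jpeg: bytes) -> bool:
    """True if an EXIF identifier is still present anywhere in the file."""
    return EXIF_ID in jpeg


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker, 2-byte length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton: JFIF APP0, an EXIF APP1 carrying a placeholder GPS
    string where a real GPS IFD would sit, a DQT, a short SOS, three bytes of
    scan data and EOI.  Not a decodable image; enough to exercise the parser."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    tiff_header = b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00"  # big-endian TIFF, empty IFD0
    exif = EXIF_ID + tiff_header + b"GPS:51.5000,-0.1200"        # placeholder, constructed
    return (b"\xff\xd8" + _segment(APP0, jfif) + _segment(APP1, exif)
            + _segment(DQT, b"\x00" + bytes(64))
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg()
    cleaned = strip_exif(sample)
    print(f"before: {len(sample)} bytes, exif={has_exif(sample)}")
    print(f"after:  {len(cleaned)} bytes, exif={has_exif(cleaned)}")
```

Stripping at the segment level rather than re-encoding keeps the image pixels bit-identical; the trade-off is that orientation tags go with the rest of the EXIF block, so an app doing this should apply the rotation first or re-write only the orientation tag it needs.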

Lovense ‘Max’ for men

This device has the ability to synchronize with a remote counterpart, which means an attacker could take control of both devices by compromising just one of them. However, multimedia files do not include metadata when received from the remote device, and the app offers the option to configure a four-digit unlock code via a grid of buttons, making brute-force attacks more difficult.

Some elements of the app’s design may threaten user privacy, such as the option to forward images to third parties without the knowledge of the owner; deleted or blocked users continue to have access to the chat history and all previously shared multimedia files.

The device does not use authentication for BLE connections either, so a MitM attack can be used to intercept the connection and send commands to control the device’s motors. Additionally, the app’s use of email addresses in user IDs presents some privacy concerns, with addresses shared in plain text among all the phones involved in each chat.
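Both toys fall into the same class of weakness: the pairing exchange never produces an authenticated key, so whatever talks to the device first controls it. When assessing a BLE product, the quickest way to confirm this is to decode the SMP Pairing Request and Pairing Response and apply the method-selection rules from the Core Specification (Vol 3, Part H, 2.3.5). The following is an added example of that triage, not ESET's tooling; the two PDU pairs are constructed (a phone talking to a NoInputNoOutput peripheral that omits the MITM flag, and a hardened pair with MITM and Secure Connections set), not captures from the Jive or the Max.

```python
"""Classify a captured BLE SMP pairing exchange by the method the two sides will
negotiate and flag unauthenticated ("Just Works") pairing, which in legacy mode
means the temporary key (TK) is simply zero.  Added example; the PDU bytes are
constructed, not captured from the products in the article."""
from dataclasses import dataclass

# SMP Pairing Request (0x01) / Response (0x02), 7 bytes: code, IO capability,
# OOB flag, AuthReq, max encryption key size, initiator key dist, responder key dist.
PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
AUTHREQ_MITM = 0x04  # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08    # AuthReq bit 3: LE Secure Connections supported


@dataclass
class PairingPdu:
    code: int
    io_cap: str
    oob: bool
    mitm: bool
    sc: bool
    max_key_size: int


def parse_pairing_pdu(pdu: bytes) -> PairingPdu:
    """Decode one Pairing Request or Pairing Response PDU."""
    if len(pdu) != 7 or pdu[0] not in (PAIRING_REQUEST, PAIRING_RESPONSE):
        raise ValueError("not a 7-byte SMP pairing request/response")
    if pdu[1] not in IO_CAPS:
        raise ValueError(f"reserved IO capability {pdu[1]:#04x}")
    authreq = pdu[3]
    return PairingPdu(code=pdu[0], io_cap=IO_CAPS[pdu[1]], oob=pdu[2] == 0x01,
                      mitm=bool(authreq & AUTHREQ_MITM),
                      sc=bool(authreq & AUTHREQ_SC), max_key_size=pdu[4])


def select_method(req: PairingPdu, rsp: PairingPdu) -> tuple:
    """Method selection per Core Spec Vol 3 Part H 2.3.5; returns (method, secure_connections)."""
    sc = req.sc and rsp.sc                       # SC is used only if both sides support it
    caps = {req.io_cap, rsp.io_cap}
    if (req.oob and rsp.oob) or (sc and (req.oob or rsp.oob)):
        return "OOB", sc                         # legacy needs OOB on both sides, SC on either
    if not (req.mitm or rsp.mitm):               # neither side asked for MITM protection
        return "Just Works", sc
    if "NoInputNoOutput" in caps:                # one side can neither show nor type a code
        return "Just Works", sc
    if sc and caps <= {"DisplayYesNo", "KeyboardDisplay"}:
        return "Numeric Comparison", sc
    if caps <= {"DisplayOnly", "DisplayYesNo"}:  # two displays, nobody can enter a passkey
        return "Just Works", sc
    return "Passkey Entry", sc


def assess_exchange(request: bytes, response: bytes) -> dict:
    """Return the negotiated method plus the findings a reviewer would report."""
    req, rsp = parse_pairing_pdu(request), parse_pairing_pdu(response)
    method, sc = select_method(req, rsp)
    key_size = min(req.max_key_size, rsp.max_key_size)
    findings = []
    if method == "Just Works":
        findings.append("unauthenticated pairing: no MITM protection")
        if not sc:
            findings.append("legacy Just Works: TK = 0, pairing adds no protection against an eavesdropper")
    if key_size < 16:
        findings.append(f"negotiated encryption key size reduced to {key_size} bytes")
    return {"method": method, "secure_connections": sc,
            "authenticated": method != "Just Works",
            "legacy_tk_zero": method == "Just Works" and not sc,
            "key_size": key_size, "findings": findings}


# Constructed PDUs: a phone (KeyboardDisplay) pairing with a toy that declares
# NoInputNoOutput, legacy pairing, bonding requested, MITM bit clear.
TOY_REQUEST = bytes([0x01, 0x04, 0x00, 0x01, 0x10, 0x07, 0x07])
TOY_RESPONSE = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x00, 0x00])
# Constructed hardened pair: both sides set MITM and SC and can confirm a number.
HARDENED_REQUEST = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x07, 0x07])
HARDENED_RESPONSE = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x07, 0x07])

if __name__ == "__main__":
    for name, pair in (("toy", (TOY_REQUEST, TOY_RESPONSE)),
                       ("hardened", (HARDENED_REQUEST, HARDENED_RESPONSE))):
        print(name, assess_exchange(*pair))
```

A peripheral with no display or keypad cannot avoid Just Works on its own, which is why the mitigation belongs in the product design: the manufacturer's app layer has to add its own authentication (as the Max's unlock code partly does), or the hardware needs at least a confirm button or an out-of-band channel so the pairing itself can be authenticated.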

Take protective measures

ESET researchers Denise Giusto and Cecilia Pastorino recommend the following precautions for users of any smart device:

  • avoid using devices in public places or in areas with people passing through, such as hotels
  • keep any smart toy connected to its mobile app while in use, as this will prevent the toy from advertising its presence to potential threat actors

As the sex toy market advances into smart technology, manufacturers must keep cybersecurity top of mind, as everyone has a right to use safe and secure technology, they said.