Many smart sex toys have significant security vulnerabilities. According to researchers, the vulnerabilities emanate in particular from the devices’ apps. For users, data theft would be devastating, as intimate recordings could end up on the Internet unintentionally.
Researchers discover security vulnerabilities in smart sex toys
Sex toys are also becoming more advanced. While they once served only one – obvious – purpose, they are now a kind of complex multimedia station that can be controlled via app and networked with other devices. They therefore have more in common with modern smartphones than with classic sex toys.
But the blessing of progress always has a downside, as we all know, and this case is no different. Intelligent sex toys may have functions such as Bluetooth, data storage, data transfer, synchronization with music and controllability via app, but they are also vulnerable to hacker attacks.
Researchers at the security software company ESET have discovered that the We-Vibe “Jive” and the Lovense “Max”, two absolute bestsellers on the sex toy market during the coronavirus pandemic, have a number of vulnerabilities. The reason is that cybercriminals can install malware on the users' smartphones via the apps that control the devices.
Dangers to users – from physical harm to data theft
ESET researchers Denise Giusto and Cecilia Pastorino explain, “IT security must be a high priority, especially when developing smart sex toys. The potential dangers are high for the user; no one wants to be blackmailed with intimate recordings or conversations.” They continued, “With most current sex toys, the security aspect has been criminally neglected by manufacturers. This urgently needs to change as these devices evolve.”
But what specific dangers do users of smart sex toys face due to security vulnerabilities? The greatest danger is probably physical damage. If hackers use malware to gain access to the smartphone that controls the sex toy via app, it can no longer be controlled only by the owner. The criminals also have the option of controlling the device. This means that if it is in use while third parties are accessing it, they can, for example, set a vibration mode that is too high, which could lead to significant injuries to the user.
Another danger is the theft of sensitive data – personal information, private messages, intimate photos or videos. Anyone who has stored nude photos on their smartphone, for example, would have to reckon with them ending up on the Internet involuntarily. And the possible consequences of this are well known and need no further explanation.
Of course, the cybercriminals would have nothing to gain from harming their victims without any reason – or rather: without demanding anything in return. In plain language, this means that hackers who exploit security vulnerabilities in smart sex toys do so with the aim of blackmailing their victims, usually with the threat that the stolen data will be published on the Internet if a certain amount of money is not paid.
We-Vibe “Jive” and Lovense “Max”: These vulnerabilities exist
The biggest security vulnerability of the We-Vibe “Jive” is the Bluetooth function. It is so insecure that the device is constantly detectable with a Bluetooth scanner, and the temporary key code can be changed quite easily by third parties while a connection between devices is being established. There is also a problem with exchanges between users during chat sessions: information about the devices used and the location could be shared along with the data being sent.
With Lovense “Max”, on the other hand, there is a risk that when synchronizing with a remote counterpart, hackers could take control of both devices at once, even though only one has been compromised. In addition, the use of email addresses in the app’s user IDs raises privacy concerns, since the addresses are visible in plain text to all participants in a chat session.