Don’t Get Your Valentine an Internet-Connected Sex Toy

Credit to Author: Emily Dreyfuss | Date: Thu, 14 Feb 2019 15:02:40 +0000

Happy Valentine’s Day! Since it’s 2019, you and a partner could celebrate by installing an app on your phone that lets you control a vibrator your partner discreetly wears in their underwear all day. I mean, if you wanted to! Thanks to the burgeoning industry of teledildonics, as internet-connected sexual pleasure products are known, there’s a wealth of innovative options: vibrating WiFi-enabled butt plugs, webcam-connected dildos, even the CES-banned Ose vibrator uses AI to provide biofeedback. That’s all good—pleasure is great!—but like all internet-of-things devices, smart sex toys are also incredibly vulnerable. From over-exuberant manufacturers who slurp up data to security flaws that hackers could exploit, teledildonics can be a privacy nightmare.

“Privacy counts across everything, and when it comes to connected sex toys it seems like it should count even more,” says Jen Caltrider, content strategy lead at the Mozilla Foundation.

That’s why this month Mozilla released a special Valentine’s Day section of its “Privacy Not Included” guide, featuring romantic gadgets like smart beds, fitness trackers, and yes, teledildonics. Caltrider explains that they picked products based on what seemed popular online, while also trying to be inclusive of all sexual orientations, genders, and physical abilities.

So what makes for a cyber-safe sex toy? According to Mozilla, you'll want to look out for things like whether the product uses encryption, automatic security updates, strong password requirements (where applicable), an accessible privacy policy, and a way for the company to manage security vulnerabilities in its products. Mozilla considers these five things minimum security standards for connected devices. And like its other gift guides, Mozilla highlights products that appear to meet that baseline with a badge.

Of the 18 items that Mozilla assessed—a small fraction of what’s actually out there—half didn’t pass muster. Of those that did, only six could really be called teledildonic: the Lioness Vibrator, the We-Vibe Sync, and four pleasure devices from Lovense. (Mozilla counts the Lovense Nora and Max, which work together, as two products.)

“At the end of the day, this can be serious,” Caltrider says. “These [devices] exist in the world, they're likely to be gifts, and so we wanted to get people to sit back and think, What are the privacy implications?”

Experts have been raising the alarm about teledildonic security risks for years. Poor teledildonic security could enable not just an invasion of your most intimate information but even, hypothetically, remote-controlled assault, wherein an attacker takes over the remote app of a sex toy without its user’s consent. Right now the only confirmed hacks have been done by security researchers studying these devices, but experts WIRED spoke to believe that the possibility of such attacks is real—and caution that it could be hard to even know if one had occurred.

“In the IoT space, [teledildonics] is one of the biggest threats that exists,” says Amie Stepanovich, US policy manager at the nonprofit advocacy group Access Now. Researchers have demonstrated how easy it is to hack into popular products time and again. “These devices, like other IoT devices, are being produced by companies that have never connected products to the internet before,” Stepanovich says. Most have never had to worry about the pitfalls of big data collection or internet security.

In Mozilla’s review, the products that failed, failed hard. Take the Vibratissimo Panty Buster. Mozilla writes that “this product seems to be made only for those who enjoy the thrill of potentially having their smart sex toy hacked.” Caltrider was baffled by how bad it was at protecting users. “The Vibratissimo doesn’t even have a privacy policy!” she said in an interview with WIRED. An independent report commissioned by Mozilla last year concluded that “the Vibratissimo Panty Buster vendor seems to have no regards for security.” Its problems are numerous: the device allows for remote access without consent, there’s no encryption, and it connects via insecure Bluetooth. Amor Gummiwaren GmbH, the vendor, did not respond to requests for comment.

Bluetooth is a recurring pain point for IoT security. The technology has been plagued by poor security from the beginning, and what security protocols have been put in place to make Bluetooth safer are inadequate or sometimes poorly rolled out. Researchers note that old versions of Bluetooth that have been abandoned because of security risks are often still used. But even the newest versions lack robust encryption, and have flaws that let savvy bad actors within range spy on connected devices.

“Our research has shown no Bluetooth adult toys that implement secure ‘bonding’ when connecting to a phone. This makes hijack possible,” said Ken Munro, a researcher at security firm Pen Test Partners, in an email to WIRED. “We’ve seen problems with the mobile apps that the smart toy uses. These can allow hackers remote access to very personal and intimate data over the internet, in some circumstances.”

As far as Munro is concerned, you might not want to purchase any of these smart toys, “unless you are comfortable with others nearby knowing you have one and are using it,” he says. “Even simply opening the Bluetooth explorer on your phone will reveal nearby smart adult devices that are powered on.”

When Bluetooth is used to hack into and take over a sex toy, it’s called “screwdriving”—a term coined by Pen Test Partners in 2017, when its researchers discovered that the Lovense Hush butt plug could be found and remotely controlled via Bluetooth.

The Lovense Hush, along with three other Lovense products, now meets Mozilla’s minimum security standards. “Lovense had some problems,” Caltrider says. “They had one of their toys hacked but they learned from it. There's a link on their page that takes you to the Pen Test Partners group. It was an eye-opening thing for them.”

Lovense COO Joris Guisado told WIRED the hack had been good for the company and the industry. “These kinds of events showed us and everyone else that the standards were not high enough and made us realize we had some work to do to change that,” Guisado said. According to him, the company reached out directly to the white hat hackers who had demonstrated the vulnerability in the company’s butt plug, as well as to other researchers, and began working with them directly to improve their security.

“They helped us put in place a vulnerability disclosure program, and we started to work with a few private Pen Testers,” Guisado said. He wasn’t able to point out the exact changes that the company made in response to the researchers in time for publication, but noted that Lovense has created “really clear privacy policies that we keep updating, a completely offline mode to use our app locally, and an opt-out option to sharing anonymous data.” Mozilla's guide also notes Lovense uses encryption, has automatic security updates, and requires users to update the default password in order to use any remote functionality. That’s about as good as it gets right now.

For devices that don’t have good basic security, there’s often very little users can do to make them safer. “Check for updates for the product, as security patches may have been issued since your product was manufactured,” Munro says. “Make sure you use strong, unique passwords for your user accounts on the app that you control the toy with.”

But it shouldn’t be on you to make these toys safe—companies should make them safe by default. As they fumble along and learn, watchdogs like Internet of Dongs have sprung up in an attempt to keep track of the risks and help consumers. But sex toy companies, like most IoT companies, are still largely left to police themselves.

In 2017, the makers of the We-Vibe vibrators (whose Sync vibrator now has a Mozilla “meets the minimum” badge) agreed to pay $3.75 million in a class action settlement, after two customers sued the company for allegedly tracking data about how the devices were used—including vibration intensity and temperature—without their knowledge. Later that year, Stepanovich and her colleagues urged the Federal Trade Commission to investigate the webcam-connected Siime Eye vibrator, after researchers at Pen Test Partners realized it would be trivial for voyeurs to access its live feeds.

But progress on specific regulation for teledildonics—such as clear laws dealing with the possibility of remote-controlled assault, teledildonic sextortion, or required security protocols for vendors—has been slow, experts say. Stepanovich says no one is holistically keeping track of what internet-of-things regulations are being proposed across the US, let alone those that are specifically about sexual products. In her opinion, the first step needs to be strengthening internet-of-things protections generally.

Even to get policymakers to care has been a struggle. “There is a lot of judgment leveled against the people who would want to use these without considering that they could have benefits for people, not only people in long distance relationships but even people in rehabilitation from former sexual traumas,” says Stepanovich. Of all the issues she’s worked on at Access Now, she says, teledildonics has been the most plagued by “slut-shaming” and “victim blaming” from those who say that people willing to use devices like this are bringing the risk onto themselves.

None of the experts WIRED spoke to were aware of any real-world incidents of hacking into smart sex toys. “Because there likely has not been a real world situation yet we still have time to prevent and anticipate the consequences,” says Stepanovich. But don’t sigh in relief just yet. Munro notes it would be really hard to know if this had happened, unless hackers had taken the data and used it in a sextortion scheme. “It’s perhaps more likely that data is being gathered covertly for the gratification of the attacker,” he says.

Since so many toys are given as gifts from one intimate partner to another, often the person using the device is not even in control of its set-up, notes Caltrider. Stepanovich agrees this raises the stakes and likelihood for abuse. “A lot of times technology is used to oppress people in certain types of abusive relationships, so especially when technology is a gift there needs to be a path to make sure the person who is using the product is the person who is in control of the data generated by the product,” she says. She’d like to see companies bake in the ability for a person to stop the flow of data to and from their device at any time.

There’s a lot of work left to do to make teledildonics secure, from updating laws, to encouraging threat disclosure programs, to making sure companies include basic security protocols. For now, Mozilla’s gift guide is a pretty good place to start if you want a smart sex toy but don’t want your kinks and proclivities exposed for all to see.

You’ve been warned!