Some of the most popular smart sex toys on the market aren’t smart about user security and privacy, ESET researchers say.
The latest toys in the industry are devices with VR capabilities and AI-powered sex robots that are equipped with cameras, microphones, and have voice analysis capabilities based on AI.
As any IoT device, these toys are constantly connected to the Internet are prime targets for those who look for blackmailing and extortion opportunities.
This Thursday, Denise Giusto Bilić and Cecilia Pastorino from ESET published research in which they expose security and privacy issues with sex toy devices by two popular brands, WOW Tech Group and Lovense.
They examined We-Vibe Jive, a Bluetooth-enabled female vibrator, and Lovense Max, a male masturbation sleeve.
Both devices can be connected to the dedicated mobile apps for controlling vibrations or handing over control to a partner. And both use Bluetooth Low Energy (BLE) technology, which is not very secure.
In the case of We-Vibe Jive, the device uses an insecure BLE pairing option – a temporary code for linking is set to zero. Because of this, researchers found, the device is subject to Man-in-The-Middle (MitM) attacks.
The Jive is wearable and broadcasts its presence continually, and “anyone can use a simple Bluetooth scanner to find any such devices in their vicinity,” ESET says.
An attacker could use the device’s signal strength as a beacon to find the exact location of the person wearing it, the researchers explain.
The device is capable of sharing ultimedia files with other We-Connect users which can disclose the users’ device data and geolocation.
Another privacy issue is a lack of brute-force protection during malicious attempts at guessing the app’s PIN.
As for Lovense Max, it contained a number of “controversial” design choices, ESET says. The confidentiality of intimate images the user shares with another user could be compromised.
The receiving user can freely download and forward images to third-parties without the consent of the sender. Another issue is reliance on HTTPS with no end-to-end encryption for image transfers.
The researchers also found the Lovense Max app stored users’ email addresses in plaintext when messaging. Tokens to be shared publicly by the user are also susceptible to brute-force attacks, as they are generated with few numbers and active longer than claimed.
Lovense Max was also vulnerable to MiTM attacks because it did not authenticate BLE connections.
“The consequences of data breaches in this sphere can be particularly disastrous when the information leaked concerns sexual orientation, sexual behaviors, and intimate photos,” ESET says.
ESET reported the vulnerabilities to WOW Tech Group and Lovense. The manufacturers have released some fixes for the above issue, while Lovense is now working on enhanced privacy features.