Intelligent sex toys can become hacker targets | Security

Connected sex toys can be hacked. ESET researchers have found that the industry's top sexual accessories (vibrators, masturbators, etc.) do not make their privacy policies clear and have serious security holes. Once exploited by criminals, these vulnerabilities could expose users' intimate information and even give remote control to a stranger, resulting in sexual abuse. The study was presented last Tuesday (5), during the 6th ESET Digital Security Forum in Cancun, Mexico.

Male and female vibrators have serious safety flaws, ESET research shows Photo: Nicolly Vimercate / dnetc

Smart vibrators connect to the user's mobile phone. Through an application, you can control the rhythm of the device, choose a song, chat (text and video), send photos or give control of the "toy" to a partner. To do all this, the devices have a Bluetooth or Wi-Fi connection, and that is where the danger lies. Just like any other Internet-connected (IoT) device, a smart toy's communications can be intercepted.

According to the ESET security analysts who conducted the research, a malicious person's access to the gadget could have serious consequences. "If we add the value that very private information has to the vulnerabilities we find, the result is catastrophic," warned Cecilia Pastorino and Denise Giusto Bilic during their presentation at the event.

Security flaws are everywhere, as the research shows. They range from Bluetooth protocol problems, unprotected databases and insecure APIs to easy-to-discover passwords. "The hacker can carry out denial-of-service attacks or ransomware attacks, hijacking the device and asking for a bitcoin ransom, or modify the equipment's functions to vibrate much more than it can handle until it explodes," warns Cecilia Pastorino.

ESET Security Analyst Cecilia Pastorino Explains Communication Between Sexual Gadget and Mobile App Photo: Nicolly Vimercate / dnetc

The researcher explains that Bluetooth, for example, constantly advertises the device until it is paired with a mobile phone. With a simple app that scans the signal, you can see the name of the device that is looking for a connection, recognize that it is a vibrator model and see how many decibels it operates at. With another app, also easy to use, a malicious person would be able to track the location of the device and then know who is carrying it in a bag (or elsewhere).

Also, while some apps value users' privacy and make the conversation disappear after a while, others allow users to take screenshots without the other person knowing or to forward photos, and keep the images in the recipient's gallery.

Another danger lies in the password. All applications reviewed by ESET ask the user to set a four-digit security password, which is already a barrier to other users of the phone or curious "friends". However, in some cases, it is enough for a hacker to use a method called brute forcing to test all possible combinations and, within hours, be able to access the apps or conversations of multiple people.
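Why a four-digit password falls "within hours" and what attempt throttling changes, as an added example that is not code from ESET or from any vendor's app. The class name, the lockout policy values and the one-guess-per-second rate are assumptions chosen for illustration.

```python
import hmac

KEYSPACE = 10 ** 4  # every four-digit password, 0000 to 9999


class ThrottledPin:
    """PIN check with an exponential lockout after repeated failures.

    Hypothetical policy: `free_attempts` failures are tolerated, then each
    further failure doubles the lockout, capped at `max_delay` seconds.
    """

    def __init__(self, pin, free_attempts=5, base_delay=30, max_delay=3600):
        self._pin = pin.encode()
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, guess, now):
        """Return 'ok', 'wrong' or 'locked'; `now` is seconds on any clock."""
        if now < self.locked_until:
            return "locked"  # even the correct PIN is refused during lockout
        if hmac.compare_digest(guess.encode(), self._pin):  # constant-time
            self.failures = 0
            return "ok"
        self.failures += 1
        extra = self.failures - self.free_attempts
        if extra >= 0:
            delay = min(self.base_delay * 2 ** extra, self.max_delay)
            self.locked_until = now + delay
        return "wrong"


def seconds_to_exhaust(checker, seconds_per_guess=1.0):
    """Simulated time for a sequential sweep of the keyspace to reach the PIN."""
    now = 0.0
    for n in range(KEYSPACE):
        now = max(now, checker.locked_until)  # wait out any lockout
        if checker.verify(f"{n:04d}", now) == "ok":
            return now
        now += seconds_per_guess
    return None


if __name__ == "__main__":
    worst = "9999"  # last value a sequential sweep reaches
    open_door = seconds_to_exhaust(ThrottledPin(worst, free_attempts=KEYSPACE))
    throttled = seconds_to_exhaust(ThrottledPin(worst))
    print(f"no throttling: {open_door / 3600:.1f} hours")
    print(f"with lockout:  {throttled / 86400:.0f} days")
```

The throttling only helps when it is enforced where the secret is checked (server or device); a limit implemented only in the app's user interface does not slow anyone who talks to the backend directly.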

ESET analyzed the industry's leading smart vibrators and found no information on user data security policies. Photo: Nicolly Vimercate / dnetc

  • Unauthorized Information Shared

During the survey, analysts found that most sex toy manuals contain technical product specifications but say nothing about data collection. "We found descriptions about time of use, warranty, technical specifications, etc., but we found no details about what information manufacturers are using, how they are encrypting this data, where they are storing it. This is not seen in any product manual," said Denise. Thus, intimate information is shared with companies in a non-consensual manner and without users knowing where it ends up.

  • Intimate data leakage

Sex toys are able to send the manufacturer's server the user's location data, temperature, account data (such as email), vibration pattern, the times when the toy is most used, etc. And, in general, they do not offer very advanced security protocols. Thus, there is scope for hackers to break into the network and discover very personal information about users.

"There are countries that have restrictions on sexuality, where the sale of banned and homosexual sexual gadgets can be arrested or sentenced to death. This type of data, once discovered, can pose several problems for the privacy of the user, their intimacy and integrity," reflects Cecilia.

Some phones even have cameras and microphones. If these images and audio fall into the wrong hands, they can become material for extortion (or sextortion).

Denise Giusto Bilic, ESET security analyst, warns of dangers of stranger accessing sex toy commands Photo: Nicolly Vimercate / dnetc

  • Another person's access to sex toy without consent

Researchers also found that a hacker can easily intercept the communication between the vibrator and the cell phone. With the necessary knowledge and being less than 10 meters away from the victim (maximum Bluetooth signal range), the hacker can receive all commands that the user sends to the sex toy or send his own commands to the device, resulting in a violation of the victim's body. As Cecilia explains: "If the hacker takes control of the device when the user has not given him permission, we may even be talking about rape."

Sex robots are a separate case. Female and male dolls that communicate with their owners and learn from their actions are equipped with artificial intelligence. For this, they have a "brain", which is nothing more than an Android phone or tablet inside the robot's head. That is, "all the security issues that affect cell phones can be found in sex robots as well," Cecilia explains.

Sex doll's 'brain' consists of an Android tablet or phone Photo: Nicolly Vimercate / dnetc

When they contacted the manufacturer of this type of toy, ESET researchers found technical information about the products (32 GB of memory and pre-installed artificial intelligence apps, for example) but, again, nothing about security policies.

Anyone who thinks that "relating" to sexual objects or dolls is less dangerous than relating to other human beings may be mistaken. Sex that involves technology also needs protection. Experts recommend first seeking information about previous vulnerabilities of the device to be purchased. If the manufacturer has already been through an information leak, it may have improved its security policies, or not. It's worth checking before you buy.

The app for each brand is available in app stores even for those who don't have the sex device. Before purchasing, consumers can install the application on their mobile phone to learn about the available functions and read the terms and conditions of service. That way you can find out how the company treats your data. What information does it collect? What permissions does the app ask for in order to work? Where is the data stored? Who can have access?

Avoid sharing photos or, when doing so, be careful to delete metadata before uploading the image. Hidden photo data may reveal location and other personal data. Speaking of personal data, when signing in to the app, it is recommended not to use a personal email address or enter your real name, document numbers or other sensitive data. One suggestion is to create a separate email address used only to register for the vibrator app.

Finally, keeping your phone protected from malware using antivirus, never downloading apps outside the official Android or iPhone (iOS) stores, and avoiding public Wi-Fi are also basic security measures that apply to other technologies besides sexual accessories. "One way to keep these devices secure, as there is no specific security solution for each, is to increase network and mobile protection," says Denise.

Virtual sex also needs protection, experts warn Photo: Nicolly Vimercate / dnetc

As with any IoT device, there is still a long way to go when it comes to security. "There are so many new debates that open from devices that connect to the Internet," reflects Cecilia. Therefore, researchers warn that consumers should start worrying about their privacy and demand that the entire industry be transparent about its data policies and careful about possible security breaches. Denise adds: "As always, first comes the legal demand and then, yes, companies notice this type of issue."

* The journalist traveled to Cancun at ESET's invitation