Security researchers have discovered a vulnerability in smart sex toys, including those made in the US, that allows hackers to easily take control of the devices from the street.
Walking through the streets of Berlin, Alex Lomas, a researcher from security group Pen Test Partners, said he was “genuinely surprised” to see an adult sex toy pop up on his phone.
Using a technique Lomas dubbed “screwdriving” – a play on “wardriving,” a term hackers use for locating Wi-Fi networks while driving – Lomas showed how hackers could “fairly accurately” locate a Bluetooth Low Energy (BLE)-enabled sex toy using triangulation.
“We went hunting…and found some devices in an exploitable state…in people,” Lomas wrote in a blog post.
BLE, also known as Bluetooth Smart, is a wireless personal area network technology that was made to consume less power than Bluetooth, allowing devices to run on a smaller battery for longer. The technology has most commonly been used in fitness trackers, health monitors and computer accessories like keyboards and mice. However, BLE is not known for having good security measures.
The Lovense Hush is a BLE-connected butt plug that allows users to control the speed of the vibrations through their smartphones. The device is advertised to be used by long-distance couples through a mobile application, or for “solo play” and “discreet public play” with BLE.
Lomas said that these BLE devices “advertise themselves for discovery” by using the same identifier across all devices. He found that all Hush devices are named LVS-Z001.
Researchers tested several other devices, including the American-based Kiiroo Fleshlight, Lelo, and the Lovense Nora and Max, and found that none of them used a PIN or password, or, if they did, it was generic and static.
“In fact, we’ve found this issue in every Bluetooth adult toy we’ve looked at!” Lomas said.
Lomas said it was understandable that sex toys do not include a user interface (UI), which would allow a user to connect their sex toy to another device with a pairing PIN.
“I accept that putting a keypad on a butt plug is a bit of a non-starter!” Lomas said. “Where do you put a UI on a butt plug, after all?”
Since the BLE signals between the phone and the sex toys are not encrypted, Lomas was able to intercept the transmissions between the phone and the sex toy using only a Bluetooth “dongle” and an antenna. He then showed how a few simple commands would allow a hacker to connect to the devices from the street and take control of them.
Additionally, since BLE devices use point-to-point (P2P) topology for one-to-one device communications, Lomas said that “as long as the attacker remains connected over BLE and not the victim, there is no way they can stop the vibrations.”
Lomas said that he was not trying to “kink-shame” anyone for using these devices; rather, he hoped that the industry would learn to improve the security measures in its devices.
I really do hope IoT toy makers address security issues in their products.
Another disclosure coming soon too…
If it’s your first foray into stunt hacking, you may as well go big.
— Alex Lomas (@alexlomas) September 29, 2017
“How comfortable do you feel knowing that if you wore such devices in public, that you might be discovered?” Lomas said. “Having an adult toy unexpectedly start vibrating could cause a great deal of embarrassment.”
Lomas suggested that sex toys should include a button that would need to be pushed before they could be paired to another device. He also suggested sex toys should be renamed so they could not be distinguished from a printer or a regular Bluetooth device.
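The two fixes Lomas suggests can be sketched as device-side logic. The following is an added illustration, not code from Pen Test Partners or any vendor: every name in it is hypothetical, the 30-second window is an assumed value, and the peer address stands in for the bond identity that a real BLE stack would establish with encrypted pairing.

```c
/* Added illustration: pairing gate for a BLE peripheral with one button and no UI. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAIR_WINDOW_MS 30000u   /* assumed length of the pairing window */
typedef struct {
    bool     window_open;       /* set only by a physical button press */
    uint32_t window_start_ms;
    bool     has_bond;
    uint8_t  bonded_addr[6];    /* stand-in for a real bond identity/key */
} pair_gate;

/* Advertised name is generic, so it does not reveal the product model. */
const char *gate_adv_name(void) { return "BLE Device"; }

void gate_init(pair_gate *g) { memset(g, 0, sizeof *g); }

/* Called from the button interrupt: the only way to allow a new pairing. */
void gate_button(pair_gate *g, uint32_t now_ms) {
    g->window_open = true;
    g->window_start_ms = now_ms;
}

/* Returns true to keep an incoming connection, false to drop it. */
bool gate_on_connect(pair_gate *g, const uint8_t addr[6], uint32_t now_ms) {
    if (g->has_bond && memcmp(addr, g->bonded_addr, 6) == 0)
        return true;            /* already-paired owner reconnecting */
    /* Unsigned subtraction stays correct when the tick counter wraps. */
    bool open = g->window_open &&
                (uint32_t)(now_ms - g->window_start_ms) < PAIR_WINDOW_MS;
    g->window_open = false;     /* one pairing attempt per button press */
    if (!open) return false;    /* unknown peer, no recent button press */
    memcpy(g->bonded_addr, addr, 6);
    g->has_bond = true;         /* new bond replaces any earlier one */
    return true;
}

/* Control writes are honoured only from the paired phone. */
bool gate_allow_command(const pair_gate *g, const uint8_t addr[6]) {
    return g->has_bond && memcmp(addr, g->bonded_addr, 6) == 0;
}
```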