When your internet-connected lightbulb gets hacked, a university gets DDoS’d. But when the same thing happens to your internet-connected vibrator? Well, let’s just say the ramifications are a tad more personal.
Welcome to the wild, wonderful, and oh-so vulnerable world known to security researchers as the internet of dildos. A subdomain of the internet of things, IoD encompasses the bevy of connected sex toys adding a little digital spice to our love lives — just maybe not the kind of spice anyone had in mind.
This was made all too clear by a Feb. 1 report from SEC Consult, a security research company specializing in security audits and penetration testing, that revealed the dirty little secret behind a popular IoD device. Namely, the security surrounding it is garbage.
Specifically, the company looked at the Vibratissimo Panty Buster.
This is not the first time something in the teledildonic universe has shown to be lacking in security.
Just how, exactly, was this device vulnerable to abuse? The vibrator comes with a neat feature that allows you to text or email a friend a unique ID. Once the friend has that, he or she can remotely control the device.
Pretty cool, right? Well, sort of.
“This wouldn’t be a problem in general if the link containing the unique ID would be random and long enough,” notes the report. “Apart from that, it would be quite useful if the receiving user has to confirm the remote control before being controlled by the other user. This is currently not the case.”
So what was the case?
“The IDs are again a global counter, which just gets incremented by one every time a new quick control link is created,” the report explains. “The attacker could simply guess this predictable ID in order to control the victim directly.”
In other words, a random person on the internet could guess your unique ID and control your vibrator remotely. This made possible a very 21st century form of assault, where the attacker and victim could be separated by thousands of miles and never see each other’s faces.
You can’t just advertise safe, discreet, remote play and then allow anyone & everyone to connect to your production database (which stores everything in the clear) and then our your users at risk of sexual assault.
— Sarah Jamie Lewis (@SarahJamieLewis) February 1, 2018
But that’s not all. Researchers discovered “[exposed] administrative interfaces,” which would have given an attacker access to everything from “full user information (real name, home address, passwords in cleartext, etc),” to “image galleries.”
Notably, this is not the first time something in the teledildonic universe has shown to be lacking in security. In April of 2017, we learned that a vibrator equipped with a camera was super easy to hack. And in 2016, researchers claimed that it would be easy to remotely take control of the We-Vibe 4 Plus — a so-called “couples vibrator.”
Importantly, the researchers at SEC Consult contacted the manufacturer, and write that the vendor assured them that “the most critical issues were already resolved.”
So that’s good.
What’s not good is that these vulnerabilities existed in the first place. If companies expect us to connect our sex lives to the interent via their toys, then they need to make sure we’re not putting our privacy and safety at risk in the process.
Because while the internet of dildos has a nice ring to it, it also comes with significant risk. After all, there’s a lot more at stake than a ransomwared smart thermostat. The companies trying to sell us connected vibrators would do well to keep that in mind.