Nowadays, everything can be hacked: people and electronic devices of all sorts. We recently wrote about the IoT thermostat hack demonstrated at DEF CON 24 in Las Vegas. Today we will tell you about a similar hack from the same conference, but a slightly more… scandalous one. Two security researchers, going by the names follower and gOldfisk, made a curious revelation: the We-Vibe 4 Plus, an adult toy, collects user data and sends it home to its manufacturer. Even though this type of data collection is normal, the sensitivity of the subject means it can lead to various complications.
Their presentation is titled “Breaking the Internet of Vibrating Things: What We Learned Reverse Engineering Bluetooth- and Internet-Enabled Adult Toys”.
The two researchers’ appeal to users reads as follows:
Learn the reverse engineering approach we took–suitable for both first timers and the more experienced–to analyze a product that integrates a Bluetooth LE/Smart wireless hardware device, mobile app and server-side functionality. More parts means more attack surfaces! Alongside the talk, we are releasing the “Weevil” suite of tools to enable you to simulate and control We-Vibe compatible vibrators. We invite you to bring your knowledge of mobile app exploits, wireless communication hijacking (you already hacked your electronic skateboard last year, right?) and back-end server vulnerabilities to the party. It’s time for you to get to play with your toys more privately and creatively than before.
What Is We-Vibe 4 Plus?
It’s a next-generation IoT vibrator. It’s advertised as “the No.1 couples vibrator”, has an app and can be used from a distance. This is known as “teledildonics”, a technology for remote sex. The IoT self-pleasure device sends usage telemetry via Bluetooth to a nearby mobile phone running the We-Vibe app. However, the app sends some of this data, every minute, to We-Vibe servers.
What data is being sent home? The device’s temperature, the vibration level and the vibration mode the user has chosen.
Why is this data being collected and transmitted? According to the manufacturer, this data is gathered and used only for debugging and fine-tuning, which is something all vendors and manufacturers do. However, the two researchers warn that this type of data collection, even if it is used only for “good” purposes, can have implications.
The Implications of Adult Toys Data Collection
For one, if a data breach occurs, this sensitive information will be made public. Furthermore, the researchers warn that the mobile app connected to the toy has ambiguous terms and conditions. For example, the company reserves the right to share this data with authorities upon request.
In addition, there are many people and authorities around the world who consider self-pleasure a crime. Some of the cruelest punishments for such deeds include public lashings in Saudi Arabia and 32 months' imprisonment in Indonesia!