This article is more than 1 year old
Dildon'ts of Bluetooth: Pen test boffins sniff out Berlin's smart butt plugs
You've heard of wardriving – say hello to screwdriving
Security researchers have figured out how to locate and exploit smart adult toys.
Various shenanigans are possible because of the easy discoverability and exploitability of internet-connected butt plugs and the like running Bluetooth's baby brother, Bluetooth Low Energy (BLE), a wireless personal area network technology. The tech has support for security but it's rarely implemented in practice, as El Reg has noted before.
The shortcoming allowed boffins at Pen Test Partners to hunt for Bluetooth adult toys, a practice it dubbed screwdriving, in research that builds on its earlier investigation into Wi-Fi camera dildo hacking earlier this year.
BLE devices also advertise themselves for discovery. The Lovense Hush, an IoT-enabled butt plug, calls itself LVS-Z001. Other Hush devices use the same identifier.
The Hush, like every other sex toy tested by PTP (the Kiiroo Fleshlight, Lelo, Lovense Nora and Max), all lacked adequate PIN or password protection. If the devices did have a PIN it was generic (0000 / 1234 etc). This omission is for understandable reasons. PTP explains: "The challenge is the lack of a UI to enter a classic Bluetooth pairing PIN. Where do you put a UI on a butt plug, after all?"
The only protection is that BLE devices will generally only pair with one device at a time and their range is limited.
By walking down a regular Berlin street with a Bluetooth sniffer, a PTP researcher was able to discover a number of Lovense sex toys, identifiable from their identifiers, through passive reconnaissance.
Mischievous hackers could go easily go one step further and turn on the device using commands easily derived from an examination of the kit.
The associated app causes the Hush to start vibrating when the handle 0x000e has "Vibrate:5" written to it.
A hacker "could drive the Hush's motor to full speed, and as long as the attacker remains connected over BLE and not the victim, there is no way they can stop the vibrations." Ooh err missus.
PTP concludes that it has identified a legitimate privacy issue which deserves public attention and red faces all round. "Having an adult toy unexpectedly start vibrating could cause a great deal of embarrassment in some situations."
The issue goes beyond the niche technology of internet-enabled sex toys. The latest versions of some hearing aids also support BLE. One such device was used by a father of a PTP researcher.
"I managed to find them broadcasting whilst we were having lunch one day," PTP researcher Alex Lomas wrote. "They have BLE in them to allow you to play back music, but also control and adjust their settings (like if you're in a noisy restaurant or a concert hall). These things cost £3,500 and need to be programmed by an audiologist so not only could an attacker damage or deprive someone of their hearing, but it's going to cost them to get it fixed."
PTP's research on BLE device insecurity – together with recommendations on how to shore them up – can be found here.
BLE advertises its presence. As a result, these toys can be located fairly accurately using triangulation. The potential privacy issues this throws up might be mitigated by using a generic BLE device name for, ahem, adult toys and other kit people might not necessarily want world+dog to stumble on.
In some ways the development of Bluetooth technology is making the risk more severe.
The specification for Bluetooth 4.0 allows for only one concurrent master and slave connection at once, so a device can't be hijacked once it is paired with a smartphone. However, Bluetooth 4.2 changes this so that slaves are permitted to have physical links to more than one master at a time, opening the door for rogue devices to talk to and control devices. ®