Security researchers have found multiple vulnerabilities in smart sex toys that open up the potential for all sorts of mischief by hackers.
The Bluetooth and internet-connected Vibratissimo Panty Buster, and its associated online services, made by German gizmo biz Amor Gummiwaren, are riddled with exploitable privacy flaws, researchers at SEC Consult said on Thursday.
The adult toy is controlled by a wirelessly connected smartphone app. You're supposed to slip this self-love gadget into your underwear, and set it off wherever you are – at home, work, etc – or have special friends control it from over the internet. It also does stuff to music. Use your imagination.
A database containing highly sensitive Vibratissimo customer data – such as explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc – was openly accessible on the internet. Enumeration of users' explicit images was possible due to predictable ID numbers, and missing authorisation checks.
Yes, explicit images. From a cyber-dildo. How? Social network stuff. SEC Consult explained:
The mobile apps used to control those devices are not just an ordinary remote. The apps offer multiple features for communication and socializing like search for other users, maintaining a friends list, a video chat, a message board and also a feature to create and share image galleries, where images can be stored and shared with friends in the Vibratissimo social network.
SEC Consult confirmed to The Reg that this leaky database is not accessible by the public.
Worse yet, a creepy miscreant may be able to remotely turn on the device without the consent of its owner, the infosec bods discovered. Non-consensual "tickling" could be carried out either against a nearby toy via Bluetooth, or over the internet.
Here's a video thrusting the flaws into the public eye:
Based on app download figures, tens of thousands of users are potentially affected. The research was carried out by Werner Schober in cooperation with security consultancy SEC Consult and the University of Applied Sciences St. Pölten in Austria.
The Vibratissimo Panty Buster, its associated iOS and Android applications, and the server backend, had multiple vulnerabilities, including:
- Customer database credential disclosure
- Exposed administrative interfaces on the internet
- Cleartext storage of passwords
- Unauthenticated Bluetooth LE connections
- Insufficient authentication mechanism
- Insecure direct object reference
- Missing authentication in remote control
- Reflected cross-site scripting
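The image-enumeration flaw above is the textbook insecure direct object reference: a predictable, incrementing ID plus no check that the requester owns or was granted the image. The following is an added illustration, not code from Vibratissimo or SEC Consult, using a constructed in-memory gallery to show the unchecked endpoint beside a hardened one that enforces the share list and issues unguessable IDs:

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Image:
    image_id: str
    owner: str
    shared_with: set = field(default_factory=set)

class Gallery:
    """Constructed in-memory stand-in for a gallery backend; not the vendor's code."""

    def __init__(self):
        self._images = {}
        self._next_seq = 1

    def upload_sequential(self, owner, shared_with=()):
        # Weak: predictable, incrementing IDs, so every record is a short guess away.
        image_id = str(self._next_seq)
        self._next_seq += 1
        self._images[image_id] = Image(image_id, owner, set(shared_with))
        return image_id

    def upload_random(self, owner, shared_with=()):
        # Hardened: 128-bit unguessable IDs drawn from the OS CSPRNG.
        image_id = secrets.token_urlsafe(16)
        self._images[image_id] = Image(image_id, owner, set(shared_with))
        return image_id

    def fetch_vulnerable(self, image_id):
        # Missing authorisation check: whoever supplies a valid ID gets the image.
        return self._images.get(image_id)

    def fetch(self, requester, image_id):
        # Hardened: the caller must own the image or be on its share list.
        img = self._images.get(image_id)
        if img is None or (requester != img.owner and requester not in img.shared_with):
            return None  # identical response for "no such image" and "not yours"
        return img

def enumerate_vulnerable(gallery, id_range):
    """IDs in a guessed numeric range that the unchecked endpoint hands out."""
    return [i for i in map(str, id_range) if gallery.fetch_vulnerable(i) is not None]

def enumerate_hardened(gallery, requester, id_range):
    """Same guessed range, but only the images the requester is authorised to see."""
    return [i for i in map(str, id_range) if gallery.fetch(requester, i) is not None]
```

Walking the same ID range against both endpoints is a quick regression check that an authorisation fix actually closed the enumeration, independent of whether IDs were also made random.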
SEC Consult contacted CERT-Bund – part of the German Federal Office for Information Security – to help coordinate the disclosure process with the German vendor. The most severe vulnerabilities have largely been addressed.
We're told the hardware manufacturer has implemented a more secure pairing method that is included in a new version of the pleasure-gizmo's firmware.
According to the researchers, however, the adult toy slinger disputed whether remote manipulation of other people's devices by miscreants was a problem, before emitting the fix. SEC Consult alleged the manufacturer had said it was even a "desired property of the sex toy."
We've asked Amor Gummiwaren for comment.
This research was done as a part of a master's thesis with the goal of reviewing multiple smart sex toys including several teledildonics devices. ®