Security researchers have uncovered a vulnerability in an internet-powered sex toy that can be abused to literally lock down access to the user’s crotch.
The affected sex toy is a chastity cage called CellMate, which a man can wear over their genitals. The company behind the product, Chinese company Qiui, designed it so the wearer or the wearer's partner can lock or unlock access to the chastity cage via Bluetooth using a mobile app.
However, the same product contains a (kinky) flaw: a stranger can lock down access to the cage too, thanks to vulnerabilities in the mobile app’s API, according to the researchers at PenTest Partners.
The security team discovered that the API suffers from an "insecure direct object reference" vulnerability, which essentially means data requests to the app can be made without any authentication.
As result, PenTest Partners discovered you could pull a random user's personal information from the app. The data included their name, phone number, birth date, the plaintext password, and the exact GPS coordinates for when they last opened the app. “It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” wrote PenTest Partners researcher Alex Lomas in his write-up.
That alone was bad enough. However, Lomas noticed the API flaws also enabled anyone to overwrite the permissions to a user’s CellMate sex toy, cutting off access to the locking mechanism.
“And we can do that to everyone, very quickly, locking everyone in, or out,” Lomas added. “There is no emergency override function either, so if you’re locked in there’s no way out.”
Making matters worse is how the chastity cage can only be unlocked via the mobile app. So to take the cage off while locked down, the wearer would need to cut through a metal ring that clamps around their genitals. Fortunately, PenTest Partners later devised a workaround without using any sharp objects.
PenTest Partners contacted Qiui about the vulnerabilities back in April. However, the company was largely silent on the problem. According to PenTest Partners, Qiui later told an inquiring journalist in June: “they didn’t want to fix (or couldn’t) as they ‘only’ had $50,000.”
The Internet of Dongs, a project that examines sex toys for vulnerabilities, also noticed the API flaws with the Cellmate chastity cage. The group’s researcher managed to contact Qiui’s CEO, which resulted in a partial patch. But according to the Internet of Dongs, the fixes failed to fully address the leaky API while introducing new problems.
According to Pentest Partners, only today did Qiui release an update for the CellMate’s mobile app, which now requires all API requests to be authenticated. “Older API endpoints were left up though, and new APIs still returned exact user locations,” Lomas added. So owners should update to the latest version of the app.
Qiui did not immediately respond to a request for comment. However, the whole incident underscores the dangers with "smart" sex toys, and how connecting them to the internet isn't always a great idea.