Hackers are getting into your sex toys

Hackers are getting into your sex toys

CultureJanuary 25, 2017 By Lindsey Kline

Living in a technological world means that every little household item can now connect to the internet, sync up with an app, and store information in the omnipresent “cloud.” But while this inter-connectivity may allow us to take control over all the insignificant settings of our light bulbs, refrigerators, and toilets, it also allows these devices to be hacked.

Unfortunately, the same cruel fate follows for “smart” sex toys, playthings that can link to the internet and be controlled from an app. So yes, if your sex toys can connect to the internet, they can also be hacked.

This issue goes beyond some sweaty man in his grandmother’s  basement shifting up your vibration level. Although that pervert’s unwanted activation might warrant a sexual assault, what he’s more likely looking for is access to private information.

This wouldn’t be a problem if our dildos didn’t collect data that penetrates our privacy. But many smart sex toys collect their owner’s most intimate details with each session of self-pleasure.

A recent lawsuit against a smart sex toy manufacturer revealed a series of smartphone-connected vibrators that collected private details without users’ knowledge, such as when the device was used and which vibration intensity the user selected. That data was then transmitted back to the company (for research purposes, of course) at the moment of collection.

What’s worse, intimate data saving isn’t unique to just one manufacturer. Researchers have discovered a number of smart sex toys amassing sensitive information, such as the Nora and Max toys from Lomense allowing storage of intimate videos and the We-Vibe recording the date and time of each use, the chosen vibration pattern, and the user’s email address.

This personal data assemblage creates a frightening privacy threat: What if the company is hacked and those details are released? Or even if the data is kept secure, some customers might not want countless employees to have access to the dirty details of how they spend their me-time.

But in this early stage of internetting all things, exploiting security flaws is easy to do. To prove just how simple it can be, two independent programmers at Def Con hacking conference in Las Vegas hacked an app-controlled vibrator and activated it at will.

In their talk, Hacking the Internet of Vibrating Things, the hackers argued that despite the audible laughter, the security of a sex toy should be taken seriously. “The company that makes this vibrator [that we hacked] has over 2 million people using their devices, so what’s at stake is 2 million people,” they said.

Surprisingly, the simplest place to start hacking a sex toy isn't the device itself. Most internet-connected devices require online registration with the company and an app to control their settings, and those are likely to be the weakest links.

From there, a hacker can identify your email address and contact details. If your gadget happens to be a teledildonic toy, an app-controlled device that lets long-distance partners take command of one another’s settings, you suffer an added hazard. Teledildonics’ typical “Body Chat” feature, which is like Skype exclusively for virtual sex,  saves your videos in the removable storage of your device.

As Ken Munro, a security researcher who hacks into smart objects for a living, told Forbes, “It doesn’t take much to realize that in the event of a lost, stolen, or sold phone, I’ve potentially got access to naked selfie masturbation videos.”

But even though Munro and the Def Con programmers have non-maliciously hacked into several sex toys to demonstrate the hazards of that information falling into the wrong hands, no instances of ill-intentioned hacks or leaks have been reported so far. So while the public exposure of sex toys’ intimate information hasn’t claimed any victims, the palpable peril looms.

Connecting sex toys to the internet can leave them open to hackers, especially when protecting them hasn’t been taken into consideration in the manufacturing process.

And sadly, there's not much the user can do to prevent digital intrusion. Security measures (like encryption of log-in processes, videos, and storage) need to be implemented by the device manufacturer. That's why non-profit groups like Builditsecure.ly have emerged, pressuring producers to think of security and privacy from the start of their design processes.

But in the meantime, you’ll still need to practice safe sex, even when it’s over the internet.