The recent discovery that internet-connected sex toys have major security and privacy flaws should come as no shock, but it does raise the issue of how to satisfy the consumer’s needs while providing maximum protection. The most recent flaw was discovered in the Lovense Hush sex toy – an IoT-enabled butt plug – by Pen Test Partners.
The flaw involves Bluetooth Low Energy (BLE) technology and the poor security design of the sex toys themselves. According to Pen Test Partners, the Hush could be located even on a city-wide basis and can be easily hacked if it is not connected to a cell phone.
First, the device makes itself known on Bluetooth under the Hush BLE name, LVS-Z001. Simple scans using an ordinary cell phone or Bluetooth-enabled notepad can identify such devices at a fairly good distance. The fixed name clearly shows that someone has the sex toy nearby, even if it is connected or “paired” with a Bluetooth control device such as a personal cell phone. While this presents privacy issues with in-home use, the device may also be found on users in public.
“Recently I was in Berlin, walking with a Bluetooth discovery app, this one is Lightblue,” noted the PTP researcher. “I was genuinely surprised to see the Hush BLE name, LVS-Z001, pop up.”
“BINGO! This is genuinely the discovery of a Hush plug, ready and waiting for anyone to connect to it, on a public street.”
BLE technology also enables these toys to be located using radio triangulation techniques. With multiple trackers it is possible to identify the specific individual who may be carrying one. There are other methods as well, such as gateway scanners placed in storefronts that will trigger a hit on the device as one passes through the entrance.
This raises the likelihood that large organizations can use a combination of camera facial recognition and scanning to identify the specific individual equipped with a sex toy. If the gateway scanner is placed at a check-out/purchase register, commercial stores could identify the specific user and obtain account information along with marketing data from the device itself.
The PTP researchers used Bluefruit hardware and Wireshark software to see the BLE command packets sent by the sex toy. The researchers noted that this low-cost setup enabled them to see the control command codes sent to the Hush device. The commands themselves can be reproduced and replayed using a simple BLE dongle available for about £5 ($7 US dollars). A hacker could send short hex character strings to command the Hush to turn on, vibrate at various levels or turn off.
The BLE connection did not require any PIN entry, so there was no security in place to stop anyone from commanding the Hush device. This security problem with Bluetooth is not uncommon with most devices. In fact, most Bluetooth devices either have no PIN or a fixed PIN value of 0000 or 1234. This poor security is shared by a wide variety of IoT sex toys tested by PTP, including the Kiiroo Fleshlight, Lelo and Lovense Nora and Max.
“Loading a configuration at the factory could allow for a unique PIN to be created for each adult toy. This is an expensive option, as devices will have to be powered up and flashed. A PIN sticker per device will also add cost,” continue the PTP researchers.
There are problems inherent in Bluetooth itself that lend themselves to security and privacy breaches. Current Bluetooth devices will resort to an open status once the battery runs out or when they become disconnected from the controlling cell phone. Once this occurs, a hacker can establish complete control. Current Bluetooth 4.0 technology also specifies that only one cell phone can control your Bluetooth device. This protocol makes it hard to either reset the authorization or jam the connection. However, Bluetooth 4.2 is very different. The 4.2 protocol allows multiple cell phones to control a single device, complicating the situation and making it far easier for a hacker to gain illicit access.
These sex toys are bound to become more sophisticated in the near future: storing additional usage data locally, recording sessions and, as we have seen, becoming equipped with other sensors such as cameras and GPS location devices. The fact that they are also connected to the Internet, or to devices that are Internet connected, raises the specter of both security and privacy issues. The possibility that a public figure may be embarrassed is only one of a myriad of privacy concerns, which include the collection of mass surveillance information using these devices to track, monitor, and monetize through marketing.
While at present unlikely, there is also a danger of physical harm, since similar technology is already in a number of other devices such as Bluetooth hearing aids and medical devices. Several recent research efforts have focused on the danger posed by insecure IoT devices and shown that they can be made to cause physical damage and even kill.
Manufacturers could adopt a higher level of security, but this will add to both the expense and the complexity of controlling such devices. The Bluetooth naming convention could be altered to display a randomized string or MAC address rather than the fixed name of “LVS-Z001”, thus solving the privacy issue of being detected by a wireless search. In addition, the user could be required to program the device upon first use with a secure PIN, thus disabling any attempt to hack it.
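The naming fix described above can be checked before a product ships. The following is an added example, not code from Pen Test Partners or any manufacturer: it parses a BLE advertising payload into its length/type/data structures and flags a fixed product-style name or a non-rotating address. The name pattern, sample payloads and addresses are constructed for illustration.

```python
import re

# AD types from the Bluetooth Assigned Numbers: shortened / complete local name.
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09
# Assumption: product names look like "LVS-Z001" (letters, dash, model code).
MODEL_NAME = re.compile(r"^[A-Z]{2,5}-[A-Z]?\d{2,4}$")

def parse_ad(payload: bytes) -> dict:
    """Split a BLE advertising payload into {ad_type: data} (length, type, data)."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length marks padding / end
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        fields[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return fields

def address_kind(addr: str, is_random: bool) -> str:
    """Classify a BLE address; random subtypes use the top two bits of the MSB."""
    if not is_random:
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static random", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top, "reserved")

def privacy_findings(payload: bytes, addr: str, is_random: bool) -> list:
    """Return findings that make a device recognisable or trackable."""
    findings = []
    fields = parse_ad(payload)
    raw = fields.get(AD_COMPLETE_NAME) or fields.get(AD_SHORT_NAME)
    if raw is not None:
        name = raw.decode("utf-8", errors="replace")
        if MODEL_NAME.match(name):
            findings.append("fixed product name advertised: " + name)
    kind = address_kind(addr, is_random)
    if kind in ("public", "static random"):
        findings.append("trackable address type: " + kind)
    return findings

# Constructed samples: flags plus complete local name, and flags only.
LEAKY = bytes([0x02, 0x01, 0x06, 0x09, 0x09]) + b"LVS-Z001"
QUIET = bytes([0x02, 0x01, 0x06])

if __name__ == "__main__":
    print(privacy_findings(LEAKY, "C4:12:34:56:78:9A", True))
    print(privacy_findings(QUIET, "5B:12:34:56:78:9A", True))
```

An empty result for a firmware build means neither the advertised name nor the address type identifies the product to a passive scan; it says nothing about whether the connection itself requires a PIN.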
Manufacturers are unlikely to address these issues since they are viewed as “overhead” and not a prime concern. In fact, as I noted, some makers may already be working with other large corporations to provide data mining on a scale never before imagined by marketing wizards. It is therefore not in their interest to reduce potential monetization but instead to maximize it, with neither security nor privacy.
The challenges of security and privacy in the Internet-connected world have gone from the office, to the factory, to the home, even into the bedroom and beyond. It is certain that the “giggle” factor of involving sex will distract some from the real problems lurking behind the weak security attached to these devices. The consumer and governmental watchdogs have yet to catch up to the risk posed to the general public. It may be uncomfortable to ask questions and raise such issues, but they must be addressed before someone gets hurt.
Charles R. Smith is CEO of Softwar Inc., a US-based information warfare company, and a former national security journalist. You can find Softwar at https://www.softwar.net
(Security Affairs – Bluetooth, sex toys)