Cybersecurity researcher raises concerns about Internet-connected sex toys

What happens when your sex toy gets hacked? A new post by security researcher Matt Harrigan discusses this very real and arguably comical situation.

While I do find the idea of an IP-enabled BJ machine to be utterly hilarious and at $300, a great gift for your bestie, I am super concerned about people connecting a thing to the internet that they put their junk into. Knowing everything we know about malware, embedded system attacks, etc, what are the odds that someone figures out how to get it to clamp down on you just hard enough that you absolutely pay the ransomware fees? 

Harrigan notes that these toys – which are basically motor-controlled and Internet-connected – are very similar to other pumping machinery. He writes:

I’ve worked on SCADA devices that control oil pump rotation frequency and other such weird industrial functions where one changed configuration can intentionally or unintentionally kill people. So let’s just go over the relative risks of an internet-connected bj tube, and what questions we might ask ourselves: 

• What base hardware is this thing built on? What ICs are in it? 
• Is it a reference platform like raspi? 
• Is it all custom ASICs/FPGAs? Who tested this code? 
• Does it use secure transport to talk to the internet? 
• Is the hosting service that provides “downloadable blowjobs” secure? Can someone own it and distribute malware blowjobs? 
• What IP services listen on the AutoBlow? 
• What are the upper bounds of the motor that is in it? If your dick tube gets owned, can it in fact tear your junk off?

What could happen if a sex toy get hacked?

Internet-connected sex toys, often referred to as “teledildonics,” have grown in popularity as technology has advanced. However, like all connected devices, they are susceptible to various security risks. Here’s a look at some ways such a device could be hacked:

1. Weak Passwords: One of the most common ways to hack into any device, including connected sex toys, is through weak passwords. If the device is protected by default or easily guessable passwords, it becomes an easy target.
2. Outdated Firmware: Devices running outdated firmware can be vulnerable to known exploits. Manufacturers often release security patches to correct vulnerabilities, but if devices aren’t updated regularly, they can be susceptible to attacks.
3. Man-in-the-Middle Attacks: In such attacks, hackers intercept the communication between the sex toy and the controlling application or server. This could allow them to take control of the device or eavesdrop on data being transmitted.
4. Lack of Encryption: If the data transmission between the device and the controlling app isn’t encrypted, hackers can easily read the data packets being transmitted. This could reveal sensitive user information or allow unauthorized control.
5. Application Vulnerabilities: The apps used to control these devices can have vulnerabilities themselves. If a hacker can exploit the app, they might gain control over the device or access sensitive user data.
6. Phishing Attacks: Users might be tricked into downloading malicious applications that look like official apps for the device but are actually designed to steal data or gain control over the device.
7. Insecure APIs: Some devices communicate with servers using Application Programming Interfaces (APIs). If these APIs are not secure, hackers might access information stored on the server or manipulate device behavior.
8. Physical Tampering: Though less common, it’s possible for someone with physical access to the device to install malware or other malicious tools that allow remote access or data collection.
9. Lack of Secure Pairing: If the device doesn’t have a secure method of pairing with other devices or apps, it might be susceptible to unauthorized access.
10. Network Vulnerabilities: If the device is connected to insecure Wi-Fi networks or networks with known vulnerabilities, it might be at risk. A hacker who can access the network could potentially access any device connected to it.

It’s important to note that while these vulnerabilities exist, many manufacturers are becoming increasingly aware of security risks and are working to make their devices more secure. However, users should always be cautious, ensure they keep their devices updated, use strong, unique passwords, and be wary of downloading apps or software from unverified sources.

These risks, writes Harrigan, are real and often glossed over by the literature and instructions that accompany these products. He’s calling for manufacturers to rethink their security protocols when it comes to these things.