The Internet of Things That Can Be Hacked grows daily. Lightbulbs, trucks, and fridges all have computers inside them now, and all have been hacked by someone. But at least you don’t put those inside your body.
Two years ago, someone had the good idea to put a bluetooth connection inside a vibrator, and the We-Vibe 4 Plus was born. The vibrator can connect with a smartphone app that its makers say “allows couples to keep their flame ignited – together or apart”: that is, it can be controlled remotely, while, say, making a video call.
But at the Def Con hacking conference in Las Vegas, two independent hackers from New Zealand, who go by the handles goldfisk and follower, revealed that the way the vibrator speaks with its controlling app isn’t really secure at all – making it possible to remotely seize control of the vibrator and activate it at will.
In their talk, Hacking the Internet of Vibrating Things, Follower argued that despite titters at the back of the room, the security of a sex toy should be taken seriously. “The company that makes this vibrator, Standard Innovation: They have over 2 million people using their devices, so what’s at stake is 2 million people.”
“A lot of people in the past have said it’s not really a serious issue,” he added, “but if you come back to the fact that we’re talking about people, unwanted activation of a vibrator is potentially sexual assault.”
Potentially worse still, the pair discovered that the app itself was phoning home, letting the manufacturer discover some very intimate information about users.
The app sends the temperature of the device back to Standard Innovation every minute, and every time the intensity of the vibration changes, that gets sent back too.
Between those two data points, it’s fairly easy to work out when and how often someone is using the vibrator. “What are the implications of who they’re going to give that data to,” asked goldfisk. “In their privacy policy, they say ‘we reserve the right to disclose your personally identifiable information if required to by law’, but what does that actually mean?”
In a statement, Standard Innovation said the information was sent home for “market research purposes, so that we can better understand what settings and levels of intensity are most enjoyed”.
The company’s president, Frank Ferrari, added: “Our reason for collecting CPU temperature data is purely for hardware diagnostic purposes … However, any changes in the temperature are not significant or noticeable enough to indicate the location of the product. Data is only collected when the app is in use.
“Our EULA and privacy policy does disclose that we may collect data, but we are currently in the process of reviewing our privacy & data collection protocols in an effort to provide more transparency for our customers.”
For their part, follower and goldfisk decided to seize the initiative, launching the “Private Play Accord”, an initiative to encourage sex toy manufacturers to sign up to basic standards of privacy and security. “We want to promote transparency so that people can make informed buying decisions,” follower said. They have come up with a draft rating system for products, so that users can be sure that their latest sex toy isn’t reporting the intensity of their use back to HQ.