The English company PenTest Partners has been known for years on how unsafe sex technology can be. Since 2015, they have been hacking WiFi-enabled vibrators, Bluetooth butt plugs and group sex apps to alert users to the risks that arise if manufacturers neglect IT security in product development. Now they discovered a kind of networked chastity belt from China and found several weak points - with potentially serious consequences for customers.
The device called Cellmate by Qiui encloses the wearer's penis between two rings made of hardened steel and can only be unlocked via an accompanying app that communicates with the Cellmate via Bluetooth. The idea is that the wearer leaves that power to someone else they trust. However, Alex Lomas from Pen Test Partners found that completely different people can take control of the locking device.
"We have a very good reputation for examining various devices and publishing the results responsibly," Lomas writes to SPIEGEL. "That's why someone told us about the Cellmate on Twitter. A few minutes with the app were enough to tell that we'd find something interesting here. So we bought a device."
Blackmail or Phishing Attempts
Lomas and his colleagues found an unsecured interface in the app. Using six-digit numbers that were comparatively easy to guess, they could read out names, telephone numbers, location data and the membership code of any user. "An attacker would not need more than a few days to read out the entire user database and use it for blackmail or phishing attempts," says the IT experts' blog post.
Withdraw Permission to Unlock
They could in turn view and change the settings of any Cellmates via the unsecured interface: They could remotely withdraw permission from the wearer of any device to unlock and thus lock the penis as long as desired.
The Cellmate does not have an emergency function, which is why a rescue action would either require the extremely careful use of an angle grinder or bolt cutter or short-circuiting the closing motor, as Lomas describes in the blog post.
Lomas first contacted the Chinese company in April, but it took until June before they updated their app and thus at least removed some of the problematic vulnerabilities for new customers - but not for existing customers.
A TechCrunch reporter, who was privy to it early on, also tried to reach Qiui afterwards but got answers like
"We're just a basement company" and "If we fix it, we'll create new problems".
After Qiui apparently allowed three self-set deadlines to elapse without fixing all the errors, and after other security researchers found other vulnerabilities in the Cellmate, Pen Test Partners decided to publish it "in the public interest". "Obviously, others were able to discover these problems independently of us," says the blog post - by which not only researchers but also criminals are meant.
Lovely 🔥