By now, we’re all pretty familiar with the concept of connected devices. Not everyone has a smart fridge or app-controlled lighting, but products like a Bluetooth speaker system or an Amazon Alexa are almost commonplace. For better or worse, we’re also quite familiar with the effects of sharing vast amounts of our personal data, and the dangers that come with inadequately protected systems.
One area of personal data you might not have given as much thought to, though, is data on our sexual behavior. Hacking a fridge to find out what kind of milk someone drinks doesn’t feel very threatening, but a malicious actor accessing data on our sexual behavior is not as benign. In honor of Valentine’s Day, we’re exploring some of our own research into the not so fun part of sex toys, and why it is vital they are secured.
As new models of smart toys for adults enter the market more and more frequently, researchers at ESET have been looking more closely at the increasingly important role played by these types of devices and the vulnerabilities they might have, with an emphasis on the risks and general advice on how to stay safe.
Finding the connection
Although they have always been popular, the current health situation around the world and the social distancing measures related to COVID-19 have seen sales of sex toys rapidly increase. For smart sex toys, this also means the introduction of new features, including group chats, multimedia messages, videoconferencing, synchronization with lists of songs or audiobooks, and much more. Each time a device’s software is updated, any discovered vulnerabilities are hopefully corrected, although an update can also create new vulnerabilities and leave others unpatched.
Most smart toys can be controlled via Bluetooth Low Energy (BLE) from apps installed on smartphones. Unlike standard Bluetooth, BLE remains in sleep mode all the time, except when a connection is initiated. BLE also has low power requirements, in part because the devices don’t process data; they only collect and transmit it. The app controls the user’s authentication process by connecting to a cloud server where the person’s account information is stored. Because of the way these devices operate, it is quite possible to intercept the communication on either of two paths: between the controlling app and the device, or between the app and the cloud server.
No match made in heaven
It is no surprise that the aforementioned IoT devices can be exploited. However, the stakes are much higher when dealing with sex toys due to the sensitivity of the information: names, sexual preferences, lists of sexual partners, information about device usage, intimate photos and video – this is all information that could have disastrous consequences if it were to fall into the wrong hands.
Cyber attacks on sex toys could result in sextortion or other social engineering attacks, utilizing sensitive images, videos or more. In countries where laws prohibit homosexuality, premarital and extramarital sexual activity, the publication of private information about individuals’ sexual behavior and their partners could potentially lead to their arrest. There are also vulnerabilities in sex toys’ controlling apps that could allow malware to be installed on smartphones, change the firmware in the toys, or even cause the toys to malfunction.
Exploiting sex toys to gain users’ data is not new either. Back in 2016, the parent company of the popular toy brand We-Vibe was hit with a series of class action lawsuits after it was found to be collecting sensitive information without user authorization. If a manufacturer collected people’s data without permission, you can bet cybercriminals will attempt the same.