Sex in the digital era – ESET reveals new research into security of smart sex toys

BRATISLAVA – Vulnerabilities in smart sex toys could leave users at risk of data breaches and attacks, both cyber and physical, according to a new white paper from global cybersecurity experts at ESET. The Sex in the Digital Era – How secure are smart sex toys? report explores the potential security and safety flaws of connected sex toys and includes an in-depth analysis of two popular devices.

Amidst ongoing social restrictions due to the pandemic, sales of sex toys have risen rapidly, and the associated cybersecurity concerns mustn’t be overlooked. As newer, technologically advanced models of sex toys enter the marketplace, incorporating mobile apps, messaging, video chat, and web-based interconnectivity, the devices become more appealing to, and more exploitable by, cybercriminals. The consequences of data breaches in this sphere can be particularly disastrous when the information leaked concerns sexual orientation, sexual behaviors, and intimate photos.

ESET researchers found vulnerabilities in the apps controlling both of the smart sex toys investigated. These vulnerabilities could allow malware to be installed on the connected phone, firmware in the toys to be changed, or even a device to be deliberately modified to cause physical harm to the user.

To address these dangers and investigate how secure smart toys are, ESET researchers analyzed two of the best-selling adult toys on the market: the We-Vibe ‘Jive’ and the Lovense ‘Max’. Analysts downloaded the vendor apps available on the Google Play Store for controlling the devices (We-Connect and Lovense Remote) and used vulnerability analysis frameworks as well as direct analysis techniques to identify flaws in their implementations.

We-Vibe
As a wearable device, the We-Vibe Jive is prone to usage in insecure environments. The device was found to continually announce its presence in order to facilitate a connection – meaning that anyone with a Bluetooth scanner could find the device in their vicinity, up to eight meters away. Potential attackers could then identify the device and use signal strength to guide them to the wearer. The manufacturer’s official app would not be required to gain control, as most browsers offer features to facilitate this.

The Jive utilizes the least secure of the BLE pairing methods, whereby the temporary key code used by the devices during pairing is set to zero, and as such, any device can connect using zero as the key. The Jive is highly vulnerable to man-in-the-middle (MitM) attacks, as an unpaired Jive could bond automatically with any mobile phone, tablet, or computer that requests it to do so, without carrying out verification or authentication.

Although multimedia files shared between users during chat sessions are saved in the app’s private storage folders, the files’ metadata remains on the shared file. This means that every time users send a photo to a remote phone, they may also be sending information about their devices and their exact geolocation.

Lovense
The Max has the ability to synchronize with a remote counterpart, which means an attacker could take control of both devices by compromising just one of them. However, multimedia files do not include metadata when received from the remote device, and the app offers the option to configure a four-digit unlock code via a grid of buttons, making brute-force attacks more difficult.

Some elements of the app’s design may threaten user privacy, such as the option to forward images to third parties without the owner’s knowledge, and the fact that deleted or blocked users continue to have access to the chat history and all previously shared multimedia files. Lovense Max does not use authentication for BLE connections either, so a MitM attack can be used to intercept the connection and send commands to control the device’s motors. Additionally, the app’s use of email addresses in user IDs presents some privacy concerns, with addresses shared in plain text among all the phones involved in each chat.
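The photo-metadata leak described above, made concrete: this is an added example, not code from ESET’s report or from either vendor’s app. It parses a JPEG’s Exif APP1 segment and reports whether GPS coordinates are still embedded, which is the check an app should make before a shared image leaves the phone. The tag numbers (0x8825 for the GPS sub-IFD, 1–4 for latitude/longitude and their N/S, E/W references) are the standard Exif ones; sample_jpeg builds a constructed test image rather than using a real photo.

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # EXIF field type -> byte size
GPS_IFD, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4         # IFD0 GPS pointer; GPS sub-IFD tags
def u32(end, buf, off=0): return struct.unpack_from(end + "I", buf, off)[0]

def read_ifd(tiff, offset, end):                                  # -> {tag: raw value bytes} for one IFD
    entries = {}
    for i in range(struct.unpack_from(end + "H", tiff, offset)[0]):
        base = offset + 2 + 12 * i                                 # 12-byte entries follow the 2-byte count
        tag, typ, count = struct.unpack_from(end + "HHI", tiff, base)
        size, raw = TYPE_SIZES.get(typ, 1) * count, tiff[base + 8:base + 12]
        entries[tag] = raw if size <= 4 else tiff[(p := u32(end, raw)):p + size]   # wide values sit at an offset
    return entries

def exif_tiff(data):                                              # TIFF block from a JPEG's Exif APP1 segment
    if data[:2] != b"\xff\xd8":
        return data if data[:2] in (b"II", b"MM") else None       # a bare TIFF block is accepted as-is
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:   # stop at start-of-scan
        length = struct.unpack_from(">H", data, pos + 2)[0]
        if data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\0\0":
            return data[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None

def gps_coordinates(data):
    """(lat, lon) in decimal degrees if GPS EXIF tags are still present in the image, else None."""
    if (tiff := exif_tiff(data)) is None:
        return None
    end = "<" if tiff[:2] == b"II" else ">"                       # "II" little-endian, "MM" big-endian
    ifd0 = read_ifd(tiff, u32(end, tiff, 4), end)
    gps = read_ifd(tiff, u32(end, ifd0[GPS_IFD]), end) if GPS_IFD in ifd0 else {}
    if any(t not in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None                                                # no GPS sub-IFD, or no coordinates in it
    def dms(raw):                                                  # three RATIONALs: degrees, minutes, seconds
        d, m, s = (n / q for n, q in struct.iter_unpack(end + "II", raw))
        return d + m / 60 + s / 3600
    lat = dms(gps[LAT]) * (-1 if gps[LAT_REF][:1] == b"S" else 1)
    lon = dms(gps[LON]) * (-1 if gps[LON_REF][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def sample_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"E"):    # constructed test image (not a real photo)
    entry = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    rationals = lambda dms: b"".join(struct.pack("<II", n, q) for n, q in dms)
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD, 4, 1, struct.pack("<I", 26)) + bytes(4)   # GPS IFD at offset 26
    gps = (struct.pack("<H", 4) + entry(LAT_REF, 2, 2, lat_ref + bytes(3)) + entry(LAT, 5, 3, struct.pack("<I", 80))
           + entry(LON_REF, 2, 2, lon_ref + bytes(3)) + entry(LON, 5, 3, struct.pack("<I", 104)) + bytes(4))
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A result other than None means the image would reveal where it was taken to every phone in the chat; stripping the APP1 segment before sending (or re-encoding the pixels) removes it.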
ESET researchers Denise Giusto and Cecilia Pastorino warn: “There are precautions that need to be taken to ensure that smart sex toys are designed with cybersecurity in mind, especially due to the severity of potential dangers. Although security seems not to be a priority for most adult devices at the moment, there are steps individuals can take to protect themselves, such as avoiding using devices in public places or areas with people passing through, such as hotels. Users should keep any smart toy connected to its mobile app while in use, as this will prevent the toy from advertising its presence to potential threat actors. As the sex toy market advances, manufacturers must keep cybersecurity top of mind, as everyone has a right to use safe and secure technology.” Both developers were sent a detailed report of the vulnerabilities and suggestions of how to fix them, and, at the time of publication, all vulnerabilities have been addressed. To read more about ESET’s full analysis of the security of these smart sex toys, Sex in the Digital Era can be read here.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.