Article Thumbnail

Calm Down, No One’s Actually Hacking Your Bluetooth Sex Toys

At least not yet...

In another life that now seems far, far away, I was a grunt worker at a sex-toy store. It was a nice one — The Pleasure Chest in L.A. — but a sex-toy store nonetheless. For me, this meant one thing: for eight hours a day, I had to demo Bluetooth vibrators for awestruck customers who came in looking for the “newest, hottest trend in toys.” Given that sex-toy technology hasn’t really evolved past batteries and USB chargers for nearly 100 years, Bluetooth vibrators — which have only been around since 2007 — definitely fit that bill.

For the uninitiated, a Bluetooth or “smart” vibrator is any toy that uses a  Bluetooth-connected app that acts as the toy’s high-tech, long-distance remote control. It can be a cock ring, butt plug, male masturbator, clit vibe, G-spot stimulator — basically, anything that vibrates. Couples love them because they’re good for “spicing it up.” You can use them for long-distance sex, playing discreetly in public and experimenting with consensual power exchange (giving your partner an app that’s synced up to the toy in your ass for them to do what they want with it is a unique date night, to say the least). Some of these toys even come locked and loaded with tiny cameras, a chat function and the ability to sync its vibration patterns to the beat of your favorite song, because nothing beats cumming to the drum solo in Phil Collins’ “In the Air Tonight.” Cool, right?

Well, yes… until they get hacked. So far, white hat hackers and security testers like SEC Consultants and PenTestPartners have discovered that Bluetooth sex toys from brands like Lovense and Vibratissimo can be hacked to “remotely pleasure” people over the internet. It’s also possible to access the video being broadcast from this endoscopic dildo’s internal camera. Further, some sex-toy makers have been sending more information back to the vendor than users may be comfortable with (though that company is no longer doing so).

Since then, the rise and proliferation of Bluetooth-enabled “smart” vibrators have raised concerns about just how secure these devices actually are. Stoking these worries is a rash of alarming articles from sites like Motherboard, Forbes and Wired which outline, in painstaking detail, what the security flaws of Bluetooth sex toys are and what kind of life-ruining effects the hacking of them could wreak on your happy home.

Problem is, if you’re a Luddite like me, you have no idea what any of this means. For instance: What the hell is an “insecure API?” Also a problem: I can’t find a single example of a real person’s sex toy being hacked outside of a penetration test (no, not that kind — get your mind out of the gutter), hacking conference demonstration or unsubstantiated Reddit claim. This, of course, paints a different picture than news headlines like “Your Dildos Will Be Hacked” or “Hackers Can Locate and Control Your Smart Sex Toys.” It also raises some important questions: How easy is it to hack one of these things, actually? More importantly, how scared should you be? Are the sock drawers and well-hidden toy chests of America truly abuzz with the haunted whir of hacked sex toys rattling on for nobody? And is it already time to revert back to analog masturbation?

To find out, I called up Brad Haines (code name RenderMan), a Canadian white hat hacker with nearly two decades of infosec experience who’s taken it upon himself to become the world’s foremost expert on sex-toy security. His advocacy website Internet of Dongs has fast become the go-to resource for sex-toy companies to learn about security best practices, for white hat hackers to present their findings to the industry and for everyday people like you and me to learn about how to keep our data safe. Figuring he’d be just the person to demystify the actual danger of hacked sex toys, I ask him to explain to me how it all works on a level an eighth grader (but like, a precocious one with good hair) could understand.

According to Haines, there are multiple ways a Bluetooth sex toy can be hacked. The first is to use a Bluetooth scanner app on a phone or specialized hardware like Bluefruit or Ubertooth to intercept the signal between the device and the app that controls it.  But since no user data is stored on the toy itself, a hacker can’t see all that much using this method; Haines says hacking a device’s Bluetooth only reveals the basic commands used to control it. That means they can tell that it’s on, see what speed and pattern you’re using and even take remote control of the device itself. Meanwhile, in 2017, a report by PenTestPartners revealed that many Bluetooth-enabled sex toys beacon out a default name that disclose the device’s presence, making them vulnerable to this kind of attack (if it’s not already connected to their phone).

However, while the actual hacking skills you need to do this are pretty minimal, Haines says this type of hack is highly unlikely to occur in the wild. For one, the device has to be on (or in sleep mode) to be hacked. Even if you use your toy every day — which you probably don’t — the chances of you using it for more than 30 minutes at a time are slim, something that gives hackers an incredibly small and random window during which your device is available to be broken into. Hackers also have to be within Bluetooth range of your toy to pick up its signal, which is problematic because, according to Haines, a Bluetooth signal can only travel about 4 to 5 feet if you factor in the walls, furniture and body tissue that stand between a toy and an app (or scanner).

“Let’s just say that if someone is hacking your sex toy via Bluetooth, there’s a good chance they’re right next to you and should probably get punched in the face,” he says. Also, many newer devices make it possible to change the name of your default Bluetooth signal, so if you felt like concealing your Vibrating G-Spot Delight from prying eyes, you could easily just rename it “AirPods” or something innocuous like that (though you’d have to remember what you named it to connect to it in the future).

In other words, if you turn off your toy completely when you’re not using it, make sure no uninvited guests are within 4 to 5 feet of you, and christen your toy’s Bluetooth with a nondescript name, the chances of it being hacked via Bluetooth are pretty much nil.

That, however, doesn’t mean you’re in the clear — hackers can attack the servers that store user data and accounts from Bluetooth sex-toy apps. One way they do so is by “intercepting proxies” to view and tinker with information like login info; email addresses; control commands for the device such as speed or pattern; chat logs; dates and times the toy was used; and information about who it was used with. Some companies even store GPS data, which means a hacker could see exactly where you are in real-time as your toy is being used. And though this data is often encrypted, Haines says hacking it isn’t particularly difficult; In fact, he’s seen a 14-year-old use an intercepting proxy to figure out a toy’s control commands.

On their own, these data points might not seem like a big deal (big whoop if someone knows that time of day you masturbate), but Haines says sex-toy companies often underestimate the risk of hackers using these data points to exploit, harass or out their users, the consequences of which could be dire. “Attacking the vendor’s system could allow you to compromise account information, exploit someone for blackmail, hijack accounts, control the device remotely from anywhere without someone’s consent or impersonate an authorized partner,” says Haines. All of that is illegal and could be prosecuted as some form of cybercrime, but in many states, the latter two could also be charged as rape or sexual assault. “Being deceived or having your consent violated through a hack can be just as traumatizing as an assault in real life,” he says. “That’s why it’s so important that vendors take this stuff seriously.”

He also cautions that leaking this sort of information could be particularly risky for people who live in countries where sex toys or certain sexual expression are illegal. For example, if two men are found to be using something like the Kiiroo Onyx male masturbator together in Saudi Arabia, where both homosexuality and sex toys are illegal, they could face fines, prison time or worse. Or if a stalker were to hack into a company’s server, they might be able to see exactly where their victim is (if the company is logging GPS, that is). Haines even says he’s waiting for the day sex-toy data is used to prove a spouse is cheating in divorce court. “It’s not a matter of,” he believes. “It’s when.”

That said, not everyone sees these kinds of hacks as inherently threatening. “How dangerous a sex-toy hack is depends on who you are,” says sextech expert, sex therapist and clinical psychologist Holly Richmond. “Personally, I couldn’t care less if someone knows when I’m masturbating or what toys I’m using. Everyone masturbates, and for me, that’s not point of shame or secrecy. But I’m a sexuality professional who works in sex tech. I already put this information about myself out in the public to some extent, so I don’t find the idea of people knowing those details about my sex life to be particularly damning.” And though she fully acknowledges that other people might not be in a position to say the same thing, she says she just doesn’t see sex-toy hacking as the looming sexpocalypse it’s been made out to be.

“There’s a little bit of sensationalism to stories about sex-toy hacking,” she says. “We still view sex as something that’s private and shameful, so we tend to balk at the idea of our sex-toy data being hacked more than we do our emails or credit card accounts. In reality, there isn’t a lot of additional information hackers can get from your sex toys that they can’t from anywhere else.”

All of which brings us back to the question at hand: How scared should you actually be that some crazed maniac in a Guy Fawkes mask is going to discover that you use your buttplug every Wednesday at 1:47 p.m., and then again at 8:15 p.m.?

“Not very,” says Richmond. “While it’s obvious that hacking sex toys is possible and potentially harmful in certain situations, I’ve never even read anecdotally about a real user’s toy getting hacked. Mostly, this stuff happens at conferences, in labs or in hacking circles just to prove it’s possible.”

In fact, to my knowledge, and to the knowledge of the experts quoted in this piece, there hasn’t been a single known example of a customer’s sex toy getting hacked by anyone with malicious intent, ever. Quite the opposite actually: According to Haines, as far as anybody knows, the only hacks that are happening right now are being done by responsible parties in the service of keeping everyday users safe. That’s a serious departure from Wired’s assertion that “smart dildos keep getting hacked,” or Metro’s that Bluetooth sex toys make it possible for hackers to “pleasure you remotely over the internet,” exaggerated claims that make it sound like your vibrator is going to crawl out of your drawer and up your leg at midnight like some sort of X-rated Gremlins reboot. And while what they’re saying is technically possible, it’s important to note that as of now, a world full of sex-toy data blackmails and remote sexual assaults is one that doesn’t exist yet.  

Still, security flaws do exist and their implications are very real. That’s why people like Haines are trying to get ahead of them by approaching companies with the results of their white hat experiments in the hopes it’ll open their eyes to weaknesses in their product’s security. Already, he’s helped a handful of companies like LELO, Kiiroo, OhMiBod and Lovense improve their security, and he’s currently conducting audits of dozens of other companies so he can do the same for them. At the moment, he’s the only person conducting regular, comprehensive audits of this nature.

One of the most significant changes a company has made thanks to white hat hacking of a Bluetooth toy comes from We-Vibe. In 2016, a pair of hackers at Defcon created an app that mimicked We-Vibe’s We-Connect app to demonstrate it could be remotely controlled via Bluetooth by an unauthorized party. Following that incident (and a lawsuit over the company’s data collection methods), We-Vibe completely overhauled its app’s security, going so far as to stop collecting individualized data on users at all. As We-Vibe’s Marketing Communication Manager Denny Alexander tells me, users must opt-in to share their anonymized and aggregated data if they want to… but there’s no longer any way to connect a device with any one person. Instead, should a hacker feel inclined to take a peek at what’s there, all they’d find would be aggregate data, things like “481 We-Vibe devices are currently in use” or “most people use the highest setting.”

“Since users don’t register within the app, they don’t share any personal info with We-Vibe, and we much prefer the security benefits of doing it this way,” says Alexander. Even Haines approves — he lists We-Connect on the Internet of Dongs (IoD) site as one of the most secure sex-toy apps on the market.

For other Bluetooth sex toys, Richmond recommends a few precautions you can undertake yourself. First, she says, buy toys that are set up with something called “Bluetooth Encryption Mode 3” and make sure the apps you’re using with them have undergone a security code review (both of which you can do by checking out a company’s FAQ section, sending them an email or giving them a call; unfortunately, most companies don’t specify these things on the product packaging or website). Next, if your toy or your toy’s app has GPS, turn it off when you’re not using it, and turn off your toy completely when you’re done to avoid discovery by Bluetooth scanners. Finally, you can always visit the IoD website to see what your sex toy’s security strengths and vulnerabilities are (they don’t have every toy on there, but you can see some of the more popular ones here).

Of course, none of that will make you completely invulnerable to attack, but as Richmond says, it might allow you to enjoy what you set out to do in the first place: treat yourself to a much-deserved good time by enjoying your toy alone or with a partner. “The positives of Bluetooth-enabled sex toys like long-distance sex, public play and VR far outweigh the negatives, which, if you think about it, are really just the possibility of someone knowing that you’re masturbating,” she says. “That’s not to say I want anyone controlling my device or using my data against me, but the chances of that happening are so minuscule that I don’t think they’re worth sacrificing the pleasure and connection you could have with a Bluetooth toy.”

And if you’re still not convinced? Revert to the old-school way: masturbating with your hands, a less high-tech toy or any safe and comfortable object that can’t be downed by a massive Y2K-style event. Classics are classics for a reason.