Smart sex toys emphasize security issues in IoT

Умные секс-игрушки подчеркивают проблемы безопасности в IoT

The company ESET has released a report on trends in cybersecurity 2021, which emphasizes the trend of rising threats from ransomware. Recall that recently about this issue, said in his report to Acronis. However, the document refers to “a new Chapter” in the history of the Internet of things, which can not but cause concern.

The intimate distribution of “smart” gadgets on the background of self-isolation, and weaknesses in the security architecture of such devices, piques the interest of cyber criminals to the whole data segment that the company decided to hide with the utmost care. The game is on the sense of shame and fear of losing reputation can bring cyber criminals an impressive income, while the chances of success increase significantly.

For anybody not a secret that IoT devices have a number of weaknesses, such as KrØØk (CVE-2019-15126), forcing gadgets to use a null encryption key, or vulnerabilities in home hubs according to the type of Fibaro Home Center Lite, Important Central Control Unit (CCU2) and the eLAN-RF-003, which are used to manage smart buildings, and therefore are an ideal element to gain access to data and controlling cameras.

On the market there are always new models of devices for sex, but studies have shown that the gadgets have a number of drawbacks from the point of view of security that threaten the confidentiality of user data. In particular, discovered during the experiments, the vulnerability allowed to intercept information and remotely control devices as well as to access photos, videos and other personal data owners. We are really far from being able to use such gadgets without putting themselves at risk of cyber attacks.

The problem may seem funny, or just curious

However, it should be noted that the sale of intimate toys are growing rapidly on the background of social distancing for a pandemic. The era of smart devices for adults just beginning. The latest achievements in this field — models with possibilities of virtual reality and robots based on artificial intelligence with cameras, microphones and voice analysis. It is impressive and disturbing at the same time.

Experts emphasize that the information that they process, is extremely sensitive: the names, sexual preferences and orientation, a list of partners data on the use of the gadget, intimate photos and videos — all these details can lead to disastrous consequences if it falls into the wrong hands. Especially if we’re talking about countries where similar topics are particularly taboo, and homosexuality can literally be punished with death. So, how safe toys in this case? And were there taken the necessary measures to protect the data and privacy of individuals?

Even if we’re not going to talk about how the government can run a campaign based on the withdrawal of these data, there is an obvious detail that should be emphasized is the app through which the device communicates with a smartphone. Maybe someone not too concerned about the interception of control “smart” vibrator, but the anxiety level increases dramatically when it comes to the phone. And what about mass lockpicking male chastity? After such “failure” can only be removed with angle grinder or similar tool, but your location data, personal information and correspondence no one will return.

Most of these devices are controlled via BLE (Bluetooth low energy). Thus, we can consider sex toys as sensors that collect data and send them to the processing application, making it can specify the necessary parameters. To control the gadget connects via Wi-Fi to a server in the cloud, where information is stored about the account. In some cases, the program can also act as a mediator between two users, or allow a connection through the web application, which ultimately extends the functionality, but increases the field for attacks.

An attacker could intercept local communications between the control application and the device, between the application and the cloud or data between the remote smartphone and the cloud. Then it can run malicious SOFTWARE, previously installed on the phone, or use the errors in the operating system.

Experts cite the example applications such as Remote Lovense, We-Connect, etc. In the first case, apart from the lack of end-to-end encryption, as it is not prohibited to take screenshots, does not actually erase data from your smartphone when using the function “delete” allows you to upload and share content from other users without warning, and learn the email address, user name and preferences. In the second application are not deleted confidential metadata, which allow to determine the precise geolocation of a person. In 2016, the researched has demonstrated how data is sent to the server without any anonymity.

What to do with all this? Unfortunately, it is possible to give some rather General advice:

  • Look for devices that allow them to manage it without account creation. Yes, will have to abandon co-management, but security in this matter is more important.

  • If possible, avoid sharing photos or videos, which you can be identified.

  • Do not use for the registration of the official name and main email.

  • Do not use toys in public places with a connection to public networks and take care to protect your home network.

  • Test the app before buying the device itself, to understand it, than to have to face. And Yes, read the user agreement.

  • Protect your smartphone with antivirus software and don’t forget to update the software.

Finally once again will raise the issue of the lack of secure pairing and vulnerabilities in authentication. At the moment, we are never told what the consequences of taking control of the sex gadgets without consent, and if you can call it an act of violence. The concept of cybercrime in this topic has changed and if we look at it from the point of view of invasion of privacy, abuse of authority and lack of consent to sexual contact. The legislation never fixed the punishment for such things that strikes sexual, physical and psychological security in the digital arena.

Information security, Smart gadgets

Eset

Go to our cases Get a free quote