Common vulnerabilities in IoT devices are especially prevalent in adult toys too.
Speaking in a session “Hacking Adult Toys” at Infosecurity Europe, Ken Munro from Pen Test Partners looked at a number of adult devices, some of which had basic authentication levels, static ID which enabled them to be controlled remotely and open ports for identification.
Munro highlighted some toys which were paired for multiple user sessions, while the Lovense vibrator has a standard Bluetooth PIN of 0000 and can be controlled by an Android app which stores, and never deletes, temporary image files.
Referring to research by Alberto Segura, Munro said that the Chrome plug-in for the toy could identify a user as an online camera model simply by identifying the email address.
In another case, a male toy could be controlled by Bluetooth, and inflate the inside of the toy remotely. Another toy’s mobile app “continuously probes for outbound connections” and if a user has connected this to a work phone, the person’s IT department will face multiple alerts. “By using this device you’re effectively telling your employer that you’re a cam model,” Munro said.
In other cases, Munro showed a Fleshlight toy that has a static link that never changes, while butt plugs can be geolocated and controlled via Bluetooth.
Munro demonstrated that code from a camera drone was used in a sex toy with a camera, and with a static IP address “admin” as the username, meaning it could stream video in real time “completely unprotected.”
In terms of disclosure, Munro said that a number of emails had been sent to manufacturers, but they had received no response.
“We have pushed hard for manufacturers to improve security, and porn is big business and we were shocked at the state of adult toys,” he said. “Vulnerabilities we knew about ten years ago are being sold to people and used in intimate situations.”
He concluded by naming Brad Render for his work in disclosure to adult toy manufacturers, and encouraged delegates to start making manufacturers listen “to get their security sorted” as SSL is not in place, there is pinning and pairing and no encryption used,” and the firmware is a train wreck - so do have a play and see security flaws and tell us and get them fixed.”