
The Internet of Dildos Is Watching You

Two hackers reverse engineered a popular internet connected dildo and found that it was streaming intimate information like body temperature and intensity settings.

Daniel Oberhaus


Screengrab via YouTube.

As increasingly banal devices come online as the latest additions to the internet of things, it was inevitable that sex toys would get added into the mix. Known as teledildonics, the realm of internet connected sex toys has been heralded as the future of sex for years now, and as with all internet connected devices, these toys are liable to get hacked.

The legal and ethical risks posed by the internet of dildos were the subject of a presentation by two hackers from New Zealand at DEF CON on Friday, but they were less concerned with third-party dildo exploits than the manufacturer settings that come built into the devices.

"When we started out with this research, we were wondering about the potential exploits and vulnerabilities that a third party hacker could take advantage of," said one of the presenters, who goes by the name of follower. "But when we looked more closely, it actually turns out that you might be more concerned about what the manufacturer is doing [with your dildo data]."

Along with his colleague goldfisk, follower reverse engineered the We-Vibe 4 Plus, one of the most popular internet connected dildos on the market. What the duo found was surprising: not only was the device streaming temperature data back to the manufacturer once a minute, but it was also streaming the intensity settings of the device in real time.

Goldfisk and follower speaking at DEF CON. Image: Daniel Oberhaus

"The temperature data is ostensibly related to monitoring the temperature of the motor, but we also determined that it is affected by contact with the human body," said follower during the presentation. "At minimum you can determine whether or not the device is in use even if it's not interconnected. The manufacturer is currently collecting real time data on how all of their customers are using their devices."

The streaming of this data presents a number of risks to users. It opens up the dildo to hacking from third parties (which follower suggested could be considered a new form of sexual assault, since the remote manipulation of a dildo is unwanted sexual contact), and many companies are less than transparent about how they put this data to use.

Just by collecting the data in the first place, the manufacturers are opening themselves up to exploits where hackers could collect this data and use it to blackmail the company. Yet depending on where the user is located, the manufacturer could also be putting their customers in legal jeopardy: a number of places such as India, the Philippines and Alabama criminally punish the sale or possession of sex toys.

"You could make the argument that user data collection is just a standard part of mobile apps these days," follower said during the presentation. "We want to question that assumption and say, you know, if you're making [intimate] devices that are controlled by mobile apps, maybe you should consider whether you should be collecting that information in the first place. If the information isn't collected, then it's not vulnerable to either security or data releases and legal enforcement."

Although there are ways to turn the We-Vibe into a dumb dildo, follower and goldfisk weren't content with technological fixes. During their presentation they announced the launch of the Private Play Accord, which calls for more transparency about data collection from the manufacturers of intimate devices, from dildos to pacemakers. When I spoke with follower and goldfisk after the presentation, they said they had reached out to eight manufacturers so far about the accord, but have yet to receive a response.

"The goal is to protect the privacy of devices like these," said follower. "We want to provide transparency from the manufacturers on the data they collect so that people can make informed buying choices from manufacturers that do take the privacy and security of people's intimate data seriously."