Quantcast
Yes, Your Smart Dildo Can Be Hacked

If it’s connected to the internet, assume pen testers have tried to hack it. That includes your teledildonics.

Like everything else these​ days, sex toys can be connected to the internet—and that means they can be hacked.

It's easiest at this point to assume everything can be hacked, but we know connected dildos are an actual risk thanks to security researchers at the perfectly named Pen Test Partners, who like breaking into smart objects; they recently taught a speaking doll to say naughty words and had a play with adult toys, too.

It sounds silly—what's a hacker going to do, make your vibrator vibrate too aggressively?—but there's a real risk around the data that's collected, said Ken Munro, a researcher at Pen Test Partners, who walked us through the process.

"The first thing we thought was 'internet plus sex toy equals fun for us,'" he said. But put the dildo down, as the easiest place to start hacking isn't the device itself. Most internet-connected devices require an app to control them and online registration with the company, and those are likely to be the weakest links.

"Imagine if you were having a teledildonic session and there was video and that was written to this same external storage area as temporary files"

"The first thing we want to look at is what's the sign-up process, and is it secured," he said. "We're not going to go hacking that, it would be illegal, but we can sit and listen to the various traffic being sent to the websites ... and try and see what's going on." In one case—Pen Test wouldn't name names—the traffic wasn't being encrypted, leaving it vulnerable to interception.​

Next, the team looked at the app: Is it demanding too many permissions, asking for access to your photo gallery and so on? Android tends to be weaker here, as Munro said Apple is more "prescriptive" about what iOS apps can access on a phone. One app Pen Test examined had enhanced permissions to write to external storage, which can refer to a removable SD card or simply a specific area of your phone's memory.

"Imagine if you were having a teledildonic session and there was video and that was written to this same external storage area as temporary files," Munro said. "Temporary files are overwritten, but not completely, not always, and not always completely. So if I was to steal your phone, borrow your phone, or access your SD card, I've potentially got access to your rather personal video sessions."

That data could be accessed by theft, hacking, or simply if you re-sold a handset and didn't wipe it properly. To keep safe, Munro's advice is to have a six-digit PIN on your phone, use the latest version of Android, and make sure you can remote wipe it—though he warned many apps don't do the job well enough, so look for one that writes random data overtop of yours to make sure it's gone.

"What are you going to do, decrease the speed of a vibrator? Is that really going to spoil someone's day?"

Finally it's time to pick up the smart sex toy and try to hack it; again, Munro is focused on the communications between the smart vibrator and your handset. That's often via Bluetooth, which is hard to crack, but you can also target the part of the app providing the chat tool. "Normally a hacker would steal their information or banking details, but in this case, which could be highly embarrassing, I want to steal the video or details of people you're sharing this contact with."

And that's key to hacking such devices: It's about the data. "What are you going to do, decrease the speed of a vibrator? Is that really going to spoil someone's day?" he said. "It's more the data and the fact that there's video content and people's contact details ... If you want to extract cash from somebody and you can't hack their bank account, what would you do next? Threaten to release some videos of them having a selfie session with someone who's not their wife or partner."

Even if your smart dildo is locked down and your handset is secure, the weak spot could be your digital sex partner: If their handset isn't protected, your data could leak from their end. "You're trusting the security of your video to someone else's device," he said.

In other words, you still need to practise safe sex, even when it's over the internet. 

This story is part of Motherboard's Sex Ed Week, a series of sex-focused science and technology stories. Check out more stories here.