Malware in sex toys: How private is your playtime?

Editor’s Note: This post was originally published in October 2016 but has been updated to include the outcome of the lawsuit against WeVibe

In a time where fridges self-monitor their own food levels and cars can drive themselves, it was inevitable that the Internet of Things would catch up with the sex toy industry. Our playthings can now be controlled by an app and that can be paired to another person’s phone from wherever in the world they happen to be. But what would you do if you found out that the person at the other end of the controls was not your partner?

The We-Vibe, a device released by Standard Innovation, allows users to exchange text messages and engage in video chats when their smartphone is paired with the We-Connect app. It also allows a partner to control the device remotely. Beyond the security issues, such as a man-in-the-middle attack, a woman recently filed a lawsuit claiming the device measured highly personal information such as the date and time of each use, the intensity and mode chosen by the user, the email address of registered users and the device’s temperature at various times. This data was transmitted by the device back to the manufacturer with no explanation of how this information was being used.

Read the complaint (PDF).

CNET reports that “potential issues with the product came to light last month at the annual Defcon hacking convention when two researchers demonstrated how flaws in the software could let a hacker take over the vibrator while it’s in use. They also learned what kinds of data are being sent back to the company by taking the vibrator apart and studying the information it sends and receives.”

But, what if this information was stolen? Hacks of large companies, such as the recent attack on Yahoo which compromised over 500 million user demonstrate the magnitude of information that can be illegally obtained. One can only imagine the implications of large scale hack of very personal information such as the data held by Standard Innovation.

Is it sexual assault?

Couples toys that can be controlled by your partner remotely have been growing more and more popular. With built-in video calling and messaging, your partner can see you and control the device simultaneously.

It was revealed in the Defcon demonstration that an unknown person could easily hack the application, access your webcam and be in control of the toy without your knowledge. As well as being a gross violation of your privacy, some organisations are suggesting a far more serious crime is in play.

According to The Guardian, “a lot of people in the past have said it’s not really a serious issue, but if you come back to the face that we’re talking about people, unwanted activation of a vibrator is potentially sexual assault.”

Implications for manufacturers

In addition to the violation of a user’s privacy, there are significant security risks for manufacturers collecting such private information.

“If I hack a vibrator it’s just fun,” Raimund Genes, Chief Technology Officer at Tokyo-listed Trend Micro, told reporters at the CeBIT technology fair in Hannover.

“But if I can get to the back-end, I can blackmail the manufacturer,” he added, referring to the programming system behind a device’s interface.

Ransomware in the medical profession is highly profitable. A recent attack on a hospital in the US saw patient files held to ransom. The hospital felt forced to pay to ensure that the daily operation of the hospital was not interrupted and patient data could be returned. The collection of highly sensitive information such as that held by Standard Innovation is a prime target for a ransomware attack, risking the privacy of WeVibe’s users and the integrity of it’s manufacturer.

Update: Right to privacy upheld as Standard Innovation settles lawsuit

In a settlement filed Thursday 9th March in the Chicago federal court, We-Vibe manufacturers agreed to pay $5 million CDN (about $3.75 million USD) to resolve the privacy claims.

Their spokesperson told Fortune magazine:

“We are pleased to have reached a fair and reasonable settlement in this matter. At Standard Innovation we take customer privacy and data security seriously. We have enhanced our privacy notice, increased app security, provided customers more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app.”

As you can see, sex toys that can be accessed by anyone anywhere anytime have implications for users and for the toy’s manufacturers. So, how can you stay safe?

Read the User Policies upon purchase, particularly with regards to what information apps are able to collect and how this information will be used.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have a nice (malware-free) day!

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next