Security flaws in sex toys are nothing new, but one set of vulnerabilities could have been particularly dangerous, not to mention embarrassing. Pen Test Partners has disclosed (via TechCrunch) application programming interface (API) flaws in Qiui’s Cellmate, a male chastity sex toy, that let attackers remotely lock a user’s penis in. If that happened, you’d need to force the toy open either with heavy tools (think an angle grinder or bolt cutter) or by jolting certain wires with electricity. There’s no manual override.
The API flaws also let intruders collect private messages, plaintext passwords and location info without authenticating.
Qiui’s approach was apparently frustrating as well. The company was initially responsive and fixed the “majority” of issues with a new version of the interface, but it missed three self-imposed deadlines and ultimately went quiet. Pen Test Partners decided to make the issues public after input from other researchers made it clear that poor communication was all too common. The disclosure was in the “public interest,” the security firm said.
While security problems are a reality for numerous connected devices, this incident underscores the particular dangers for sex toys. They not only tend to include sensitive info, but can sometimes give hackers an opportunity to do physical harm. As helpful as connected toys can be for remaining in touch with a partner (particularly during a pandemic), they carry a unique set of risks.