This sex toy’s security flaw could literally cockblock you for life

Chastity belts have been around for centuries. If you go to sex museums around the world, you’ll see different kinds of devices with all kinds of locks and keys to deny access to your junk. If you lost the key, you’d have to force your way out of them with a hammer and tongs.

But what if your chastity belt is connected to the internet and a hacker locks it forever? A remote cockblocking attack would be a thing. This could’ve actually happened to anyone using Qiui’s Cellmate internet-connected chastity lock.

As first reported by TechCrunch, UK-based security firm Pen Test Partners said that a bug in the internet-connected sex device could’ve allowed an attacker to lock a user’s penis forever.

The device has you or a trusted partner controlling its locking functionality via a mobile app that connects to an online service — there’s no physical key for it. However, the API that talks to the app was left open without proper security protocols; an attacker could control your device and deny you access to it, without any recourse.

You read that right, there’s no way to unlock the device without the app. As Pen Test Partners explains in a video, the tube is locked onto a metal ring that’s worn at the base of the penis. So you’ll need to use a heavy-duty grinder or drill to cut it open. Good luck with that.

The security firm said that there was a workaround: opening the circuit board part of the device and using a special technique called spiking to disable the device.

The unsecured API also leaked the private data of users, including names, birthdays, the location of these devices, and the passwords to the accounts controlling them. Attackers could choose to target these users and make their information public to potentially shame them.

What’s worrying is that after Pen Test Partners contacted the company in April, it didn’t fix the bugs for the longest time, even after acknowledging them. After researchers contacted Qiui along with Renderman from the Internet of Dongs, a site that tests the privacy and security of sex toys, a new API was released in June. However, endpoints of API version 1 are still accessible, and there are still issues with them that can potentially harm customers.

It’s advisable to avoid internet-connected sexual pleasure devices that might not have a fail-safe in case of an emergency. Plus, device makers should also focus on ensuring the security and privacy of their users while making these gadgets smart.

Published October 7, 2020 — 06:25 UTC