A hacker took control of people's internet-connected chastity cages and demanded a ransom, to be paid in Bitcoin, to unlock them.
"Your cock is mine now," the hacker told one of the victims, according to a screenshot of the conversation obtained by a security researcher who goes by the name Smelly and is the founder of vx-underground, a website that collects malware samples.
In October of last year, security researchers found that the manufacturer of an Internet of Things chastity cage (a sex toy used in the BDSM community that users put around their penis to prevent erections and that can be unlocked remotely) had left an API exposed, giving malicious hackers a chance to take control of the devices. That's exactly what happened, according to a security researcher who obtained screenshots of conversations between the hacker and several victims, and according to victims interviewed by Motherboard.
A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely "locked," and he "could not gain access to it."
"Fortunately I didn’t have this locked on myself while this happened," Robert said in an online chat.
"I wasn’t the owner of the cage anymore so I didn’t have full control over the cage at any given moment," another victim who goes by the name RJ told Motherboard in an online chat. RJ said he got a message from the hacker, who said they had control of the cage and wanted a payment to unlock it.
These hacks show once again that just because you can connect something to the internet, it doesn't mean you have to—especially if you then don't take care of securing the device or its connection. It's incidents like these that make some people think the Internet of Things is just a marketing term for the Internet of Hackable Things, as we call it, or even the Internet of Shit, as others call it.
Qiui, the China-based manufacturer of the device, which is aptly called Cellmate, did not respond to a request for comment. A US distributor said in an email that the flaw that allowed the hacker to lock the victims’ cages was fixed in the latest version of the app.
Alex Lomas, a security researcher at Pentest Partners, who audited the Cellmate device, confirmed that some users received the extortion messages, and said this highlights the need for better security practices.
"Almost every company and product is going to have some kind of vulnerability in its lifetime. Maybe not as bad as this one, but something," Lomas said in an online chat. "It’s important that all companies have a way for researchers to contact them, and that they keep in touch with them."
As usual, be careful what devices you trust with your data or, in this case, with your genitals.
This story was updated to include comment from a US distributor, which reached out after the story was published.