Security Researchers Hacked a Bluetooth-Enabled Butt Plug
The quest for a secure wireless sex toy continues.
The Hush butt plug. Image: Giovanni Mellini
The device in question is Hush by Lovense, which is billed by the company as "the world's first teledildonic butt plug" that you can "control from anywhere!"
Unfortunately for Lovense, the butt plug has also joined a host of other teledildonic products that are remarkable for being insecure. In other words, even though you can control your butt plug "from anywhere," it would appear that anyone within Bluetooth range can control it, too.
Read More: The Internet of Dildos is Watching You
As detailed by Mellini in his blog post, he was able to hack the butt plug using a Bluetooth Low Energy (BLE) scanner developed by Simone Margaritelli and freely available on Github. Bluetooth is considered to not be the most secure way to send information wirelessly, but its low energy version is even more vulnerable to attacks. Still, it has found wide use in Internet of Things (IoT) devices because it drains less battery to use.
As Margaritelli wrote about the scanner used in the butt plug hack, "BLE is a cheap and very insecure version of Bluetooth, in which you have no channel hopping and no built in protocol security." This means it's relatively easy to execute a man-in-the-middle attack, in which a hacker would trick the butt plug into thinking it's talking to the user's phone and to capture information packets being sent between the devices (aka sniffing).
So why would anyone put BLE on a device then? Per Margaritelli's blog post, "If you wanna build and sell some IoT-smart-whatever crap, and you wanna do it quickly because your competitor is about to go on the market with the same shit, you take Bluetooth, you strip it from the very few close-to-decent things it has and voilá," you have a BLE-enabled device.
Using this tool in tandem with the Lovense phone app, Mellini said he was able to remotely pair with the butt plug without any sort of authentication, password, or PIN. After he had paired with the butt plug, he was able to make it vibrate on command.
The device can be remotely operated from up to 30 feet away while the user is standing, or up to 10 feet away while the user is sitting, according to Lovense's website. This means a ne'er-do-well would have to be pretty close to the butt plug in question to commandeer it. Still, the Lovense app is connected to the internet, which means an enterprising hacker could take advantage of the vulnerabilities discovered by Mellini for a truly remote butt plug hack.
According to Mellini, this hack likely could've been avoided by choosing a less insecure wireless protocol.
"It is very easy to hack BLE protocol due to poor design choices," Mellini wrote. "Welcome to 2017."
Motherboard reached out to Lovense for comment and will update this post if we hear back.
The sex toy industry has made a valiant effort to reinvent itself by connecting pleasure gadgets to the internet, but so far the nascent teledildonics space has been plagued by insecure smart dildos.
Privacy will be key if teledildonics are ever going to be adopted in a big way. But for now, these intimate objects are a little too public.
Get six of our favorite Motherboard stories every day by signing up for our newsletter .
- Simone Margaritelli
- Giovanni Mellinni