The hidden security loophole in Bluetooth-connected sex toys

6 Oct 201721 Shares

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Some smart adult toys are not entirely secure. Image: Eillen/Shutterstock

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Research shows many BLE-enabled devices for use on the body can be compromised.

BLE is the little brother of Bluetooth connectivity. It consumes less power than traditional Bluetooth would, which means it is used in lots of devices that can run on a battery for several years at a time, when minimal data exchange is required.

BLE is ubiquitous in many internet of things (IoT) devices that people are using day to day, from light bulbs and thermostats to watches. While being a useful advance in technology, many people have noted that BLE is not the most secure connectivity method.

BLE and sex toy security flaws

Alex Lomas, a security researcher for Pen Test Partners, told Siliconrepublic.com: “Many people have done great work in showing how potentially insecure BLE is as a communications protocol. They often stopped at the point that they decipher the traffic though, so we wanted to show that tampering with these devices can actually have real-world physical effects.”

These effects, it turns out, can have somewhat intimate consequences, according to research carried out by Lomas. It turns out that BLE-connected sex toys can be found and exploited by outside attackers. The whole concept of connected smart adult toys plays into the idea of someone using the product while a partner remotely controls its effects.

Lomas explained why the team chose to research a smart butt plug called the Lovense Hush to further explore the vulnerabilities evident in BLE devices: “‘Intimate wearables’ are pretty useful for this research. They use BLE, have motors and things rather than just software  – so we can demonstrate something happening – and generally have companion apps and websites – so we can look at the whole ecosystem.”

“We had to give this a name. It didn’t take long: hunting for Bluetooth adult toys equals ‘screwdriving’.” This is a play on the term ‘wardriving’, which is a term for finding Wi-Fi networks on a device while you’re driving.

Internet of things leaves people vulnerable

Lomas searched for vulnerabilities using a digital forensics and penetration-testing (no pun intended) program and he noticed that most of the BLE devices don’t possess PINs or passwords. As Lomas pointed out, there’s a challenge here: where exactly on a BLE device – like a sex toy or other body-worn device – should makers put a UI to set PINs or passwords?

Lomas explain that “BLE is baked into a lot of products, but often without any real security. Many of the devices we’ve looked at don’t ‘pair’ – they don’t exchange cryptographic keys to stop just anyone using them. Even if they do, that pairing password is often hardcoded to be 0000 or 1234.” Pretty easy for someone to just guess outright.

You might wonder, could you find a smart adult toy outside the home that could be infiltrated? The answer is yes, as Lomas found when he was walking around Berlin with a Bluetooth discovery app. He saw the Bluetooth name for the Hush pop up, which meant anyone on a public street could connect. Of course, the team didn’t connect to any device without consent.

Not just sex toys at risk

As well as smart sex toys, BLE-enabled hearing aids are also vulnerable to similar problems. Lomas’s dad’s BLE hearing aids were discovered by the researcher as they had lunch together. “These things cost £3,500 and need to be programmed by an audiologist, so not only could an attacker damage or deprive someone of their hearing, but it’s going to cost them to get it fixed.”

Lomas wants people to know that “the things they’re carrying around with them can be read or interfered with by people with malicious intent. The biggest safeguard manufacturers have come up with is that they’ve assumed the radio range isn’t that large, and I think we’ve shown that isn’t really a good assumption.

“There are mechanisms that can be deployed to better secure these types of device and I hope vendors do make some improvements.” Said improvements could include a unique PIN created for each BLE-enabled device, forbidding devices to connect unless a button push is prompted, and lowering BLE signal strength to make sure that the device controlling the toy is close to the toy itself.

 ‘Adult toys appeal to a huge spectrum of people and their ubiquity allows people to enjoy a sex-positive life. However, we think that these same people should be able to use them without fear of compromise or injury’
– ALEX LOMAS 

There are some things that can’t be fixed, though, like advertisement of BLE presence making it possible for toys to be located using triangulation. Lomas suggests generic device names.

Lomas also emphasised this was not an admonishment of those who use adult toys: “Adult toys appeal to a huge spectrum of people and their ubiquity allows people to enjoy a sex-positive life. However we think that these same people should be able to use them without fear of compromise or injury.

“Talking about these issues will hopefully lead the industry to improve the security of its toys.”

Ellen Tannam is a writer covering all manner of business and tech subjects

editorial@siliconrepublic.com