Bluetooth butt plug 'hacked and activated' by cybersecurity enthusiast
The claim further raises issues about security and the Internet of Things.
A cybersecurity researcher says he hacked a Bluetooth-enabled sex toy and made the device activate without the need for any authentication. In a blog post, along with a YouTube video, Giovanni Mellini says that what started as a joke between him and a friend ended up with him buying a butt plug and hacking it.
The incident raises the continuing concern that companies are pursuing technological advances in the Internet of Things without paying due care to cybersecurity. The theme was echoed by the 2017 Safe Cities Index, a research publication that specifically mentions the security vulnerabilities cities may face if technology is adopted before work on cybersecurity is done.
In the blog post published on Tuesday, 17 October, Mellini describes how he hacked the Lovense Hush butt plug using a method outlined by Simone Margaritelli. The final result, Mellini says, was that he "paired to the BLE [Bluetooth Low Energy] butt plug device without authentication or PIN from my laptop and sent the vibrate command."
In a 9-second video uploaded to YouTube, Mellini showed the command being typed in and the butt plug then vibrating.
On their website, Lovense describe the sex toy as "the world's first teledildonic butt plug: control from ANYWHERE!" The device comes with a smartphone app that can be used over Bluetooth to control the vibrations. Lovense did not immediately reply to IBTimes UK's request for comment.
"At the end is very easy to hack BLE protocol due to poor design choices," Mellini wrote in the blog post. "Welcome to 2017."
This is not the first time the security of wirelessly enabled sex toys has come into question. In August, another security researcher reverse-engineered an internet-connected dildo to receive commands using the private Tor network.
"I wanted to show that you can make communication between these devices private by default, end-to-end encrypted by default, and secure by default — and without a 3rd party server collecting the information about the people who use the product," researcher Sarah Jamie Lewis told Motherboard.