Bluetooth 'Panty Buster' 'smart' sex toy fails penetration test

Yep, it's yet another dildon’t

By John Leyden

Posted in Security, 2nd February 2018 14:49 GMT

Security researchers have found multiple vulnerabilities in smart sex toys that open up the potential for all sorts of mischief by hackers.

The Bluetooth and internet-connected Vibratissimo Panty Buster, and its associated online services, made by German gizmo biz Amor Gummiwaren, are riddled with exploitable privacy flaws, researchers at SEC Consult said on Thursday.

The adult toy is controlled by a wirelessly connected smartphone app. You're supposed to slip this self-love gadget into your underwear, and set it off wherever you are – at home, work, etc – or have special friends control it from over the internet. It also does stuff to music. Use your imagination.

A database containing highly sensitive Vibratissimo customer data – such as explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc – was openly accessible on the internet. Enumeration of users' explicit images was possible due to predictable ID numbers, and missing authorisation checks.
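An added illustration (not code from SEC Consult, the thesis, or the vendor) of the two defects behind that enumeration, predictable IDs and missing authorisation checks, using a constructed Python stand-in for a gallery backend in which images are shared with a friends list; the vulnerable lookup sits beside a hardened one. The `Gallery` class, `can_read`, `demo` and the alice/bob/mallory scenario are all constructed here.

```python
import secrets

class Gallery:
    def __init__(self):
        self.friends = {}   # user -> set of friends the user shares galleries with
        self.images = {}    # image id -> (owner, data)
        self._seq = 0

    # The flaw the article describes: sequential id, requester never checked.
    def upload_vulnerable(self, owner, data):
        self._seq += 1
        image_id = str(self._seq)             # 1, 2, 3 ... the whole space can be walked
        self.images[image_id] = (owner, data)
        return image_id

    def fetch_vulnerable(self, requester, image_id):
        return self.images[image_id][1]       # `requester` is ignored entirely

    # Hardened form: unguessable id AND an owner-or-friend check on every read.
    def upload(self, owner, data):
        image_id = secrets.token_urlsafe(16)  # 128 random bits; not enumerable
        self.images[image_id] = (owner, data)
        return image_id

    def fetch(self, requester, image_id):
        entry = self.images.get(image_id)
        allowed = entry is not None and (
            requester == entry[0] or requester in self.friends.get(entry[0], set()))
        if not allowed:
            # One error for both "missing" and "forbidden": replies don't reveal valid ids.
            raise PermissionError("image not found")
        return entry[1]

def can_read(fetch, requester, image_id):
    try:
        fetch(requester, image_id)
        return True
    except (PermissionError, KeyError):
        return False

def demo():
    g = Gallery()
    g.friends = {"alice": {"bob"}, "bob": {"alice"}}   # constructed friends list
    vuln_id = g.upload_vulnerable("alice", b"photo-1")
    safe_id = g.upload("alice", b"photo-2")
    return {
        "stranger_reads_vulnerable": can_read(g.fetch_vulnerable, "mallory", vuln_id),
        "friend_reads_hardened": can_read(g.fetch, "bob", safe_id),
        "stranger_reads_hardened": can_read(g.fetch, "mallory", safe_id),
    }
```

Random identifiers alone are not an access control; the owner-or-friend check in `fetch` is what actually closes the hole, the unguessable id only removes the cheap enumeration path.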

Yes, explicit images. From a cyber-dildo. How? Social network stuff. SEC Consult explained:

The mobile apps used to control those devices are not just an ordinary remote. The apps offer multiple features for communication and socializing like search for other users, maintaining a friends list, a video chat, a message board and also a feature to create and share image galleries, where images can be stored and shared with friends in the Vibratissimo social network.

SEC Consult confirmed to The Reg that this leaky database is not accessible by the public.

Worse yet, a creepy miscreant may be able to remotely turn on the device without the consent of its owner, the infosec bods discovered. Non-consensual "tickling" could be carried out either against a nearby toy via Bluetooth, or over the internet.

Here's a video thrusting the flaws into the public eye:

Based on app download figures, tens of thousands of users are potentially affected. The research was carried out by Werner Schober in cooperation with security consultancy SEC Consult and the University of Applied Sciences St. Pölten in Austria.

The Vibratissimo Panty Buster, its associated iOS and Android applications, and the server backend, had multiple vulnerabilities, including:

SEC Consult contacted CERT-Bund – part of the German Federal Office for Information Security – to help coordinate the disclosure process with the German vendor. Most of the most serious vulnerabilities have since been addressed.

We're told the hardware manufacturer has implemented a more secure pairing method that is included in a new version of the pleasure-gizmo's firmware.

According to the researchers, however, the adult toy slinger disputed whether remote manipulation of other people's devices by miscreants was a problem, before emitting the fix. SEC Consult alleged the manufacturer had said it was even a "desired property of the sex toy."

We've asked Amor Gummiwaren for comment.

This research was done as a part of a master's thesis with the goal of reviewing multiple smart sex toys including several teledildonics devices. ®