Intimate "Smart" Gadgets Reveal IoT Security Flaws

December 22, 2020

The spread of intimate "smart" toys against the backdrop of self-isolation and the lack of security these gadgets feature has fueled the interest of cybercriminals. 
Threatening to expose sensitive information that would otherwise remain hidden from society, these criminals play on one's feelings of shame and fear of losing reputation. Doing so increases their chances of success while effectively earning an impressive income through blackmail.

The "Cybersecurity Trends 2021: Staying secure in uncertain times" report released by ESET highlights this upward trend in ransomware threats. The document also speaks of "embracing a new reality" caused by a shift away from the office, which has left companies' networks vulnerable to attack. 

It's no secret that IoT devices have a number of weaknesses, such as flaws that force gadgets to use a zero encryption key, or vulnerabilities in home hubs, which are used to control smart homes and are therefore an ideal link for accessing data and controlling cameras.

However, despite the overwhelming evidence that smart gadgets have many security flaws that threaten the privacy of users' data, new app-connected sex toys are constantly appearing on the market. Studies have shown that it's possible to intercept information and remotely control the device, as well as gain access to photos, videos, and other personal data. At this time, it's evident that users cannot safely use such gadgets without putting themselves at risk of cyber-attack. 

This Issue is No Laughing Matter

Nevertheless, the era of app-connected smart toys is only just beginning. Due to the coronavirus pandemic and social distancing regulations, the sale of intimate toys has drastically increased. The latest advancements in this area are models with VR capabilities and artificially intelligent robots with cameras, microphones, and voice analysis functions. This is both impressive and worrying at the same time.

Experts emphasize that any data processed by these devices, including the user's name, sexual orientation, partners, intimate photos, and videos, is extremely confidential. Should this information fall into the wrong hands, the consequences could be catastrophic. This is especially true in countries with oppressively strict anti-sex laws, such as those where homosexuality is punishable by death. In situations like these, how can "smart" sex toys possibly be considered safe?

Most of these devices are controlled via BLE (Bluetooth Low Energy). In simple terms, sex toys are sensors that collect and send data, which is then processed by the app. To control the device, the app must establish a connection via Wi-Fi to a cloud-based server, where account information is stored.

In some cases, the program can also act as an intermediary between two users or allow a second connection through web applications, which ultimately expands the functionality, but increases the risk of attack.

A cybercriminal can intercept the connection between the control application and the device, between the application and the cloud server, or between the smartphone and the cloud server. They will then launch malware previously installed on the phone or take advantage of bugs in the operating system.

Steps To Tackle This:

1. Look for devices that do not require an account. This means you will have to abandon joint management, but safety should be a priority.
2. Avoid sharing photos or videos that identify you.
3. Do not use your real name and primary email address to register.
4. Do not use the device in a public place connected to a public network.
5. Make sure your home network is secure.
6. Test the application before purchasing the device.
7. Read the user agreement.
8. Install antivirus software on your smartphone.
9. Remember to update your smartphone software regularly.

Final Verdict

As mentioned above, the lack of secure pairing and vulnerabilities within authentication are clear causes for concern. At this time, the legal consequences of intercepting intimate devices without permission, and whether such action could be considered an act of violence, have yet to be discussed. Currently, there is no legal punishment for these "crimes," which strikes a blow to sexual, physical, and psychological safety in the digital arena.
The concept of cybercrime in this article takes on a different form as we focus on the invasion of privacy, abuse of power, and lack of consent to sexual intercourse. Should users think twice before purchasing intimate "smart" toys? Considering their obvious security flaws, are they worth using, even at the cost of the user's security, mental health, and dignity?