Sex toys and security this Valentine’s Day

James Shepperd

By now, we’re all pretty familiar with the concept of connected devices. Not everyone has a smart fridge or app-controlled lighting, but products like a Bluetooth speaker system or an Amazon Alexa are almost commonplace. For better or worse, we’re also quite familiar with the effects of sharing vast amounts of our personal data, and the dangers that come with inadequately protected systems. 

One area of personal data you might not have given as much thought to, though, is data on our sexual behavior. Hacking a fridge to find out what kind of milk someone drinks doesn’t feel very threatening, but a malicious actor accessing data on our sexual behavior is not as benign. In honor of Valentine’s Day, we’re exploring some of our own research into the not so fun part of sex toys, and why it is vital they are secured.

As new models of smart toys for adults are entering the market more and more frequently, researchers at ESET have been looking closer into the increasingly important role played by these types of devices and the vulnerabilities they might have, placing an emphasis on risks, general advice of how to stay safe.  

Finding the connection
Although they have always been popular, the current health situation around the world and the social distancing measures related to COVID-19 have seen sales of sex toys rapidly increase. For smart sex toys, this also means the introduction of new features, including group chats, multimedia messages, videoconferencing, synchronization with lists of songs or audiobooks, and much more. Each time a device’s software is updated, hopefully any discovered vulnerabilities are corrected, although new vulnerabilities can be created and others remain unpatched.

Most smart toys can be controlled via Bluetooth Low Energy (BLE) from apps installed on smartphones. Unlike standard Bluetooth, BLE remains in sleep mode all the time, except when a connection is initiated. BLE also has low power requirements, in part because the devices don’t process data, they only collect and transmit it. The app controls the user’s authentication process by connecting to a cloud server where the person’s account information is stored. Because of the way these devices operate, it is quite possible to intercept the communication either between the controlling app and the device or between the app and the cloud server.

No match made in heaven
It is no surprise that the aforementioned IoT devices can be exploited. However, the stakes are much higher when dealing with sex toys due to the sensitivity of the information: names, sexual preferences, lists of sexual partners, information about device usage, intimate photos and video – this is all information that could have disastrous consequences if it were to fall into the wrong hands.

Cyber attacks on sex toys could result in sextortion or other social engineering attacks, utilizing sensitive images, videos or more. In countries where laws prohibit homosexuality, premarital and extramarital sexual activity, the publication of private information about individuals’ sexual behavior and their partners could potentially lead to their arrest. There are also vulnerabilities in sex toys’ controlling apps that could allow malware to be installed on smartphones, change the firmware in the toys, or even cause the toys to malfunction.

Avoiding heartbreak
Exploiting sex toys to gain users’ data is not new either. Back in 2016, the parent company of the popular toy brand We-Vibe was hit with a series of class action lawsuits after it was found to be collecting sensitive information without user authorization. If a manufacturer collected people’s data without permission, you can bet cybercriminals will attempt the same.

As with all smart devices, it is important that you are aware of the privacy and security implications associated with their use. Obviously, associated apps that do not require creating a user account potentially offer the most privacy. If that’s not possible, avoid registering using a name or email address that could identify you. As much as possible, avoid sharing photos or videos in which you can be identified, and pay special attention to the Terms and Conditions sections that mention data collected by the company as well as the processing of that data – vendors without a privacy policy should be avoided.