Vulnerabilities have been identified in a male chastity device that could be exploited to cause the device to permanently lock. Should that happen, and you don’t have an angle grinder or the nerve to use one, it could prove to be a very embarrassing emergency room trip or fire department callout.
The reason Bluetooth connectivity has been added to the Cell Mate male chastity device is to allow a trusted individual to be provided with control of the device through a mobile phone app. The problem is the flaws, of which there are more than one, would allow control of the device to be obtained by anyone.
Since the device does not have a physical unlock mechanism and can only be unlocked via the app and Bluetooth connection, once hacked and locked there is no easy escape. The design of the device makes removal somewhat problematic and unpleasant. The device is slipped over the penis and locked in place with a hardened steel ring that is placed around the testicles. Power tools would be required to cut through the steel ring to allow it to be removed.
The vulnerabilities were identified by Pen Test Partners, who found that not only could the device be remotely hacked quite easily due to API and mobile app flaws, the user’s personal data (name and phone number) and their exact location could be obtained without authentication.
The API endpoints could be accessed with either a “MemberCode” that is generated when the device is purchased or a six-digit friend code. The researchers note that both codes “are deterministic and easily guessable”. The researchers said, “It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database for the device and use it for blackmail or phishing.”
They also said its possible to hack multiple devices simultaneously remotely, or via Bluetooth Low Energy (BLE) connections, with the latter requiring an attacker to be within range of the device. The vulnerabilities are likely to be attractive for hackers due to the blackmail and phishing potential.
After discovering the flaws, the researchers reported them to the manufacturer which set a deadline of 3 months for addressing the flaws; however, six months on and the flaws have not been fully fixed. The decision to go public was made because the flaws had not been addressed and had also been identified by another researcher. If two security researchers can find the flaws, hackers could too.
The flaws clearly highlight the need for security by design when developing devices with IoT and Bluetooth, connectivity, especially in the field of teledildonics.
The report on the vulnerabilities was released in connection with the Internet of Dongs Project: A group of security researchers who hack sex toys to identify security vulnerabilities and privacy issues, to ensure those privacy, security, and safety flaws are addressed by the manufacturers.