{"id":14599,"date":"2019-02-14T10:45:02","date_gmt":"2019-02-14T18:45:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/14\/news-8348\/"},"modified":"2019-02-14T10:45:02","modified_gmt":"2019-02-14T18:45:02","slug":"news-8348","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/02\/14\/news-8348\/","title":{"rendered":"Don\u2019t Get Your Valentine an Internet-Connected Sex Toy"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c631d5f210b35696012a277\/master\/pass\/Hack-SexToy.jpg\"\/><\/p>\n<p><strong>Credit to Author: Emily Dreyfuss| Date: Thu, 14 Feb 2019 15:02:40 +0000<\/strong><\/p>\n<p><span class=\"lede\">Happy Valentine\u2019s Day! <\/span>Since it\u2019s 2019, you and a partner could celebrate by installing an app on your phone that lets you control a vibrator your partner discreetly wears in their underwear all day. I mean, if you wanted to! Thanks to the burgeoning industry of teledildonics, as internet-connected sexual pleasure products are known, there\u2019s a wealth of innovative options: vibrating WiFi-enabled butt plugs, webcam-connected dildos, even the <a href=\"https:\/\/www.wired.com\/story\/ose-vibrator-ces-controversy\/\">CES-banned Ose vibrator<\/a> uses AI to provide biofeedback. That\u2019s all good\u2014pleasure is great!\u2014but like all internet-of-things devices, smart sex toys are also incredibly vulnerable. 
From over-exuberant manufacturers who slurp up data to security flaws that hackers could exploit, teledildonics can be a privacy nightmare.<\/p>\n<p>\u201cPrivacy counts across everything, and when it comes to connected sex toys it seems like it should count even more,\u201d says Jen Caltrider, content strategy lead at the Mozilla Foundation.<\/p>\n<p class=\"paywall\">That\u2019s why this month Mozilla released a special <a href=\"https:\/\/foundation.mozilla.org\/en\/privacynotincluded\/categories\/valentines-day\/\" target=\"_blank\">Valentine\u2019s Day section<\/a> of its \u201cPrivacy Not Included\u201d guide, featuring romantic gadgets like smart beds, fitness trackers, and yes, teledildonics. Caltrider explains that they picked products based on what seemed popular online, while also trying to be inclusive of all sexual orientations, genders, and physical abilities.<\/p>\n<p class=\"paywall\">So what makes for a cyber-safe sex toy? According to Mozilla, you&#x27;ll want to look out for things like whether the product uses encryption, automatic security updates, strong password requirements (where applicable), an accessible privacy policy, and a way for the company to manage security vulnerabilities in its products. Mozilla considers these five things <a href=\"https:\/\/medium.com\/read-write-participate\/minimum-standards-for-tackling-iot-security-70f90b37f2d5\" target=\"_blank\">minimum security standards<\/a> for connected devices. And like its <a href=\"https:\/\/www.wired.com\/story\/mozilla-privacy-not-included-internet-connected-toys\/\">other<\/a> <a href=\"https:\/\/www.wired.com\/story\/dont-gift-internet-connected-toys\/\">gift guides<\/a>, Mozilla highlights products that appear to meet that baseline with a badge.<\/p>\n<p class=\"paywall\">Of the 18 items that Mozilla assessed\u2014a small fraction of what\u2019s actually out there\u2014half didn\u2019t pass muster. 
Of those that did, only six could really be called teledildonic: the Lioness Vibrator, the We-Vibe Sync, and four pleasure devices from Lovense. (Mozilla counts the <a href=\"https:\/\/foundation.mozilla.org\/en\/privacynotincluded\/products\/lovense-nora-max\/\" target=\"_blank\">Lovense Nora and Max<\/a>, which work together, as two products.)<\/p>\n<p class=\"paywall\">\u201cAt the end of the day, this can be serious,\u201d Caltrider says. \u201cThese [devices] exist in the world, they&#x27;re likely to be gifts, and so we wanted to get people to sit back and think, <em>What are the privacy implications?<\/em>\u201d<\/p>\n<p class=\"paywall\">Experts have been raising the alarm about <a href=\"https:\/\/www.wired.com\/story\/the-next-security-risk-may-be-your-vibrator\/\">teledildonic security risks<\/a> for years. Poor teledildonic security could enable not just an invasion of your most intimate information but even, hypothetically, remote-controlled assault, wherein an attacker takes over the remote app of a sex toy without its user\u2019s consent. Right now the only confirmed hacks have been done by security researchers studying these devices, but experts WIRED spoke to believe that the possibility of such attacks is real\u2014and caution that it could be hard to even know if one had occurred.<\/p>\n<p class=\"paywall\">\u201cIn the IoT space, [teledildonics] is one of the biggest threats that exists,\u201d says Amie Stepanovich, US policy manager at the nonprofit advocacy group Access Now. Researchers have demonstrated how easy it is to hack into popular products time and again. \u201cThese devices, like other IoT devices, are being produced by companies that have never connected products to the internet before,\u201d Stepanovich says. Most have never had to worry about the pitfalls of big data collection or internet security.<\/p>\n<p class=\"paywall\">In Mozilla\u2019s review, the products that failed, failed hard. 
Take the <a href=\"https:\/\/foundation.mozilla.org\/en\/privacynotincluded\/products\/vibratissimo-panty-buster\/\" target=\"_blank\">Vibratissimo Panty Buster<\/a>. Mozilla writes that \u201cthis product seems to be made only for those who enjoy the thrill of potentially having their smart sex toy hacked.\u201d Caltrider was baffled by how bad it was at protecting users. \u201cThe Vibratissimo doesn\u2019t even have a privacy policy!\u201d she said in an interview with WIRED. An <a href=\"https:\/\/drive.google.com\/file\/d\/1Ux9y2jIpkcHXPbRKDPl74xAcmTlDI0Qp\/view\" target=\"_blank\">independent report<\/a> commissioned by Mozilla last year concluded that \u201cthe Vibratissimo Panty Buster vendor seems to have no regards for security.\u201d Its problems are numerous: the device allows for remote access without consent, there\u2019s no encryption, and it connects via insecure Bluetooth. Amor Gummiwaren GmbH, the vendor, did not respond to requests for comment.<\/p>\n<p class=\"paywall\">Bluetooth is a <a href=\"https:\/\/www.wired.com\/story\/turn-off-bluetooth-security\/\">recurring pain point<\/a> for IoT security. The technology has been plagued by poor security from the beginning, and what security protocols have been put in place to make Bluetooth safer are inadequate or sometimes poorly rolled out. <a href=\"https:\/\/www.makeuseof.com\/tag\/3-ways-bluetooth-device-security-risk\/\" target=\"_blank\">Researchers note<\/a> that old versions of Bluetooth that have been abandoned because of security risks are often still used. 
But even the newest versions lack robust encryption, and have flaws that let savvy bad actors within range spy on connected devices.<\/p>\n<p class=\"paywall\">\u201cOur research has shown no Bluetooth adult toys that implement secure \u2018bonding\u2019 when connecting to a phone. This makes hijack possible,\u201d said Ken Munro, a researcher at security firm Pen Test Partners, in an email to WIRED. \u201cWe\u2019ve seen problems with the mobile apps that the smart toy uses. These can allow hackers remote access to very personal and intimate data over the internet, in some circumstances.\u201d<\/p>\n<p class=\"paywall\">As far as Munro is concerned, you might not want to purchase any of these smart toys, \u201cunless you are comfortable with others nearby knowing you have one and are using it,\u201d he says. \u201cEven simply opening the Bluetooth explorer on your phone will reveal nearby smart adult devices that are powered on.\u201d<\/p>\n<p class=\"paywall\">When Bluetooth is used to hack into and take over a sex toy, it\u2019s called \u201cscrewdriving\u201d\u2014a term coined by Pen Test Partners in 2017, when its researchers discovered that the <a href=\"https:\/\/www.pentestpartners.com\/security-blog\/screwdriving-locating-and-exploiting-smart-adult-toys\/\" target=\"_blank\">Lovense Hush butt plug<\/a> could be found and remotely controlled via Bluetooth.<\/p>\n<p class=\"paywall\">The Lovense Hush, along with three other Lovense products, now meets Mozilla\u2019s minimum security standards. \u201cLovense had some problems,\u201d Caltrider says. \u201cThey had one of their toys hacked but they learned from it. There&#x27;s a link on their page that takes you to the Pen Test Partners group. 
It was an eye-opening thing for them.\u201d<\/p>\n<p class=\"paywall\">Lovense COO Joris Guisado told WIRED the hack had been good for the company and the industry. \u201cThese kinds of events showed us and everyone else that the standards were not high enough and made us realize we had some work to do to change that,\u201d Guisado said. According to him, the company reached out directly to the white hat hackers who had demonstrated the vulnerability in the company\u2019s butt plug, as well as to other researchers, and began working with them directly to improve their security.<\/p>\n<p class=\"paywall\">\u201cThey helped us put in place a vulnerability disclosure program, and we started to work with a few private Pen Testers,\u201d Guisado said. He wasn\u2019t able to point out the exact changes that the company made in response to the researchers in time for publication, but noted that Lovense has created \u201creally clear privacy policies that we keep updating, a completely offline mode to use our app locally, and an opt-out option to sharing anonymous data.\u201d Mozilla&#x27;s guide also notes Lovense uses encryption, has automatic security updates, and requires users to update the default password in order to use any remote functionality. That\u2019s about as good as it gets right now.<\/p>\n<p class=\"paywall\">For devices that don\u2019t have good basic security, there\u2019s often very little users can do to make them safer. \u201cCheck for updates for the product, as security patches may have been issued since your product was manufactured,\u201d Munro says. \u201cMake sure you use strong, unique passwords for your user accounts on the app that you control the toy with.\u201d<\/p>\n<p class=\"paywall\">But it shouldn\u2019t be on you to make these toys safe\u2014companies should make them safe by default. 
As they fumble along and learn, watchdogs like <a href=\"https:\/\/internetofdon.gs\/\" target=\"_blank\">Internet of Dongs<\/a> have sprung up in an attempt to keep track of the risks and help consumers. But sex toy companies, like most IoT companies, are still largely left to police themselves.<\/p>\n<p class=\"paywall\">In 2017, the makers of the We-Vibe vibrators (whose Sync vibrator now has a Mozilla \u201cmeets the minimum\u201d badge) agreed to <a href=\"https:\/\/www.npr.org\/sections\/thetwo-way\/2017\/03\/14\/520123490\/vibrator-maker-to-pay-millions-over-claims-it-secretly-tracked-use\" target=\"_blank\">pay $3.75 million<\/a> in a class action settlement, after two customers sued the company for allegedly tracking data about how the devices were used\u2014including vibration intensity and temperature\u2014without their knowledge. Later that year, Stepanovich and her colleagues <a href=\"https:\/\/www.theregister.co.uk\/2017\/04\/27\/ftc_urged_to_probe_easily_penetrated_tellyenabled_teledildonic_toy\/\" target=\"_blank\">urged the Federal Trade Commission<\/a> to investigate the webcam-connected Siime Eye vibrator, after researchers at Pen Test Partners realized it would be trivial for voyeurs to access its live feeds.<\/p>\n<p class=\"paywall\">But progress on specific regulation for teledildonics\u2014such as clear laws dealing with the possibility of remote-controlled assault, teledildonic <a href=\"https:\/\/www.wired.com\/story\/jeff-bezos-sextortion-allegation\/\">sextortion<\/a>, or required security protocols for vendors\u2014has been slow, experts say. 
Stepanovich says no one is holistically keeping track of what internet-of-things regulations are being proposed across the US, let alone those that are specifically about sexual products. In her opinion, the first step needs to be strengthening internet-of-things protections generally.<\/p>\n<p class=\"paywall\">Even to get policymakers to care has been a struggle. \u201cThere is a lot of judgment leveled against the people who would want to use these without considering that they could have benefits for people, not only people in long distance relationships but even people in rehabilitation from former sexual traumas,\u201d says Stepanovich. Of all the issues she\u2019s worked on at Access Now, she says, teledildonics has been the most plagued by \u201cslut-shaming\u201d and \u201cvictim blaming\u201d from those who say that people willing to use devices like this are bringing the risk onto themselves.<\/p>\n<p class=\"paywall\">None of the experts WIRED spoke to were aware of any real-world incidents of hacking into smart sex toys. \u201cBecause there likely has not been a real world situation yet we still have time to prevent and anticipate the consequences,\u201d says Stepanovich. But don\u2019t sigh in relief just yet. Munro notes it would be really hard to know if this had happened, unless hackers had taken the data and used it in a sextortion scheme. \u201cIt\u2019s perhaps more likely that data is being gathered covertly for the gratification of the attacker,\u201d he says.<\/p>\n<p class=\"paywall\">Since so many toys are given as gifts from one intimate partner to another, often the person using the device is not even in control of its set-up, notes Caltrider. Stepanovich agrees this raises the stakes and likelihood for abuse. 
\u201cA lot of times technology is used to oppress people in certain types of abusive relationships, so especially when technology is a gift there needs to be a path to make sure the person who is using the product is the person who is in control of the data generated by the product,\u201d she says. She\u2019d like to see companies bake in the ability for a person to stop the flow of data to and from their device at any time.<\/p>\n<p class=\"paywall\">There\u2019s a lot of work left to do to make teledildonics secure, from updating laws, to encouraging threat disclosure programs, to making sure companies include basic security protocols. For now, Mozilla\u2019s gift guide is a pretty good place to start if you want a smart sex toy but don\u2019t want your kinks and proclivities exposed for all to see.<\/p>\n<p class=\"paywall\">You\u2019ve been warned!<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/internet-connected-sex-toys-security\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c631d5f210b35696012a277\/master\/pass\/Hack-SexToy.jpg\"\/><\/p>\n<p><strong>Credit to Author: Emily Dreyfuss| Date: Thu, 14 Feb 2019 15:02:40 +0000<\/strong><\/p>\n<p>Mozilla expands its \u201cPrivacy Not Included\u201d gift guide to the bedroom: It\u2019s all sexy fun and games until someone hacks a WiFi-enabled butt 
plug.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-14599","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14599"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14599\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}