Smart devices for the bedroom: A security turn-off


In 2020, adult toy manufacturer QIUI was caught in a sticky situation. The brand’s most famous product, a chastity cage called the Cellmate, came under fire when researchers found that the app linked to the device had significant security vulnerabilities.

Professional penetration testers revealed they could hack into the company’s app, which controls Cellmate. By altering user data, testers prevented users from unlocking their devices, which, understandably, resulted in some serious panic. 

The press swiftly reported their findings, pushing QIUI to implement product security measures, including encryption.

Even those using the latest tech might need to be careful; cybersecurity experts at ESET found that security vulnerabilities don’t just exist in older toy models. In 2021, the company found weak spots in the architecture of smart sex toys and shared just how easy it is for hackers to intercept communication between a device and its controlling app. 

The global market for adult toys is huge, reaching 30 billion USD in 2020. And it’s expected to grow at a rate of 8% from 2022 to 2027, with discreet online ordering bolstering the demand for smart toys in particular. 

As it’s Valentine’s Day today, you might be considering adding a smart sex toy into your life. Read on to see what you’re getting into so you can make a more informed decision.

What are smart sex toys?

Smart sex toys are devices that are Bluetooth or Wi-Fi-enabled. There is a wide variety of toys. Some are discreet and wearable, allowing users to use these toys outside the bedroom. Generally, those with Bluetooth capabilities are controlled through a smartphone or tablet app. 

Currently, there are three types of smart intimate devices:

Remote-controlled toys 

As the name suggests, these toys are controlled by some type of remote, such as a smartphone or tablet app or an accompanying device. Toys connected through an app can be controlled from far away, which makes them the toy of choice for couples in long-distance relationships. Companies like Lovense and We-Vibe specialize in remote-controlled toys designed for long-distance couples. Toys that use Bluetooth only work at close range.

Virtual-reality toys 

VR-enabled toys like headsets can connect and sync with VR clips or content so that users can be fully immersed in an experience. Kiiroo, for one, makes toys that connect and sync to VR content for users to immerse themselves while watching.

AI toys 

This subset of smart toys is fairly new to the market and requires specific data types to enhance and tailor an experience for its user. These toys can be paired with biofeedback sensors to show a user’s response to changes in real-time. Lioness, an adult toy company, created a device with built-in sensors and a mobile app that allows users to visualize their reactions to stimulation. 

How safe are smart sex toys?

Generally, smart adult toys aren’t very secure. 

As many adult toys are connected to smartphones or tablets through Bluetooth, their presence can easily be detected with a Bluetooth scanner. In their research, ESET looked at two popular adult toys in the market and shared how a scanner they used could reveal information about the device type, signal strength, and the device’s vendor.

These devices were found to be paired using Just Works, which is the least secure Bluetooth pairing method. Researchers have found that hackers can manipulate the Just Works method to facilitate man-in-the-middle (MitM) attacks.

Security concerns of smart adult devices

Like any other IoT device, smart adult toys are susceptible to security breaches. Below, we look at some of the security concerns.

Man-in-the-middle attacks 

In their research, ESET replicated a MitM attack on the We-Vibe Jive. Using the BtleJuice framework and two Bluetooth Low Energy (BLE) dongles, ESET could connect to the actual Jive, steal information from it, and then create a dummy Jive device based on the stolen information. 

When a user connects to the fake Jive device, an attacker can then use the BtleJuice framework to view all the packets of information shared by the user from their smartphone app and to control the toy.

Cybersecurity company Pen Test Partners did a similar experiment in 2017 with Lovense’s Hush. Through a method the company termed Screwdriving, where testers hunt for Bluetooth adult toys, they could locate different toys and intercept their BLE connections. 

While walking around Berlin with a Bluetooth discovery app, one tester could identify Lovense’s Hush BLE name that someone else was using in public.

Brute-force attacks 

In another simulation, ESET demonstrated a brute-force attack on Lovense’s servers. A brute-force attack involves trying numerous possible character combinations for a passcode at high speed.

In its list of options for remote-controlled features, Lovense allows users to generate a URL featuring specific tokens. In this case, Lovense’s tokens combine four alphanumeric characters. Users can control the device remotely when this URL is entered into a browser.

Despite the brand’s prominence, ESET found that Lovense’s servers were not protected against this basic attack.
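To show why a four-character token with no server-side throttling is weak, and what the fix looks like, here is an added example (not code from ESET, Lovense or this article). It assumes a 36-symbol alphabet, since the page only says "alphanumeric", and a constructed figure of 1,000 live links; all function and class names are hypothetical.

```python
import math
import secrets
from collections import defaultdict, deque

def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random token."""
    return length * math.log2(alphabet_size)

def expected_guesses(alphabet_size: int, length: int, live_tokens: int) -> float:
    """Average independent random guesses before any live token is hit."""
    return alphabet_size ** length / live_tokens

def new_token() -> str:
    """Replacement token: 128 random bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(16)

class LookupThrottle:
    """Sliding-window cap on failed token lookups per client."""

    def __init__(self, max_failures: int = 5, window_s: float = 60.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)

    def _prune(self, client: str, now: float) -> deque:
        # Drop failures that have aged out of the window.
        q = self._failures[client]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return q

    def allow(self, client: str, now: float) -> bool:
        return len(self._prune(client, now)) < self.max_failures

    def record_failure(self, client: str, now: float) -> None:
        self._prune(client, now).append(now)

if __name__ == "__main__":
    # Assumption: alphabet is a-z plus 0-9 (36 symbols).
    print(f"4-char token: {token_bits(36, 4):.1f} bits, {36 ** 4:,} values")
    # Constructed figure: 1,000 control links live at the same time.
    print(f"avg guesses to hit a live link: {expected_guesses(36, 4, 1000):,.0f}")
    print(f"replacement token: {new_token()}")
    throttle = LookupThrottle()
    for t in range(5):  # five failed lookups from one constructed client address
        throttle.record_failure("203.0.113.7", float(t))
    print("6th lookup allowed:", throttle.allow("203.0.113.7", 5.0))
```
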

Privacy and information leak

Plenty of the apps accompanying these toys have chat and content-sharing capabilities. While this is great for long-distance couples who want to communicate with each other while using the toy, these apps do not remove sensitive metadata from images or videos, and they don’t have end-to-end encryption. ESET also found that screen captures are not disabled, and the delete function in the chat does not erase messages from all devices. 

This makes it easy for receivers of such messages or content to screenshot and share what they’ve seen with others without the content creator’s consent or knowledge. This is particularly concerning given the rise of revenge porn.

Hackers could also obtain the location information of these toys and blackmail users in countries where they can be prosecuted for their sexual activity.

Physical and emotional harm

After compromising a device, malicious hackers could, in theory, cause physical harm to users via the device’s settings. But more relevant is the sense of violating one’s body if a sex toy is being controlled without the consent of the person using it. In the case of QIUI’s Cellmate, users could also experience emotional distress when they realize they cannot free themselves from the device designed to confine them.

How to prevent hacks on smart intimate devices 

Thankfully, there are ways that users can prevent their smart intimate devices from getting hacked or manipulated by others. Here, we discuss some of the preventive measures that people can take. 

Research a product before purchasing

Before purchasing any sort of electronic device, do your research and see if the company you’re about to purchase a product from has experienced data breaches or other security issues in the past. If they have, it’s worth noting what they’ve done to fix the problems and assure customers that their products are safe for use. 

Read the privacy policy

Many adult toy manufacturers publish the privacy policy of their company on their sites. Before purchasing a toy or downloading an app, you must read the privacy policy stated on their site to understand the type of data collected from you and how such data is used.

For instance, QIUI’s privacy policy states that the company uses personal information provided by users to deliver targeted ads and marketing materials that could interest users.

Use a VPN 

If you intend to use a smart adult toy connected to an app, use it with a VPN on your phone. While this doesn’t remove the risk of someone hacking into the app maker’s servers, it does help to prevent snooping on your activity. If you use a VPN router, everything connected to the network is secured and encrypted, even your Wi-Fi connected sex toys.

Be careful who you give access to

If you’ve decided to give others access to your toy, ensure that they are people you can trust. Once you’re done using the toy together, it’s a good idea to disconnect your toy from the device. You can always pair the devices again later.

Decide if you should use these smart features

While it might seem counterintuitive, decide if it’s even worth using the smart features of an adult toy. Understanding the security risks of connecting to a toy in public or sharing access with others might help you decide if these smart features are worth it in the first place.
