IoT sex toy data security fails to hit the spot


The latest in a new line of wearables are ‘adult sensual lifestyle products’ sporting Bluetooth and web-connected features that allow couples to share intimate experiences over long distances via a mobile app – it’s a cute twist, until it becomes clear that the manufacturer is tracking your usage without your consent.

The pleasure principle

We-Vibe has established itself as a specialist manufacturer of adult pleasure products. The company’s line of USB-charged Bluetooth-aware products is built to connect with accompanying mobile apps that allow couples to control these ‘smart vibrators’.

The Canadian company has this month made the wrong kind of headlines after reports surfaced that detailed security flaws in its flagship app. Not only was the company tracking ‘intimate’ details of product usage without customers’ consent, including temperature, intensity setting and how frequently the products were used, but the devices could also be ‘hijacked’ by anyone within Bluetooth range.

As a result, a successful class-action lawsuit, brought before an Illinois federal court, has seen We-Vibe’s parent company, Standard Innovation, ordered to pay a total of $4 million in Canadian dollars to users of the devices and apps.


The cheek of bare exposure

Although its products are professionally presented on its website and available through reputable vendors including Amazon, We-Vibe’s software application security was weak enough to allow anyone within Bluetooth range to take control of one of its devices. Although these devices are predominantly used in private home environments, the wider lesson for IoT device security is not hard to spot.

The We-Connect software for the We-Vibe range is available in English, Chinese/Mandarin, Czech, Dutch, French, German, Japanese, Polish, Portuguese, Russian and Spanish. All language versions of the app are thought to be affected.

According to an official press statement issued this month, “At Standard Innovation, we take customer privacy and data security seriously. We have enhanced our privacy notice, increased app security, provided customers more choice in the data they share and we continue to work with leading privacy and security experts to enhance the app. With this settlement, Standard Innovation can continue to focus on making new, innovative products for our customers.”

The Guardian reports further details of these flaws and explains that the We-Vibe sex toy data weaknesses were first uncovered and publicized at the DefCon hacker conference in Las Vegas last year.

A pair of New Zealand-based hackers, known as Goldfisk and Follower, were behind the revelation. In what appears to be a serious statement with no tongue-in-cheek pretentiousness, Follower has been quoted suggesting that, “unwanted activation of a vibrator is potentially sexual assault.”

We-Vibe has stressed that, at the time of writing, no customer data was hacked by outside parties. The lessons learnt here for all manufacturers of all IoT connected wearables and all devices with personalized data collection abilities, however, are serious.
