Werner Schober is a researcher at SEC Consult and a student at the Austrian University of Applied Sciences. In his fifth year, he faced a problem many of us are quite familiar with: He had to choose a thesis topic.
He began by making a tag cloud with words from topics selected by his course mates. All of the standard IT buzzwords were there: bitcoin, GDPR, cloud, etc. But for some reason, there was no Internet of Things (IoT), a hot topic these days. It was a no-brainer, especially with Werner’s work at SEC Consult giving him a fair bit of pentest experience (i.e., hacking devices and networks and finding vulnerabilities in them) that could be applied in his research.
However, the IoT is a very broad concept, covering just about everything from traffic lights and heart pacemakers to smart teapots. The focus had to be narrowed. But the critical infrastructure side of the IoT — such as the aforementioned traffic lights and pacemakers — had already been researched to death. As for the smart home with its brainy kettles and light bulbs, that too had been covered in depth — with no really critical vulnerabilities to speak of. So what if your smart lawnmower’s been DDoSed? Just cut the grass yourself for one day.
Werner opted for an IoT subcategory that hadn’t been widely researched (although studies do exist, since hackers love the forbidden) and where vulnerabilities can lead to real consequences: smart sex toys.
Werner tested three devices: two Chinese and one German. Guess which contained more vulnerabilities? Spoiler alert: It was the latter. And how! The vulnerabilities turned out to be so critical and so numerous that Werner abandoned the Chinese devices altogether and devoted his entire thesis to the German one. He reported his findings at the 35th Chaos Communication Congress (35C3).
The German device is known as the Vibratissimo PantyBuster. It connects to an Android or iOS smartphone over Bluetooth and is controlled through a special app, either locally or remotely, from another smartphone. However, the app’s capabilities extend much further and essentially comprise a full-fledged social network with group chats (!), photo galleries (!!), friend lists (!!!), and other features.
Software: Getting to know fellow sex toy users
Let’s start with the software vulnerabilities. The root directory of the Vibratissimo website was found to contain a .DS_Store file, basically a list of all folders and files in this directory with additional settings that macOS creates to correctly display file icons and their layout. Werner was able to parse this file, thereby uncovering the names of all the folders and files in the root directory.
Of particular interest was the Config folder, which contained a file of the same name with unencrypted login credentials for database access. Werner was able to find an interface to connect to the database, enter the login credentials, and gain access to the data of all Vibratissimo users, including their usernames and passwords (again stored without encryption), as well as chats, images, and videos. What sort of chats and images might be found on a sex-toy-based social network? Probably ones of a fairly private nature.
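To audit your own web root for the kind of .DS_Store exposure described above, the following added example (not from the original research) lists the names such a file discloses. It scans for the commonly documented record layout rather than fully parsing the file; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# Data type codes that follow a name and structure ID in a .DS_Store record.
DATA_TYPES = {b"bool", b"long", b"shor", b"blob", b"type", b"ustr", b"comp", b"dutc"}

def names_in_ds_store(data):
    """Heuristically list the file names recorded in .DS_Store bytes.

    Each record is: uint32 name length (in UTF-16 units), the name in UTF-16BE,
    a 4-byte structure ID and a 4-byte data type. We scan for that shape
    rather than walking the file's internal block tree.
    """
    names = []
    for pos in range(len(data) - 12):
        (n,) = struct.unpack_from(">I", data, pos)
        end = pos + 4 + 2 * n
        if not 1 <= n <= 255 or end + 8 > len(data):
            continue
        if data[end + 4:end + 8] not in DATA_TYPES:
            continue
        try:
            name = data[pos + 4:end].decode("utf-16-be")
        except UnicodeDecodeError:
            continue
        if name.isprintable() and name not in names:
            names.append(name)
    return names

def audit_webroot(root):
    """Return {path: disclosed names} for every .DS_Store found under root."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(folder, ".DS_Store")
            with open(path, "rb") as fh:
                findings[path] = names_in_ds_store(fh.read())
    return findings

def sample_record(name, struct_id=b"Iloc", data_type=b"blob"):
    # Constructed record for the demo, not a capture from any real site.
    header = struct.pack(">I", len(name)) + name.encode("utf-16-be")
    return header + struct_id + data_type + bytes(20)

# Constructed sample: file magic, padding, then two records.
SAMPLE = b"\x00\x00\x00\x01Bud1" + bytes(8) + sample_record("Config") + sample_record("index.php")
```

Running `audit_webroot` over a build directory before publishing shows exactly which names a stray .DS_Store would hand to a visitor; any non-empty result means the file should be removed from the deployment and blocked at the web server.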
One other problem: When a gallery is created in the app, it is assigned an ID. And when you want to view the gallery, the app sends a request that includes this ID. For test purposes, Werner created a gallery with two photos of cats, obtained the ID, and then thought: What happens if the ID in the request is modified slightly, say, by subtracting one from it? As a result, he gained access to someone else’s gallery (which didn’t contain cat pics).
The app also allows users to create a quick control link to remotely turn on the device, which owners can share with others (for long distance relationships and stuff like that). No confirmation is required when someone uses the link — the device just turns on immediately. The link also contains an ID. Guess what happens if you subtract one from this ID? That’s right, someone else’s device switches on right then and there.
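An added example, not code from the Vibratissimo app or from Werner’s research: the two ID problems described above, modelled in Python with the fix beside them. The data store, function names and user names are assumptions made for illustration.

```python
import secrets
import time

# Constructed sample data with sequential IDs, as in the behaviour the article describes.
GALLERIES = {
    1001: {"owner": "alice", "shared_with": {"bob"}, "photos": ["a1.jpg"]},
    1002: {"owner": "carol", "shared_with": set(), "photos": ["cat1.jpg", "cat2.jpg"]},
}
CONTROL_LINKS = {}  # token -> link record

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

def get_gallery_vulnerable(gallery_id):
    # 'Before': the ID alone selects the object, so ID - 1 returns a stranger's gallery.
    return GALLERIES[gallery_id]["photos"]

def get_gallery(session_user, gallery_id):
    # 'After': the authenticated user must own the gallery or be on its share list.
    gallery = GALLERIES.get(gallery_id)
    allowed = set() if gallery is None else {gallery["owner"], *gallery["shared_with"]}
    if session_user not in allowed:
        raise Forbidden("no access")  # same answer for 'missing' and 'not yours'
    return gallery["photos"]

def create_control_link(owner, device_id, ttl_seconds=600):
    # 256-bit random token instead of a counter: neighbouring values mean nothing.
    token = secrets.token_urlsafe(32)
    CONTROL_LINKS[token] = {"owner": owner, "device": device_id,
                            "expires": time.time() + ttl_seconds, "confirmed": False}
    return token

def confirm_control_link(session_user, token):
    # Only the device owner can approve use of the link.
    link = CONTROL_LINKS.get(token)
    if link is None or link["owner"] != session_user:
        raise Forbidden("no access")
    link["confirmed"] = True

def use_control_link(token, now=None):
    # The device starts only for a known, unexpired, owner-confirmed, unused link.
    link = CONTROL_LINKS.get(token)
    now = time.time() if now is None else now
    if link is None or now > link["expires"] or not link["confirmed"]:
        raise Forbidden("no access")
    del CONTROL_LINKS[token]  # single use
    return link["device"]
```

The random token only makes links hard to guess; the ownership check and the explicit confirmation are what stop a valid-looking request from acting on someone else’s gallery or device.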
On top of that, when you log in on your phone, the app sends the username and password to the server in clear text, meaning that on a public network anyone can intercept them — not exactly state-of-the-art security. There were other software vulnerabilities too, but they were less significant. Plenty of significant issues turned up elsewhere, however: at the transport (device communication) and hardware levels.
Interface: Connecting with random strangers
As already mentioned, the Vibratissimo PantyBuster connects to a smartphone over Bluetooth. More specifically, it uses Bluetooth Low Energy, which allows for implementation of one of five pairing techniques — means of passkey exchange to establish a connection between the devices. The passkey to be entered on the smartphone can be written on the device itself, shown on the display, or known in advance (it might be, say, 0 or 1234). Additionally, devices can exchange passkeys using NFC, or there might be no pairing at all.
The PantyBuster has no display and is not NFC-enabled, so these options can be crossed off. Two of the remaining options are somewhat secure (somewhat), but the makers of the device valued simplicity above all, and so they chose a basic and insecure approach: no pairing. That means if someone knows and sends the device activation command, all PantyBusters in range will vibrate in unison. So anyone with the app activated can wander around the subway, for example, and pleasantly surprise any “lucky” owners who happen to be traveling with their devices.
Werner wrote a simple program that scans for enabled Bluetooth LE devices nearby, ascertains whether they are sex toys, and, if so, turns them on at full power. In case anyone was wondering, such action is not considered rape under Austrian law, but the country’s criminal code does contain a paragraph about “unwanted sexual acts,” and some other regions might have similar provisions as well.
Hardware: What’s inside
First of all, there is no option for updating the firmware. In other words, the manufacturer can do it, but not the user. When informed about Werner’s research, the manufacturer suggested that users should return their devices to be updated and then shipped back to them. But it’s unlikely that anyone would want to send in a used sex toy for service.
Second, if the device is opened, it’s possible to find interfaces that the manufacturer used for debugging and then forgot to close. These interfaces can be used to extract and then analyze the device firmware.
IoT troubles just keep on coming
Werner’s half-hour talk was high on problems and low on solutions, largely because there aren’t any. Of course, Werner reached out to the manufacturer, and together they fixed most of the problems in the app and new devices. But the hardware-level issues in devices already sold are there to stay.
Now it remains only to repeat the advice that we give in almost every post about smart things: Before you buy a smart device, read up about it online. And consider carefully (at least ten times) whether you really need its smart features. Maybe you can make do with a standard version of the same thing that doesn’t hook up to the Internet and isn’t controlled by an app? It will be cheaper and definitely safer.