- Cybersecurity researchers discovered a vulnerability in an internet-connected chastity sex toy that could cause it to be taken over remotely and locked.
- Once the sex toy is locked by an outsider, researchers at Pen Test Partners found, there's no emergency override function — meaning the sex toy would have to be cut off using bolt cutters or an angle grinder.
- Qiui, the China-based company that makes the sex toy, has not yet patched the vulnerability. Additionally, several user reviews on the app store claim that they "got stuck" in the sex toy after it unexpectedly stopped working.
On Tuesday, researchers at
The sex toy locks a user's penis inside a chamber with a metal ring, and lets a trusted partner lock or unlock the device remotely via Bluetooth through a smartphone app. But security researchers found that the app's interface was accessible online without a password, potentially allowing a hacker or malicious third party to take over any Cellmate user's device remotely.
The vulnerability, which Pen Test Partners first discovered in April, has not yet been patched for most users, TechCrunch first reported. Qiui later pushed an update that fixed the vulnerability for new users, but existing users' accounts are still vulnerable, researchers found.
The device has no emergency override — to remove themselves, users would need an angle grinder or similar tool, "used in close proximity to delicate and sensitive areas," Pen Test Partners researchers wrote in a blog post about the vulnerability.
"The only way to get out is to cut through the steel," Pen Test Partners researcher Ken Munro said in an accompanying video. "Given where it's at, it's going to be quite hard to get out of."
Wearers can even be locked in the device for months, according to Cellmate's own product description, which warns that "once this time is set, the cage will not be able to unlock until the duration is reached."
It's not clear whether the flaw has been exploited outside of a research setting.
Pen Test Partners first contacted Qiui in April to disclose the vulnerability but said that the sex toy company missed multiple self-imposed deadlines to patch the flaw before ceasing communication with the research firm. Pen Test Partners ultimately decided to go public with their findings to alert the public to the risks they found.
Qiui did not immediately respond to Business Insider's request for comment. The company's CEO Jake Guo told TechCrunch that it was attempting to fix the problem but struggling to do so, describing Qiui as "a basement team."
Some user reviews of Qiui's app describe technical difficulties with the devices. One review in the Apple App store says the device's Bluetooth functions stopped working unexpectedly, leaving their partner trapped.
The devices also sporadically refuse to unlock, according to reviews of Qiui's app on the Google Play store. Multiple users have claimed that they got stuck in the device, with one blaming it on the "unreliable app."
"It worked for about a month until I almost got stuck in it," one reviewer wrote. "Thankfully it unlocked itself randomly and I was able to get out of it. The device left a bad scar that took nearly a month of recovery."
Problems with the app also meant that it leaked user data, including personal information, exact user locations, and private chats.
"It wouldn't take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing," Pen Test concluded.
Attackers are more likely to target the potential of personal data leakage than the remote locking feature, Pen Test said, but it's not known if these security gaps were exploited.
Qiui updated the app after Pen Test contacted it about the problems. The redeveloped app forces users to authenticate before using the lock function, but Qiui left other issues unsolved, and user locations are still accessible. The Chinese company said that lack of funds prevented it from fixing the problems.
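The two weaknesses the article describes, an app interface reachable online without a password (above) and a later fix that gated only the lock action while leaving user locations readable (this paragraph), are both failures of the same gate: every request that acts on or reads from a device must be tied to an authenticated caller who is allowed to operate that device. The following is an added example, not code from Qiui, Pen Test Partners or the Cellmate app; it is a toy in-memory model of such an API with the unprotected handler beside a hardened one. Users, session tokens, device IDs and locations are all constructed for illustration.

```python
"""Added example, not code from Qiui or Pen Test Partners. A toy in-memory
model of a device-control API: the vulnerable handler accepts any request
that reaches it (the pattern the article describes), the hardened handlers
require a session token and check that the caller may operate that device.
All users, tokens, device IDs and locations are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    params: dict                               # query or body parameters
    headers: dict = field(default_factory=dict)


class DeviceService:
    def __init__(self):
        # Constructed sample data: who may operate each device (wearer plus
        # trusted partner), lock state, and last reported location.
        self.operators = {"dev-1001": {"alice", "pat"}, "dev-1002": {"bob"}}
        self.locked = {"dev-1001": False, "dev-1002": False}
        self.location = {"dev-1001": "51.50,-0.12", "dev-1002": "48.85,2.35"}
        self.sessions = {}                     # session token -> username

    def login(self, username):
        """Issue an unguessable session token (the password check is assumed
        to have happened already and is omitted to keep the model small)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    # --- Vulnerable pattern: no authentication, no ownership check. ---
    def vulnerable_lock(self, req):
        device = req.params.get("device_id")
        if device not in self.locked:
            return 404, {"error": "unknown device"}
        self.locked[device] = True             # anyone who can reach this can lock any device
        return 200, {"locked": True}

    # --- Hardened pattern: authenticate, then authorise per device. ---
    def _caller(self, req):
        """Map a bearer token to a user; constant-time compare so token
        guessing is not sped up by timing differences."""
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        for stored, user in self.sessions.items():
            if hmac.compare_digest(stored, token):
                return user
        return None

    def _authorize(self, req):
        """Return (error_response, device); error_response is None only when
        the caller is authenticated and listed as an operator of the device."""
        user = self._caller(req)
        if user is None:
            return (401, {"error": "authentication required"}), None
        device = req.params.get("device_id")
        if device not in self.operators:
            return (404, {"error": "unknown device"}), None
        if user not in self.operators[device]:
            return (403, {"error": "not an operator of this device"}), None
        return None, device

    def hardened_lock(self, req):
        err, device = self._authorize(req)
        if err:
            return err
        self.locked[device] = True
        return 200, {"locked": True}

    def hardened_unlock(self, req):
        err, device = self._authorize(req)
        if err:
            return err
        self.locked[device] = False
        return 200, {"locked": False}

    def hardened_location(self, req):
        # The same gate applies to data reads: a fix that protects only the
        # lock action still leaks locations, the gap the article says remained.
        err, device = self._authorize(req)
        if err:
            return err
        return 200, {"location": self.location[device]}


def bearer(token):
    """Build the Authorization header for a session token."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    svc = DeviceService()
    print(svc.vulnerable_lock(Request({"device_id": "dev-1001"})))      # 200 with no credentials at all
    print(svc.hardened_lock(Request({"device_id": "dev-1001"})))        # 401: no session token
    tok = svc.login("bob")
    print(svc.hardened_lock(Request({"device_id": "dev-1001"}, bearer(tok))))  # 403: bob is not an operator
```

The design point is that `_authorize` is one function shared by every handler that touches a device, lock, unlock and location alike, so a new endpoint cannot be shipped without the check. Treating the lock action as special and leaving reads unguarded is exactly the partial fix described above.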