While ‘smart’ devices sound appealing because of the convenience they promise, they are also highly vulnerable to hacking and outages. Many of them also use weak security, exposing users to risks that don’t exist with non-smart products. Recently, security researchers found that a major security flaw in a ‘smart’ sex toy could have been fatal for tens of thousands of its users. Researchers at UK-based security firm Pen Test Partners said that a flaw in the Qiui Cellmate, an internet-connected chastity lock, could have allowed anyone to remotely lock a user’s penis in the device for as long as they wanted. The Qiui Cellmate is touted as the “world’s first app controlled chastity device.”
The Qiui Cellmate works by letting users remotely lock and unlock the chastity chamber over Bluetooth using a mobile app. The app communicates with the device through an API, but that API was left open without a password, allowing anyone to take control of a device. The findings were reported by TechCrunch, which quoted the researchers as saying that a user who is stuck may need a heavy-duty bolt cutter or angle grinder to be freed. The chamber of the Qiui Cellmate is designed to lock with a metal ring underneath the user’s penis.
In a blog post, the researchers also said that an attacker can lock the device very quickly. They added that there is no emergency override function or manual release to free the user. If a user is stuck, there is no way out, the researchers said. They also posted a video on the blog post demonstrating how the device locks a user in, and how the user can or can’t get out of the Qiui Cellmate if stuck.
The TechCrunch report also said that the API vulnerability gives an attacker access to private messages and a user’s location from the Qiui app. The publication first learnt of the vulnerability in June. When Qiui was contacted at the time, the company said that taking the vulnerable API offline might lock in anyone already using the device. The company then rolled out a new API, leaving the unsecured one as is. Qiui’s CEO was quoted by TechCrunch as saying that the vulnerability would be fixed in August. When contacted in August, the company said in a follow-up mail, “we are a basement team, when we fix it, it creates more problems.”
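The two flaws the article describes (an API that lets any caller lock or unlock a device, and the same API handing out other users’ messages and location) are both instances of a control endpoint that never checks who is calling or whether the caller owns the object. The following is an added illustration, not Qiui’s code or API: it models a hypothetical lock-control service in plain Python, showing the unauthenticated pattern beside a hardened version that first authenticates a bearer token and then checks ownership of the specific device or profile. All device ids, usernames, tokens and profile data are constructed sample values.

```python
"""Hypothetical IoT lock-control API, written as an added example.

Nothing here is Qiui's code or API; endpoint names, tokens and the
sample data are constructed for illustration only.
"""
import hmac

# --- Constructed sample data (no real users, devices or tokens) ---
DEVICES = {
    "dev-001": {"owner": "alice", "locked": False},
    "dev-002": {"owner": "bob", "locked": False},
}
PROFILES = {
    "alice": {"location": "51.5,-0.1", "messages": ["hi"]},
    "bob": {"location": "48.8,2.3", "messages": ["yo"]},
}
# Bearer tokens issued at login. A real service would store only hashes.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class ApiError(Exception):
    """Carries an HTTP-style status code for the dispatcher below."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


# ---------- Weak pattern: the endpoint trusts whoever asks ----------
def set_lock_insecure(device_id, locked):
    """No credential is checked: any caller who knows a device id can
    lock or unlock it. This is the class of flaw the article describes."""
    DEVICES[device_id]["locked"] = locked
    return {"status": 200, "device": device_id, "locked": locked}


# ---------- Hardened pattern: authenticate, then authorize per object ----------
def authenticate(headers):
    """Map an Authorization header to a username, or raise 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ApiError(401, "missing bearer token")
    presented = auth[len("Bearer "):]
    # Constant-time comparison against each issued token.
    for token, user in TOKENS.items():
        if hmac.compare_digest(presented, token):
            return user
    raise ApiError(401, "invalid token")


def require_owner(user, device_id):
    """Return the device only if it exists and belongs to `user`."""
    dev = DEVICES.get(device_id)
    if dev is None or dev["owner"] != user:
        # One answer for "not found" and "not yours", so a caller cannot
        # use the response to learn which device ids exist.
        raise ApiError(404, "device not found")
    return dev


def set_lock_secure(headers, device_id, locked):
    """Lock/unlock is only honoured for the authenticated owner."""
    user = authenticate(headers)
    dev = require_owner(user, device_id)
    dev["locked"] = locked
    return {"status": 200, "device": device_id, "locked": locked}


def get_profile_secure(headers, username):
    """Location and messages are returned only to the account that owns them."""
    user = authenticate(headers)
    if user != username:
        raise ApiError(403, "forbidden")
    return {"status": 200, **PROFILES[username]}


def call(handler, *args):
    """Tiny dispatcher that turns ApiError into an HTTP-style status dict."""
    try:
        return handler(*args)
    except ApiError as e:
        return {"status": e.status, "error": str(e)}


if __name__ == "__main__":
    # Weak: a stranger locks bob's device with no credential at all.
    print(set_lock_insecure("dev-002", True))
    # Hardened: the same request without a token, with bob's token against
    # alice's device, and finally with alice's own token.
    print(call(set_lock_secure, {}, "dev-001", True))
    print(call(set_lock_secure, {"Authorization": "Bearer tok-bob"}, "dev-001", True))
    print(call(set_lock_secure, {"Authorization": "Bearer tok-alice"}, "dev-001", True))
    print(call(get_profile_secure, {"Authorization": "Bearer tok-bob"}, "alice"))
```

The point of the hardened handlers is that authentication alone is not enough: `set_lock_secure` and `get_profile_secure` each check that the caller owns the specific device or profile named in the request, which is what prevents one valid account from reaching another user’s lock, messages or location. A server-side fix like this still does not address the other problem the researchers raised, the absence of any manual or emergency release on the device itself.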
The vulnerability was only made public after researchers at Pen Test Partners learnt of a separate issue from another researcher. The researchers said the public-interest case made up their minds to disclose the issue. It is not known whether anyone has maliciously exploited the Qiui API, but user reviews have pointed to a glitchy app that would repeatedly cause the device to stay locked.