A smart world is a dangerous world if vulnerabilities are left open to be exploited. But things could have gone really bad for some users if hackers had discovered a dangerous loophole in a smart chastity sex toy. What's the worst that could happen? Well, its users could have been permanently locked in. Bad enough?

The "world's first app-controlled chastity device" could have turned into "the world's first app-controlled chastity device that locked users' penises permanently." Qiui's Cellmate had a serious security flaw which, in the wrong hands, could have meant a PR nightmare for the company. UK-based security firm Pen Test Partners was the first to find out that anyone could have remotely and permanently locked the device on its users, since it has no manual unlock or override function.

How does the Cellmate chastity lock work?

[Image: Cellmate chastity lock]Qiui

The Cellmate chastity lock is operated via an app, giving a trusted partner full control to remotely lock and unlock it via Bluetooth. But the API used to communicate with the lock was left open for anyone to take control.

The chastity lock has a metal ring that sits underneath the user's penis. So in the event of it being hacked, freeing the user's genitals may require a heavy-duty bolt cutter or an angle grinder.

More than manhood at stake

But that's not the only risk users faced from the vulnerable API in the app. It also allowed access to private messages, location, names, birthdays, passwords and phone numbers. Such sensitive data could be exploited by hackers in many ways, such as extortion or blackmail.

[Representational image: ransomware]Creative Commons

"For a realistic threat, the risk of personal data leakage seems more likely to be exploited and give reward to an attacker. A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots," researchers wrote in a blog post.

Total disregard for privacy, security

As shocking as the vulnerabilities may seem, it is the company's handling of them that shocked us more. Pen Test Partners notified Qiui of the vulnerability in April, then again in May, then three times in June, to no avail. When the researchers contacted two UK vendors, one of them pulled the sex toys off the shelves, and in response the company said the problem would be fixed in August. Given its history, there was once again no fix.

After several months of all the warnings being ignored, the researchers went public with their findings. It is not clear whether the vulnerabilities have been exploited outside of the research.