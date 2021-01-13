A security breach in a chastity sex toy connected to the Internet allowed cybercriminals to permanently block the Qiui Cellmate device in October last year, which blocks male genitalia as a modern chastity system. Now it became known that cybercriminals were asking about 270 dollars in exchange to release it, plus other details.

This week, specialized cybersecurity sites revealed that the source code of the ChastityLock ransomware, which was specifically aimed at extorting those who use these sex toys, is now available for investigation.

And to understand the details of a very unpleasant situation that the users of the Cellmate.

The Cellmate leaked code. Photo Bleeping Computer

The device is controlled by Bluetooth and, through a vulnerability, they managed to hack it.

The Qiui Cellmate works on the initial idea that you put it on a man and that his partner can regulate when it allows you to take it off and when not. But the hack allowed third parties to access and block it remotely, in exchange for a ransom (dynamics of ransomware).

The “key” of the sexual game is that it is controlled by whoever does not have it, but the situation led to an atypical system in which the Cellmate was lost. Its price is around 190 dollars.

The Cellmate product is offered on Amazon. It costs $ 189. Photo: capture.

The report on the situation was published by the company Pen Test Partners, which published a video (in English) explaining how the hack was and showing the device:

What was vulnerability like: the investigation

The researchers found that making a request to any API endpoint did not require authentication, and that the use of a “friend code” six digits would return “a lot of information about that user” such as location, phone number, plain text password. This gave a very dangerous result.

Cellmate, the internet-connected chastity sex toy. Photo DPA

“It didn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it to blackmail or phishing“Pen Test Partners specialists wrote in a report.

Following the disclosure, an attacker began targeting users of the Qiui Cellmate mobile app who were controlling the smart toy and blocking the chastity device. Victims were asked to pay 0.02 bitcoins, around $ 270 at the time of the attacks.

The malware includes code that communicates with Qiui API endpoints to list user information and send messages to the victim’s app and add friends, according to the analysis of security researcher Ax Sharma, collects the site Bleeping Computer.

The reports: this is how the victims realized

The countries from which they managed to extract personal data. Photo Pen Test Partners

Shortly after the attacks began, a flood of complaints emerged from victim users who reported that they could no longer control adult smart toy. Some of them were victims of the attacker several times.

The attacker taunted the victims when asked what had happened, saying that they used magic to take control of the toy.

Some users were concerned that the only way to remove the Cellmate device was cutting itas there was no manual override for the Bluetooth lock.

According to the report, the situation was desperate for users because in the first instance it did not seem to admit escape. The problem was that mechanically cutting the steel used for the lock required a angle grinder, and given the sensitivity of the genital area, this was not entirely safe.

Then users realized that by contacting remote support and asking unlocking Cellmate was possible to break free. Another user realized that with a screwdriver he could disable it, which is why Qiui posted a video showing how to do it. The latter came with the cancellation of the product warranty.

“The attacker said no one paid the ransom. It is not clear if this was due to the victims unlocking the device themselves, through Qiui’s support, or if the attacker did it, ”Bleeping Computer posted.

Qiui explained, now, that the latest update should avoid the problem and that it is safe to use.