Date: 2021-03-11

Sex toys, or toys for adults, also have connected versions that are linked to a mobile application to expand their functions, but they generally suffer from a lack of protection that puts their users' sensitive data at risk, as the IT security company ESET has shown with the We-Vibe Jive and Lovense Max products.

More and more erotic toys incorporate mobile applications, messaging, video chat and connectivity, which makes them attractive not only to users who want to enjoy themselves, but also to cybercriminals, who have found in them a new attack vector.

The consequences of a data breach in these types of products can be “very problematic for the victim”, since it can leak private and sensitive information, such as sexual orientation, behaviors and even intimate photographs, as ESET explains.

Researchers at this cybersecurity company have analyzed two connected toys for adults “in depth”, We-Vibe Jive and Lovense Max, and found vulnerabilities in the applications that control them. These could facilitate the installation of malware on the phone, changes to the toy's firmware, or even modification of the device's actions, causing physical harm to the user.

We-Vibe Jive

We-Vibe Jive is a hands-free vibrator that can be used outside the home environment. Through the analysis of its application, the researchers explain that the device continuously sends signals to announce its presence and facilitate the connection, so any device that reads Bluetooth signals can discover it if it is nearby (at a maximum of about eight meters).

Jive uses the least secure pairing method, and the temporary key used for pairing is zero, so any device could use that key to connect to the vibrator.

This means that attackers could identify the device and use the signal to find the user wearing the vibrator. In addition, the researchers point out that the official application is not needed to control the device, since it can be operated from most browsers.

On the other hand, the multimedia files shared by users during chat sessions are saved in the application’s private folders, but the metadata of these files remains in the shared files, so every time a user sends a photo to the other phone, additional information about the device or the exact geolocation is sent with it.

Lovense Max

In the case of the male masturbator Lovense Max, the device can be synchronized with another remote device, which would allow an attacker to take control of both by compromising only one of them.

However, unlike the other toy, multimedia files do not include metadata when information is received from the device, and the application allows the user to configure a four-digit password, which makes attempts by cybercriminals more difficult.

The Lovense Max male masturbator. Photo: EFE.

However, some elements of the application's design can pose a threat to the user’s privacy, such as the option to forward images to third parties without the owner's knowledge, or the fact that users who have been deleted can continue to have access to the chat history.

Lovense Max does not use authentication for Bluetooth Low Energy (BLE) connections, so man-in-the-middle attacks can be used to intercept the connection and send control commands to the device’s motors.

Also, the application uses the email address in the user ID, which can be a privacy issue, since the address is shared with all the phones connected to the chat.

The IT security company ESET sent both Lovense and We-Vibe a report with the discovered vulnerabilities, which were fixed before the report was published.