Victims who agreed to the blackmail paid 0.02 BTC (about $ 600).
The manufacturing company updated the API of its devices to correct the failure.
Researchers found and published the source code used by a group of hackers to execute an attack on ransomware to a sex toy from the Chinese company Qiui, known as the CellMate (male chastity cage). The device works with technology based on the Internet of Things (IoT).
The attacks have been going on since the end of last year, when a group of hackers began to remotely block the application during its use, leaving many users locked in the device. Then they asked those affected for a payment of 0.02 bitcoin (USD 250 for when the attacks began and USD 600 to the current date) to be able to unlock them.
The code used for the attacks includes a series of commands that randomly choose devices and send the following message: “hahaha I have your dick now, send 0.02 bitcoin or you will be blocked forever.” Indoors the BTC address where the money should be sent is specified.
He CellMate It works like a cage to enclose the male member and is operated remotely through an application. At the beginning of the attacks, it only allowed unlocking through a programming interface (API, for its acronym in English) that connected the device with the cell phone using a password.
When the attacks began, those who were affected panicked and agreed to pay the 0.02 bitcoin. Some were blocked more than once. Others users did not give in to blackmail and contacted the manufacturer to give them access to their devices again. Behind the hack the manufacturing company decided to add some improvements to the devices, including a manual disassembly method.
An attack ransomware what could be avoided
In June of last year TechCrunch researchers they detected bugs in the sex toy API and warned the company. Months later, Qiui made an update that worked for those who bought new devices, but existing users have continued to operate with the same insecure interface.
By October 2020 researchers from Pen Test Partners they discovered another series of security vulnerabilities that affected these devices. Among them, was the ability to access the personal data of users such as: location, password, private chats, name, phone number, date of birth, the exact coordinates of where you opened the application and your memberCode (member code).
However, it was not until the first attacks occurred, at the end of the year, that the manufacturer corrected the security flaws and released the new version of its API that, in theory, should already be secure.
Unfortunately, as we reported in CriptoNoticias, in the year 2020 the coronavirus pandemic was lent for many cyberattacks to occur. An example was the attack, also with a ransomware, what suffered the production company of Master Chef and Black Mirror in November.
In that same month, another hack Through which more than 50 GB of information was stolen from the government of the National Directorate of Roads. They asked for a payment in cryptocurrencies.