October 7, 2020, 10:39 GMT
A security hole in a high-tech male chastity belt could allow hackers to remotely lock every device in use at the same time.
The internet-connected device has no manual override, so wearers could have faced the prospect of using an angle grinder or bolt cutters to free themselves from its metal clamp.
The sex toy app has been patched by its Chinese developer after a team of UK security professionals reported the bug.
They also published a workaround, which could be useful for anyone still running the old version of the app who finds themselves locked in after an attack.
Any other attempt to cut through the device's plastic body risks injury.
Pen Test Partners (PTP), the Buckingham-based cybersecurity firm behind the research, has a reputation for shedding light on unusual findings, including problems with other sex toys in the past.
According to the firm, the latest finding shows that manufacturers of "smart" adult products still have lessons to learn.
"The problem is that the makers of these other toys sometimes rush to market," comments Alex Lomas, a researcher at the company.
"Most of the time the problem is a disclosure of sensitive personal data, but in this case you could be physically locked in."
Lock and tighten
Qiui's chastity cage sells online for around $190 and is marketed as a way for owners to give a partner control over access to their body.
Pen Test Partners estimates that around 40,000 devices have been sold, based on the number of IDs issued by its Guangdong-based maker.
The cage pairs with a smartphone over Bluetooth, which is used to trigger the device's locking and tightening mechanism.
But to do so, the app relies on sending commands to a server operated by the manufacturer.
The researchers say they found a way to trick the server into disclosing the registered name of each device's owner, among other personal details, as well as contact details and the location from which the app was used.
They also said they could retrieve the unique code assigned to each device.
They added that these codes could be used to make the server ignore requests to unlock the identified chastity toys, leaving their users locked in.
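The three paragraphs above describe a server-side API that hands out records, and accepts commands, on the strength of an identifier alone, with no check that the caller is the account that identifier belongs to. The following is an added illustration of that flaw class and its fix; it is not Qiui's code or API, and the endpoint names, record layout, device codes and session tokens are all constructed for the example. The insecure handlers take only a device code, so anyone who can guess or count through codes can read owners' details and lock their devices; the hardened handlers first resolve the caller from a session token and then refuse any device the caller does not own, returning the same error for "missing" and "not yours" so codes cannot be confirmed by probing.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Device:
    device_code: str   # the per-device identifier the article says could be retrieved
    owner: str         # account name that controls this device
    locked: bool = False


@dataclass
class User:
    name: str
    email: str
    location: str      # the kind of contact/location detail the article says was exposed
    device_code: str


# Constructed sample data for the example: hypothetical accounts, not real ones.
USERS: Dict[str, User] = {
    "alice": User("Alice Example", "alice@example.invalid", "Bristol", "dev-0001"),
    "bob": User("Bob Example", "bob@example.invalid", "Leeds", "dev-0002"),
}
DEVICES: Dict[str, Device] = {
    u.device_code: Device(u.device_code, owner) for owner, u in USERS.items()
}
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> account


def _record(u: User) -> dict:
    return {"name": u.name, "email": u.email, "location": u.location,
            "device_code": u.device_code}


# --- Insecure handlers: the only input is an identifier, the caller is never checked ---

def profile_insecure(device_code: str) -> Optional[dict]:
    """Returns the owner's record for any device code, so records are enumerable."""
    dev = DEVICES.get(device_code)
    return None if dev is None else _record(USERS[dev.owner])


def set_lock_insecure(device_code: str, locked: bool) -> bool:
    """Anyone who knows (or counts through) a device code can lock or unlock it."""
    dev = DEVICES.get(device_code)
    if dev is None:
        return False
    dev.locked = locked
    return True


def enumerate_insecure(prefix: str = "dev-", n: int = 10) -> List[dict]:
    """Sequential device codes make the insecure endpoint trivially walkable."""
    found = []
    for i in range(1, n + 1):
        rec = profile_insecure(f"{prefix}{i:04d}")
        if rec is not None:
            found.append(rec)
    return found


# --- Hardened handlers: resolve the caller from a session, then check ownership ---

class Forbidden(Exception):
    pass


def _caller(session_token: str) -> str:
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("invalid session")
    return user


def _owned_device(user: str, device_code: str) -> Device:
    dev = DEVICES.get(device_code)
    # One error for both "no such device" and "not your device": a probe
    # cannot learn whether a guessed code exists.
    if dev is None or dev.owner != user:
        raise Forbidden("no such device for this account")
    return dev


def profile_secure(session_token: str, device_code: str) -> dict:
    user = _caller(session_token)
    _owned_device(user, device_code)
    return _record(USERS[user])


def set_lock_secure(session_token: str, device_code: str, locked: bool) -> bool:
    user = _caller(session_token)
    dev = _owned_device(user, device_code)
    dev.locked = locked
    return True


def try_call(fn, *args) -> Tuple[str, Any]:
    """Reports whether a request succeeded or was refused by the hardened handlers."""
    try:
        return ("ok", fn(*args))
    except Forbidden as exc:
        return ("forbidden", str(exc))
```

The fix is not the session check alone but the pairing of session and ownership: a server that authenticates the caller yet still looks records up by an attacker-supplied identifier has the same problem, and the hardened handlers show why the ownership test belongs in one shared helper rather than being repeated per endpoint.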
Mr Lomas' team reported the issue to Qiui in May, after which the company updated its app and the affected server-side application programming interface (API).
But it left an older version of the API online, meaning anyone who had not downloaded the latest app remained, in theory, at risk.
Pen Test Partners sent follow-up emails asking for this to be addressed and enlisted the Techcrunch news site to help prompt action.
Techcrunch reports that Qiui's general manager told it he had tried to tackle the problem, but added: "when you fix it, it creates more problems."
Five months after the first contact, the British security team decided to make the issue public.
“Given the trivial nature of finding some of these issues and the fact that Qiui is working on another internal device, we felt compelled to publish,” Lomas said.
Pen Test Partners acknowledges, however, that doing so makes a real-world attack more likely.
The BBC asked Qiui for comment. Techcrunch said there was no evidence that the hack was exploited by anyone to cause damage.
But it noted that one user, who appeared to have been locked in by an unrelated bug, posted that he had been left with "a bad scar that took almost a month to recover."