‘Panty Buster’ ‘smart’ sex toy fails penetration test

Security researchers have found multiple vulnerabilities in smart sex toys that open up the potential for all sorts of mischief by hackers.

The Bluetooth and internet-connected Vibratissimo Panty Buster, and its associated online services, made by German gizmo biz Amor Gummiwaren [Rubber Love Goods], are riddled with exploitable privacy flaws, [according to researchers at SEC Consult].


The adult toy is controlled by a wirelessly connected smartphone app. You’re supposed to slip this self-love gadget into your underwear, and set it off wherever you are – at home, work, etc – or have special friends control it from over the internet. It also does stuff to music. Use your imagination.

What could possibly go wrong?

A database containing highly sensitive Vibratissimo customer data – such as explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc – was openly accessible on the internet. Enumeration of users’ explicit images was possible due to predictable ID numbers, and missing authorisation checks.
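As an added illustration (not code from SEC Consult's advisory or from the Vibratissimo service), here is the flawed shape the advisory describes, a gallery-image lookup with sequential IDs and no authorisation check, beside a hardened version that uses unguessable IDs and checks ownership or explicit sharing on every read; the `Gallery` class, its method names and the requester/owner model are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Image:
    owner: str
    data: bytes
    shared_with: Set[str] = field(default_factory=set)  # friends allowed to view


class Gallery:
    """Constructed in-memory stand-in for the image-gallery backend."""

    def __init__(self) -> None:
        self._images: Dict[str, Image] = {}
        self._next_seq = 1  # sequential counter, used only by the flawed path

    def upload_vulnerable(self, owner: str, data: bytes) -> str:
        """Predictable ID: whoever sees '42' can simply walk '41', '43', ..."""
        image_id = str(self._next_seq)
        self._next_seq += 1
        self._images[image_id] = Image(owner, data)
        return image_id

    def get_vulnerable(self, image_id: str) -> Optional[bytes]:
        """No authorisation check: the caller's identity is never consulted."""
        img = self._images.get(image_id)
        return img.data if img else None

    def upload_hardened(self, owner: str, data: bytes) -> str:
        """Opaque ID: 128 bits from the OS CSPRNG, so IDs cannot be enumerated."""
        image_id = secrets.token_urlsafe(16)
        self._images[image_id] = Image(owner, data)
        return image_id

    def get_hardened(self, requester: str, image_id: str) -> Optional[bytes]:
        """Authorisation check on every read: owner or explicitly shared friend.
        Unknown and forbidden IDs both yield None, so nothing leaks about existence."""
        img = self._images.get(image_id)
        if img is None or (requester != img.owner and requester not in img.shared_with):
            return None
        return img.data

    def share(self, owner: str, image_id: str, friend: str) -> bool:
        """Only the owner may grant access; anyone else is refused."""
        img = self._images.get(image_id)
        if img is None or img.owner != owner:
            return False
        img.shared_with.add(friend)
        return True
```

Note that the opaque ID alone is not the fix: the authorisation check in `get_hardened` is what stops a leaked or guessed ID from exposing someone else's image.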

Obviously, one should think long and hard before buying an Internet-connected dildo.

Yes, explicit images. From a cyber-dildo. How? Social network stuff. SEC Consult explained:

“The mobile apps used to control those devices are not just an ordinary remote. The apps offer multiple features for communication and socializing like search for other users, maintaining a friends list, a video chat, a message board and also a feature to create and share image galleries, where images can be stored and shared with friends in the Vibratissimo social network.”

SEC Consult confirmed to The Reg that this leaky database is [no longer] accessible by the public.

Oh well, that’s OK then, on with the fun! Perhaps Auckland City could sponsor some of these devices? They seem to be into this sort of thing.

Worse yet, a creepy miscreant may be able to remotely turn on the device without the consent of its owner, the infosec bods discovered. Non-consensual “tickling” could be carried out either against a nearby toy via Bluetooth, or over the internet.

Julie-Anne Genter needs to set up another register smart-pronto to record all the remote, unwanted sexual pleasuring harassment.

Based on app download figures, tens of thousands of users are potentially affected. […]

[…] Most of the most severe vulnerabilities have been addressed.

We’re told the hardware manufacturer has implemented a more secure pairing method that is included in a new version of the pleasure-gizmo’s firmware.

According to the researchers, however, the adult toy slinger disputed whether remote manipulation of other people’s devices by miscreants was a problem, before emitting the fix. SEC Consult alleged the manufacturer had said it was even a “desired property of the sex toy.”

What? Tinder over Bluetooth? Swipe left to …?

Does the phone App automatically connect to the nearest 3G hotspot?

This research was done as a part of a master’s thesis with the goal of reviewing multiple smart sex toys including several teledildonics devices.

And when your girlfriend’s mother asks you what your thesis was about …..?
