Remote-controlled vibrators were found to be hackable. 'Leak could have serious consequences'
Lovense, a manufacturer of smart sex toys, struggled with a security vulnerability for months, discovered by an ethical hacker in March. Malicious actors were able to access the user accounts of remote-controlled vibrators without a password. The email addresses associated with these accounts were also traceable. The vulnerability has since been patched, Lovense announced in a statement.
The Hong Kong company, which claims to have over twenty million users, produces vibrators, vibrating eggs, and butt plugs that can be controlled via a Bluetooth app. The app allows users to remotely control the devices' vibrations.
This could be a solution for people in long-distance relationships, the company's website touts. Lovense also provides services to webcam models for erotic sites like OnlyFans. They can, for example, charge viewers to make the toys vibrate during a live stream.
Chance
The vulnerability was first reported in a blog post by an ethical hacker who goes by the name BobDaHacker. The hacker, who wishes to remain anonymous, told this newspaper via the messaging app Signal that she accidentally discovered the vulnerability while "messing around" with the app. She blocked her ex-lover and observed the data the app subsequently exchanged with the server. The ex-lover's email address was among that data.
The ethical hacker reported the vulnerability to Lovense in March, but the company failed to respond adequately. Therefore, she decided to disclose the vulnerability earlier this week. This led her to another ethical hacker, who told her they had already reported the same software vulnerability to the company in 2023.
Three days after BobDaHacker's blog post, Lovense released a new automatic update for the app, patching the vulnerability. Lovense wrote in a statement on its website that it wanted to ensure the update would provide lasting protection and "didn't want to rush" this process. The company also stated that it had found no evidence that user data had actually been accessed.
"I don't know the processes there, of course, but I think it's difficult [for the company] to say this with certainty," says Steven Derks, board member of the Privacy First foundation. "I consider the risk of a data breach, meaning access to or theft of personal data, very high."
Shocking
Such a leak could have serious consequences, says Derks. "The cam models who also use these products often operate under pseudonyms. If you can link an email address to that, you can quickly find out more about a person. That paves the way to blackmail, doxing [publishing personal information online], and intimidation."
Derks also believes the leak violates privacy in another way: "You can truly violate someone's physical integrity the moment you hack into an account and control a sex toy." He calls it "shocking" that the company waited at least four months to patch the leak. Derks: "You'd expect such a major manufacturer of intimate toys to have their security in order."
Easytoys and Bol.com, among others, sell Lovense sex toys. Earlier this week, the online stores announced they were halting sales following reports of the leak in the AD newspaper. Now that the leak has been addressed, the forty erotic products are being offered for sale again on Bol.com, a spokesperson told NRC. The online store says it is not taking the matter lightly. "We remain in close contact with our distributor and demand close supervision of Lovense." Easytoys also says it will resume selling the sex toys.
nrc.nl