from the another-day-another-IoT-problem dept.
A security flaw in a hi-tech chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously.
The internet-linked sheath has no manual override, so owners might have been faced with the prospect of having to use a grinder or bolt cutter to free themselves from its metal clamp.
The sex toy's app has been fixed by its Chinese developer after a team of UK security professionals flagged the bug.
This could be useful to anyone still using the old version of the app who finds themselves locked in as a result of an attacker making use of the revelation.
Any other attempt to cut through the device's plastic body poses a risk of harm.
[...] The security researchers said they discovered a way to fool the server into disclosing the registered name of each device owner, among other personal details, as well as the co-ordinates of every location from where the app had been used.
In addition, they said, they could reveal a unique code that had been assigned to each device.
These could be used to make the server ignore app requests to unlock any of the identified chastity toys, they added, leaving wearers locked in.
Fantastical News Everyone! Remember an earlier SN article about CELLMATE, a male chastity device that got hacked and would not unlock your hardware? Well, now the maker of that IoT device says it's now totally safe to put your equipment into their device once again! They promise! This time for sure! Nothing could go wrong!
While we've covered the Internet of Broken Things for some time, where companies fail to secure the devices they sell which connect to the internet, the entire genre sort of jumped the shark in October of last year. That's when Qiui, a Chinese company, was found to have sold a penis chastity lock that communicates with an API that was wide open and sans any password protection. The end result is that users of a device that locks up their private parts could enjoy those private parts entirely at the pleasure of nefarious third parties. Qiui pushed out a fix to the API... but didn't do so for existing users, only new devices. Why? Well, the company stated that pushing it out to existing devices would again cause them to all lock up, with no override available. Understandably, there wasn't a whole lot of interest in the company's devices at that point.
But fear not, target market for penis chastity locks! Qiui says it's now totally safe to use the product again!
Since this device uses a proprietary API, there is still the issue of Vendor Lock In to be concerned about.
The Internet of things — aka the tendency to bring Internet connectivity to devices whether they need them or not — has provided no shortage of both tragedy and comedy. "Smart" locks that are easy to bypass, "smart" fridges that leak your email credentials, or even "smart" barbies that spy on toddlers are all pretty much par for the course in an industry with lax privacy and security standards.
Even your traditional hot tub isn't immune from the stupidity. Hot tub vendor SmartTub thought it might be nice to control your hot tub from your phone (because walking to the tub and quickly turning a dial is clearly too much to ask).
But like so many IOT vendors more interested in the marketing potential than the reality, they allegedly implemented it without including basic levels of security standards for their website administration panel, allowing hackers to access and control hot tubs, all over the planet. And not just SmartTub brands, but numerous brands from numerous manufacturers, everywhere [. . . .]
For those who need reminders, let us not forget prior SN (horror) stories:
- IoT Pet feeders that stop feeding pets
- Peloton treadmills
- Insteon smart home lighting and other controls
- Smart male chastity devices that won't unlock, need metal grinder to remove