It’s been a bad period for Canada’s Standard Innovation Corp., with the news that their popular connected “pleasure device” (aka a vibrator…now everyone settle down), We Vibe 4 Plus, is easily hackable being followed by a corresponding lawsuit.
The smart vibrator released two years ago is marketed towards couples spending time apart. It’s Bluetooth- and Wi-Fi- compatible and able to be controlled remotely by either partner using a cellphone app called We-Connect. This allows users to control the toy’s intensity and vibration patterns. Other features built into the app include private text messages and video calls.
At the latest DefCon conference held in August in Las Vegas, two independent hackers from New Zealand, known digitally as goldfisk and follower, presented a talk titled “Hacking the Internet of Vibrating Things” that revealed that the way the vibrator connects with its controlling app isn’t secure – making it possible to remotely seize control of the vibrator and activate it at will.
The pair also discovered that the app itself was sending the temperature of the device back to Standard Innovation every minute, and any time the intensity of the vibration changed — in effect providing data of when and how often someone is using the vibrator.
This data is stored on corporate servers and, in the terms and conditions of the device, the manufacturer reserves the right to pass it on to the authorities. “What are the implications of who they’re going to give that data to,” asked goldfisk. “In their privacy policy, they say ‘we reserve the right to disclose your personally identifiable information if required to by law’, but what does that actually mean?”
A new form of sexual assault?
While some may at first find the concept amusing, the reality is that the security of a sex toy should be taken seriously. As goldfisk commented during the talk:
“The company that makes this vibrator, Standard Innovation: They have over 2 million people using their devices, so what’s at stake is 2 million people…A lot of people in the past have said it’s not really a serious issue, but if you come back to the fact that we’re talking about people, unwanted activation of a vibrator is potentially sexual assault.”
In a statement in response to the workshop, Standard Innovation shared that it has engaged external security and privacy experts to conduct a thorough review of its data practices with a view to further strengthening data protection for its customers. They admit to this data collection, too:
“We do collect certain limited data to help us improve our products and for diagnostic purposes. As a matter of practice, we use this data in an aggregate, non-identifiable form. Processor chip temperature is used to help us determine whether device processors are operating correctly. And vibration intensity data is used for the purposes of helping us better understand how—in the aggregate—our product features are utilized.”
In September a Canadian woman known only as N.P. lodged an 18-page class-action civil suit against Standard Innovation. She says she bought herself a $130 We-Vibe from an Illinois retailer in May but never realized “that We-Connect monitors and records, in real time, how they use the device.”
Standard Innovation likewise failed to mention “that it transmits the collected private usage information to its servers in Canada.”
Standard Innovation released a statement this week that it has updated the We-Connect app and the app’s privacy notice. This includes an option, available in the We-Connect settings, for customers to opt out of sharing anonymous app usage data, and a new plain-language Privacy Notice outlining data collection.
A short history of long breaches
It’s worth noting the world’s first smart vibrator, Vibease, only came on the market in 2015. Yet this is not the first leak of sensitive data of its kind. At CeBIT in Hannover earlier this year, security software firm Trend Micro revealed, in an on-stage demonstration, that it was able to hijack a vibrator that connects to the internet.
Using a PIN of 0000—the default option for most Bluetooth devices—Trend Micro’s researchers were able to easily connect to the vibrator and load their own software to take control of the device.
In 2011 developer Andy Baio revealed that Fitbit health and activity trackers were exposing users’ sexual activity stats online. The company had made users’ profiles and activity public by default, to encourage social sharing and friendly competition. As a consequence, over 200 Fitbit users’ “sex-ercise” stats were showing up in Google search results.
Then, only recently, a Consumer Reports investigation into the Glow pregnancy app revealed that private health and sexual information was easily accessible, even to those without any hacking skills. Anyone with an account could request that another user’s data be shared with them, without the owner of that data having to grant permission.
This meant that “anyone — loving partner, obsessive ex-husband, or anonymous creep — could link his account to any Glow users, if he knew the woman’s email address.” Other vulnerabilities would allow an attacker with rudimentary software tools to collect email addresses, change passwords, and access personal information from participants in Glow’s community forums, where people discuss their sex lives and health concerns.
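The Glow flaw above is a missing consent step in a data-sharing flow. The following is an added illustration, not Glow’s code: a minimal model of the flawed linking logic (knowing the target’s email is the only check) beside a consent-gated version in which the data owner must accept a pending request before anything is released. All class and field names are assumptions made for the example.

```python
# Added example (not Glow's code): account-linking flow without, and then with, owner consent.
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    data: str                                        # the sensitive record being shared
    pending_invites: set = field(default_factory=set)  # requesters awaiting the owner's decision
    linked: set = field(default_factory=set)           # requesters the owner has approved


class InsecureLinking:
    """Flawed flow: the requester's knowledge of the target's email is the only check."""
    def __init__(self, users):
        self.users = {u.email: u for u in users}

    def link(self, requester_email, target_email):
        target = self.users[target_email]
        target.linked.add(requester_email)           # owner is never asked
        return target.data                           # data released immediately


class ConsentGatedLinking:
    """Hardened flow: a request only creates a pending invite; data is released only
    after the owner accepts, and the owner's identity comes from her own session."""
    def __init__(self, users):
        self.users = {u.email: u for u in users}

    def request_link(self, requester_email, target_email):
        target = self.users.get(target_email)
        if target is not None:
            target.pending_invites.add(requester_email)
        return "request recorded"                    # same reply whether or not the email exists

    def accept(self, owner_session_email, requester_email):
        owner = self.users[owner_session_email]      # taken from the authenticated session
        if requester_email not in owner.pending_invites:
            raise PermissionError("no pending request from that account")
        owner.pending_invites.remove(requester_email)
        owner.linked.add(requester_email)

    def read(self, requester_email, target_email):
        target = self.users[target_email]
        if requester_email not in target.linked:
            raise PermissionError("owner has not approved sharing")
        return target.data
```

The uniform reply from `request_link` also avoids confirming which email addresses have accounts, a second weakness the same review called out.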
It’s clear that regulation of both connected devices and personal health apps needs to mandate stronger security measures, including “opt in” consent to the sharing of information, along with penalties for unsafe devices. This needs to be combined with greater consumer education and a populace that demands digital devices take their security seriously in the first instance.
And maybe a really secure safe word.