While you’re living out your fantasies, your internet-enabled sex toy may be setting you up for a privacy nightmare
We did it. Somehow, we got through 2020 and now Valentine’s Day is just around the corner. And yet 2020’s imprint may still be observed everywhere, and – believe it or not – the COVID-19 pandemic may have increased your chances of receiving a new, internet-enabled adult toy for your love nest as this year’s Valentine’s gift.
The pandemic has caused many people to hunker down at home, sometimes away from their partners and unable to carry on with their normal dating and love lives. Even now, some long-distance couples are still dealing with the consequences of travel restrictions and social distancing.
In this context, many have turned into new ways of exploring their sexuality or keep the flame alive through remote-controlled adult toys. After the pandemic hit, the sales of these devices went through the roof, mirroring the recently skyrocketing popularity of sexting applications and other forms of virtual intimacy.
To be sure, internet-connected sex toys, also known as teledildonics, have been looking for a place in the sun – or bedrooms, if you will – for years. The myriad contraptions have been gaining traction as part of the concept of sexnology, a portmanteau word of sex and technology. Indeed, it’s safe to say that connected sex tech is here to stay.
On the other hand, much like any other Internet of Things gadgets, smart adult toys have considerable privacy and security implications. What’s more, given just how personal these devices are and what kind of data they collect, the potential threats to your privacy are hard to ignore.
How smart are smart sex toys?
When was the last time you googled for smart sex toys? How versatile do you think these toys are – technology-wise? Well, you needn’t visit online stores and risk an endless parade of pesky and perhaps NSFW advertisements wherever you then go online – we will put you up to date on the state-of-the-art in this ever-growing industry.
Nowadays, these devices incorporate a wide range of features. For starters, they allow you to grant remote control of your device to others via the mobile app, the browser, or your laptop. Users can also participate in group chats, send multimedia messages and customized patterns, hold videoconferences, synchronize the vibration patterns with a playlist of songs or audiobooks, and connect the gizmos with smart assistants such as Alexa. Some models allow the users to synchronize two sex toys to replicate their movements, and some others are wearables.
When it comes to architecture, most of these devices can be controlled via Bluetooth Low Energy (BLE) from an app installed on a smartphone. Some vendors offer users the possibility to connect to their devices via software on their computers and using a special BLE dongle, and you can also use the BLE API in certain browsers to connect to the sex toys using a web app.
Then, the app connects through Wi-Fi or the mobile carrier to a server in the cloud, which stores the person’s account information and multimedia files, and of course is responsible for allowing core functionality, such as chatting and videoconferencing.
And this is just the beginning. The latest advances in the sex toys industry include models with VR (Virtual Reality) capabilities and sex robots that include cameras, microphones, as well as voice analysis capabilities. Actually, the use of robots as replacements for sex workers in brothels is already a reality in some countries.
But let’s go back to the affordable gadgets you might find in local stores nearby and explore the risks of getting and using one.
What happens in the bedroom, stays in the bedroom?
Let’s say you decide to buy your partner one of these smart sex toys as a gift for Valentine’s Day… what could go wrong in terms of your security and privacy? Well, given the wide range of functionalities these products offer, the attack surface is quite large. There are certain design characteristics that attackers can exploit: the local connection via Bluetooth that is sometimes unprotected, vulnerabilities on the server or in the apps, insecure Wi-Fi connections, and many others.
For the sake of conciseness, we will narrow it down to three main attack scenarios:
Executing malicious code on the device
In this case, the attacker could, for example, try to modify the code running inside the gadget – its firmware – to perform malevolent actions. In some cases, the cybercriminal could use the compromised device as a zombie, commanding the victim to send more malicious commands to other users on the contact list. The attacker could also intend to cause physical harm to the user, for example, by overheating the device.
Intercepting communications and stealing data
The information processed by sex toys and apps is extremely sensitive: names and other contact information, sexual partners, intimate photos, and videos. Also, information about device usage, such as preferred patterns or usage hours, can reveal a user’s sexual preferences. If stolen, these pieces of information could be used against the victim, exposing their intimacy, or even be used for sextortion campaigns.
The attacker could also exploit vulnerabilities in the protocols being used to gather information on the target, or even connect to the device bypassing poor authentication mechanisms. Imagine a scenario where someone can take control of a sexual device without consent while it’s being used, and even send different commands to the device. Would this be considered sexual assault? Does the current legislation allow for the possibility to punish such behavior?
Performing a denial of service attack
This would ultimately prevent the user from sending any command to the toy. For example, a popular chastity belt was found to contain vulnerabilities last year that would have allowed an attacker to remotely block the device, preventing the user from unlocking it. This actually led to attacks where the attacker first locked the devices and then asked for a ransom to unlock them. This, too, goes to show how serious security and privacy in sex-related platforms are.
Stay safe – use protection!
Now, the big question: How can you tech up your sex life without putting your privacy and security at risk?
- As in any other sexting practice, avoid sharing photos or videos in which you can be identified. And, of course, do not post remote control tokens on the Internet. Also, avoid registering for sex apps using an official name or email address that could identify you. In other words, try to be as anonymous as possible.
- Always use remote-controlled sex toys in a protected environment and avoid using them in public places or areas with people passing through, like bars or hotels. Also, while using the toy, keep the app connected to it, as this prevents the device from announcing its presence.
- Before buying a connected sex toy, be sure to buy a secure device from a trusted vendor. Do some research on the gizmo’s security aspects; for example, use search engines to find out if the toy has a history of serious vulnerabilities. If so, determine if patches are available and if there are frequent updates from the developer. Also, downloading the control apps and trying out their features before buying the device can give you an overview of how secure the app is.
Regarding dating apps, most security measures revolve around common-sense precautions – which you will definitely also need while dating offline!
- Try to share as little as possible and only what you need to. We know that creating a profile on Tinder, Happn or any other dating app is very simple. Most of the time we just need to link our account with our Instagram or Facebook profile. However, we must also think that both Facebook and Instagram store photos and personal information related to our tastes and interests that we may not want to share. If you log in with Facebook, Google, or any other account, pay special attention to the various permissions you are granting to the app. Many apps may request more information than your name or email address. Also, be careful when sharing sensitive information such as your location.
- Beware of fake profiles. Make sure on the other side of the app is a real person. For example, you can use a reverse image search in Google or Tineye to verify the pictures do not belong to someone else or are used on other websites.
- Stay alert for scams. Do not be tempted to move the conversation off the app and to other platforms, since this is one of the most common techniques used by fraudsters. Also, try not to reveal personal information such as phone number or email address, family details, home location, etc. Many dating apps restrict how much profile information you can share, which is a good thing. However, this protection won’t work if you’re convinced by a scammer to share your personal data through other means.
- As in any other site or social network, lock down your profile. Use strong and unique passwords for each platform and always enable two-factor authentication.
- Finally, whether you choose to play with a smart sex toy or use a dating app, always read the terms and conditions of the applications and websites where you register or to which you send any information. Pay special attention to the sections that describe data collected by the company as well as the processing of such data. Also, keep your mobile device and the applications always updated, have a security solution installed on them and try to use protected Wi-Fi networks while sharing sensitive information.
Perhaps one last thing to bear in mind – smart sex toys can be fun and a new way of spicing things up in your bedroom. But if you are not planning to let others control the device remotely, just don’t get a smart sex toy – get a regular one.