- Qiui’s chastity lock has been found to have a number of security flaws.
- The flaw gives hackers control of the smart sex toy using the app.
- The company has not patched the vulnerability yet, despite multiple warnings.
As internet technology advances, more and more devices are connecting to it, a trend known as the Internet of Things. There are now smart sex toys that connect to the internet over Wi-Fi or through apps. You can easily get an internet-enabled sex toy today, but maybe you should hold off, because it might be better kept off the internet. Researchers have found a new vulnerability in a popular sex toy made by Qiui that can leave users awkwardly vulnerable.
Per a TechCrunch report, security researchers at UK-based Pen Test Partners have discovered a flaw in the Qiui Cellmate, an internet-connected chastity lock for men. The device is known as the "world's first app-controlled chastity device". This means that, unlike a conventional chastity lock, the lock on the user's appendage is controlled through an app. The device uses Bluetooth (BLE) to engage the lock and clamp, and the app that controls it relies on an API. The researchers said this API has multiple security flaws, leaving it prone to hacks.
The API that the Qiui app uses is not password protected, allowing anyone to take control of the chastity lock. The chamber of the device is designed to lock with a metal ring under the user's genitals. The flaw gives control to anyone, who could then permanently lock the user in. The researchers believe that only a bolt cutter might be of some help if that happens to a user of the Qiui chastity lock.
"There is no emergency override function either, so if you're locked in there's no way out," wrote Alex Lomas, a researcher at Pen Test Partners. Beyond remote control of the lock, this flaw in the Qiui app also leaves private messages and user location exposed to third parties.
TechCrunch claims it first learned about the vulnerability in June. The researchers also contacted Qiui, an adult toy manufacturer based in China, to inform it about the vulnerability in its chastity lock. Since taking the API offline would lock in anyone using the lock now, Qiui decided to roll out a new API for new users that fixes the flaw. But that left existing users high and dry.
Qiui's chief executive Jake Guo told TechCrunch earlier that the fix would arrive sometime in August but that did not happen. Instead, he said "When we fix it, it creates more problems" in an email to TechCrunch. The company ended up missing three deadlines it gave itself to fix this flaw, but there is no fix to be seen even two months later.
It was then that the researchers decided to go public with the issue, spurred by another incident in which a different researcher stumbled on a separate security issue in Qiui's product that the company was seemingly in no mood to address either.
While the company is mum about what it is doing about the security flaw, many users have posted concerning and negative reviews for the Qiui chastity lock online. "The app stopped working completely after three days and I am stuck!" said one user. Another user said, "It worked for about a month until I almost got stuck in it. Thankfully, it unlocked itself randomly and I was able to get out of it. The device left a bad scar that took nearly a month of recovery."
Security bugs are not new to the world of adult toys, though. Previously, in 2016, researchers found that the Bluetooth-enabled "panty buster" toy let anyone control it using an internet connection. A good number of toys have also been found siphoning and collecting user data.