- Qiui's chastity belt was hacked to demand payments in Bitcoin.
- Some users were locked in and lost control of their sex toy.
- The company was informed last year about the API vulnerability.
Last year, a serious vulnerability in the chastity belt sex toy made by the Chinese company Qiui was discovered by a team of researchers at the UK-based Pen Test Partners. The flaw was real and dangerous for men using the toy, which is why the researchers urged Qiui to patch it. But it turns out it might have been too late for that. A hacker apparently gained access to these compromised chastity belts and asked victims for ransom to unlock their genitals.
According to Motherboard, which got in touch with many victims, the hacker announced to victims that their chastity belt had been compromised by saying: "Your cock is mine now." He would then ask for payment in Bitcoin to unlock the cage. A security researcher named Smelly procured a screenshot from one of the victims showing the conversation between them and the hacker.
A victim identified as Robert told the publication that the hacker demanded a payment of 0.02 Bitcoin (roughly Rs 52,000). He also said that his chastity belt was locked and that he could not unlock it on his own, although it was not in use around his organ. Another user, who goes by RJ, told Motherboard in an online chat that they were no longer the owner of the chastity cage and that it was being controlled by someone else. The hacker also seems to have contacted RJ and demanded a payment to unlock the sex toy.
It is not immediately clear whether a single hacker is behind these incidents or whether different people are working towards the common goal of exploiting the users of the chastity cage. But it does make one thing clear: just because you can connect something to the internet does not mean you have to. You should be wary of which products you connect to the internet, and take full precautions when you do.
In October last year, Qiui's chastity cage sex toys, popular in the BDSM community to prevent erections, were found to have a vulnerability in their APIs. The researchers said the vulnerability could allow hackers to gain remote access to several chastity belts that are connected to the internet. "There is no emergency override function either, so if you're locked in there's no way out," wrote Alex Lomas, a researcher at Pen Test Partners. Beyond remote control, this flaw in the Qiui app also left private messages and user location exposed to third parties.
The company did roll out a new API for new users, but fixing old devices was not easy: rolling out the new API would require the device to go offline, which would lock the appendage of anyone using it. Qiui's chief executive Jake Guo told TechCrunch earlier that the fix would arrive sometime in August, but that did not happen. Instead, he said "When we fix it, it creates more problems" in an email to TechCrunch. The company did not mention anything about this flaw after that, but the current situation of its users suggests that the company either did not patch it or that its attempt failed.