WiFi-enabled adult toy comes up short on security

Why in the world would you need an endoscopic camera at the end of a vibrator?

Why, to record “love through pictures and videos”, says Svakom, maker of the $249 Siime Eye sex toy… and to then “share the wonderful sex adventure to your partner via pictures or videos”.

Yes, that’s right, “share”. As in, Internet of Things sharing, as in yes of course it’s got a built-in tiny camera and a hidden searchlight that can be connected to a PC, tablet or mobile phone via WiFi.

… And of course it’s hackable.

The company assures customers that Siime Eye has a “powerful but quiet motor when operating”, so you don’t have to worry about being overheard by others. But it turns out that you do have to worry about somebody wardriving through the neighborhood, picking up on who’s using the vibrator and intercepting the video stream.

Researchers at Pen Test Partners – a penetration-testing (we’re not going to touch that one) outfit that probes the security of IoT gadgets and which has looked at the security of cyberdildonic sex toys in the past – decided to look at the security of Siime Eye in the wake of the WeVibe lawsuit and settlement.

After seeing some pretty bad things in IoT security, the researchers said, “this has to take the biscuit”.

Pen Test Partners found hard-coded credentials, plus a hard-coded IP address and port. It also found what it says is “hidden” functionality to connect to Skype, to save videos automatically to a network file share, and to send pictures in emails. The device’s web interface is also open to code injection.

The hard-coded credentials, admin:blank, make it “trivial” to connect to the vibrator’s web admin interface, the researchers say. And because the web app serves the video from the camera, and the device acts as a WiFi access point, an attacker within range can identify users.

Given that the credentials are hard-coded, users who aren’t combing through their IoT gadgets for security weaknesses will never think to change those credentials. And anybody who can get on to the wireless AP will instantly gain access to everything on the web app. As it is, Siime Eye is already turning up on wardriving sites: Pen Test Partners spotted a user in Tokyo who showed up on wigle.net, for example.

As far as access to Skype goes, they found a cgi script called skype_pwd, along with other scripts for adding a Skype account, sending emails and changing DNS settings.

With a bit more work – including cracking the thing open to dump its firmware, discovering a command injection point, logging themselves in as root user and then logging in over telnet – the researchers got at the hard-coded telnet password.

After that, it was “plain sailing,” they wrote:

“We’ve got complete control over every inbuilt function in the Siime Eye, easy access to the video stream, a root shell and persistence on a dildo.”

There are two attack scenarios:

  1. Get a user to connect the device to their home WiFi so as to siphon off their video data and WiFi passwords and send them off to wherever the attacker likes.
  2. Get anywhere near a Siime Eye and crack the WiFi access point with what’s likely to be a weak or default password and hence “almost immediately” get a root shell and the video stream.

Pen Test Partners reached out to Svakom three times, starting in December, without receiving a reply, after which the researchers decided to publicize the device’s security shortcomings.

Pen Test Partners is telling users to change that default passcode to something complex and long. Better yet, try to get in touch with Svakom, they advise: maybe you’ll have better luck than PTP did!