What online sex toys can teach you about secure coding

Security researchers have found multiple vulnerabilities in Vibratissimo’s “Panty Buster”, an internet-enabled sex toy.

Let’s skip the jokes about Internet of Things (IoT) devices failing penetration tests and get right to the point: like so many other IoT security flubs, this one is full of elementary errors that nobody is supposed to make any more.

As reported by the security firm SEC Consult on Thursday, Panty Buster, a Bluetooth- and internet-connected toy that you slip into your underwear and control by a smartphone app, is vulnerable to takeover by remote attackers, and liable to expose intimate data.

The toy, along with others in the Vibratissimo product line, is manufactured and operated by the German company Amor Gummiwaren GmbH.

SEC Consult researchers found a database containing all customer data for Panty Buster users, including explicit images taken by the cyberdildo, chat logs, sexual orientation, email addresses, passwords stored in plaintext and more, all of it available for anybody to access online.

Attackers were also able to remotely control the device without the user’s consent, via Bluetooth or over the internet. (According to the manufacturer, this was supposed to be a feature, not a bug. A portion of its customers like to hang out at swingers clubs where they can be randomly stimulated, SEC said in its post.)

The explicit images were accessible because of what the researchers said were predictable URLs and missing authorization checks.

SEC says that, based on downloads from the Google Play Store and the Apple AppStore, the number of affected users is in the hundreds of thousands. Helping to pump up the number is the fact that the exact same vulnerabilities are found in sex toys from other manufacturers, including Lovense, Kiiroo Fleshlight, and Lelo.

The researchers said that the Panty Buster manufacturer has introduced a more secure pairing method for Bluetooth, in spite of the swinger demographic. Unfortunately, even though new devices support password-protected pairing, this isn’t enabled by default. Owners of older devices have to send theirs to Amor Gummiwaren to get the fix, which requires a firmware update.

Same-old, same-old vulnerabilities

The Panty Buster situation may seem titillating, given that we’re talking about the kind-of new and sexy world of teledildonics. But really, there’s little new to be found in the vulnerabilities.

Private files left in public directories. Plenty of businesses are guilty of this one. One year ago, it was Denuvo, a digital rights management (DRM) software maker that failed to lock down all of its website’s directories from public snooping.

As SEC said, this is the error that left Panty Buster’s entire customer database exposed: the file left in a public directory held the database credentials. With those, an attacker can connect to the database and read all of the sensitive customer information, including explicit images, sexual orientation and home addresses.
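A cheap check that catches this class of mistake before an attacker does is to walk the web root and flag anything that should never be reachable from a browser. The script below is an added example, not code from SEC Consult or from Amor Gummiwaren; the file-name patterns, the "looks like a credential" heuristic and the sample web root it builds are all constructed for the illustration.

```python
"""Audit a web root for files that should never be served.

Added example (not from SEC Consult or the vendor). Flags files whose name
or contents suggest credentials, dumps or backups. The name list and the
credential-line heuristic are assumptions chosen for this illustration.
"""
import os
import re
import tempfile
from typing import List

# File names that commonly carry secrets, dumps or backups (constructed list).
SENSITIVE_NAMES = re.compile(
    r"(^\.env$|\.sql$|\.bak$|\.old$|^config\.(php|ini|json|yml|yaml)$|\.pem$|\.key$)",
    re.IGNORECASE,
)
# Assignment-style lines that look like a credential being set.
SECRET_LINE = re.compile(r"(password|passwd|secret|api[_-]?key)\s*[=:]", re.IGNORECASE)


def find_exposed_secrets(webroot: str) -> List[str]:
    """Return paths (relative to webroot, '/' separated) that look private."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if SENSITIVE_NAMES.search(name):
                hits.append(rel)           # flagged by name alone
                continue
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(64 * 1024)   # only inspect the first 64 KiB
            except OSError:
                continue
            if SECRET_LINE.search(head):
                hits.append(rel)           # flagged by contents
    return sorted(hits)


def build_sample_webroot() -> str:
    """Create a constructed web root: one public page and three mistakes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    os.makedirs(os.path.join(root, "includes"))
    files = {
        "index.html": "<html><body>hello</body></html>\n",
        "admin/config.php": "<?php $db_password = 'hunter2'; ?>\n",   # caught by name
        "backup.sql": "INSERT INTO users VALUES ('alice', 'plaintext');\n",  # caught by name
        "includes/db.inc": "host: db.internal\npassword: hunter2\n",  # caught by contents
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path in find_exposed_secrets(build_sample_webroot()):
        print("exposed:", path)
```

Run it against the directory your web server actually serves, not against the source tree; the point is to see what a browser can reach. The structural fix is to keep credentials outside the web root altogether (an environment variable or a file the web server process can read but never serve), so there is nothing for a scan like this to find.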

Plaintext passwords. Panty Buster user passwords were stored in plaintext in the database, SEC said. An attacker who got into the database could log straight in to any user’s account, no cracking required.

This is poor security practice, and it’s been both unnecessary and unacceptable for years. Not only that, given that so many people reuse their passwords, heaven knows what other bank, social media or fill-in-the-blank accounts could be hijacked. Even if you choose a super-strong password, it only takes one careless site to leak that password in directly usable form.

Predictable “unguessable” web links. SEC found that Vibratissimo’s mobile apps offer a feature called “Quick Control”: the user sends a link containing a unique ID to a friend by email or SMS, and the friend can then control the toy remotely.

There’s nothing random about those IDs, unfortunately: they come from a global counter that is incremented by one every time a new Quick Control link is created, so anyone holding one link can work out every other one. There’s also no requirement for the toy’s owner to confirm the remote control before it’s handed to another user.
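Both of the problems in this paragraph, and the predictable image URLs with missing authorization checks mentioned earlier, come down to the same design question: what does holding a link actually prove? The code below is an added example, not the Vibratissimo app’s code; it puts the counter-based link beside a grant that is drawn from the OS random source, must be confirmed by the toy’s owner before it does anything, expires, and is stored only as a hash so that a leaked table cannot be replayed. The service, its method names, the 15-minute lifetime and the placeholder host are all assumptions made for the illustration.

```python
"""Remote-control links: a counter beside an unguessable, owner-confirmed grant.

Added example; not the Vibratissimo app's code. The service, its method
names, the expiry policy and the placeholder host are assumptions.
"""
import hashlib
import secrets
import time
from typing import Optional

# --- The flaw SEC described: a global counter -------------------------------
_counter = 0

def next_counter_link() -> str:
    """Each link is the previous one plus one: seeing any link reveals all."""
    global _counter
    _counter += 1
    return f"https://example.invalid/quickcontrol/{_counter}"  # placeholder host


# --- A grant that is unguessable, owner-confirmed, short-lived ---------------
class QuickControlService:
    TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG; not enumerable
    TTL_SECONDS = 15 * 60       # assumed lifetime for a pending or live grant

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable for testing expiry
        self._grants = {}       # sha256(token) -> {"owner", "confirmed", "expires"}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked grants table must not hand out live links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create_link(self, owner_id: str) -> str:
        """Owner asks for a link to send to a friend; it starts out inert."""
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._grants[self._digest(token)] = {
            "owner": owner_id,
            "confirmed": False,
            "expires": self._clock() + self.TTL_SECONDS,
        }
        return token

    def confirm(self, owner_id: str, token: str) -> bool:
        """Only the device owner can turn a pending link into a live grant."""
        grant = self._grants.get(self._digest(token))
        if grant is None or grant["owner"] != owner_id:
            return False
        grant["confirmed"] = True
        return True

    def authorize(self, token: str) -> Optional[str]:
        """Return the owner whose toy this token may control, else None.

        This is the check every control request (and every media fetch)
        must pass; the token alone is not enough.
        """
        key = self._digest(token)
        grant = self._grants.get(key)
        if grant is None:
            return None
        if self._clock() > grant["expires"]:
            del self._grants[key]           # expired: forget it entirely
            return None
        if not grant["confirmed"]:
            return None                     # owner never consented
        return grant["owner"]

    def revoke(self, token: str) -> None:
        """Owner can pull the grant at any time."""
        self._grants.pop(self._digest(token), None)


if __name__ == "__main__":
    print(next_counter_link(), next_counter_link())   # .../1 .../2: trivially guessable
    svc = QuickControlService()
    link = svc.create_link("alice")
    print(svc.authorize(link))                        # None until Alice confirms
    svc.confirm("alice", link)
    print(svc.authorize(link))                        # alice
```

The same `authorize` step is what was missing in front of the explicit images: a URL that is hard to guess is a convenience, not an access control, and every fetch still has to establish that the caller is allowed to see that object.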

Here’s an oversimplified security maxim – don’t let people know what’s coming next!