IoT love

Smart chastity device exposes sensitive user data

A security breach or piece of inadvertent exposure can be a devastating thing, not just for the company impacted but also the people whose data is stolen or exposed to the world. The usual roll-call of “name, address, phone number and card details” is bad enough. If such things are tied to sensitive material or websites, it can be many times worse.

This is the case for a recent piece of Internet of Things technology tied to people’s love lives. TechCrunch reports that a wearable “chastity device” which allows the user’s partner to control it over the internet (via Android app) has exposed all manner of user details which includes:

  • Home addresses
  • IP addresses
  • Plaintext passwords
  • Email addresses
  • GPS coordinates

The researcher who discovered the issue claims it’s due to “several flaws” in the servers being used by the company behind the device. Two vulnerabilities were how the researcher was able to view no fewer than 10,000 user records. Despite contacting the organisation responsible on June 17, there’s been no word back and the issue is still out there.

Due to this potentially snowballing in a much worse way if the device name is made public, the details are so far being kept under wraps. As a result, if you use an internet connected chastity cage with your partner you won’t know for sure if you’re potentially affected or not.

At this point the story would unusually end, and we’d advise you to think carefully when using IoT devices tied to more private aspects of your life. Well, not just yet! As it happens, the researcher was so frustrated by the lack of response that they took to compromising the device’s website with the following message:

The site was disabled by a benevolent third party. [REDACTED] has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and contrary to what [REDACTED] has claimed, also shipping addresses. You’re welcome!” the researcher wrote. “If you have paid for a physical unit and now cannot use it, I’m sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs.

We can’t condone breaking into a website and while trying to warn people is commendable, doing it in this fashion is likely to lead to more problems. If you want to keep a lid on the issue and not have it spill out across the internet, nothing can make something go public quicker than a spectacular web page defacement.

In this case, it doesn’t seem to have happened (yet). Even so, the message was gone a day later and the issue which led the researcher to so many user details still exists.

The above is bad enough. PayPal payment logs being exposed is possibly even worse, tying payments to email addresses. All of this alongside the GPS details for some users makes public activities that some folks will find embarrassing and not for public consumption. In specific circumstances this kind of thing can lead to harassment, trolling, and more.

With this in mind, we suggest an abundance of caution when making use of devices and technology similar to the above.

A product with no internet connection is safer from a data exposure perspective, but will naturally be somewhat less functional. If you need to make payments, use anonymous emails set up for exclusive use with sensitive devices. And keep in mind that enabling features like GPS will give potentially pinpoint accuracy to your daily movements.

We can only hope that the flaws in the above device are patched as soon as possible, but it’s possible that nothing will ever be done about it. While it should be quite shocking that such a personal device is able to be exploited in this way, IoT has been a flashpoint of poor security practices and lack of responsibility for years now. Buyer most definitely beware.

We don’t just report on threats—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.