Slight problem with a bdsm game ----
read the BBC story here:
https://www.bbc.com/news/technology-54436575
Cellmate: Male chastity gadget hack could lock users in
By Leo Kelion Technology desk editor
Published2 days ago
Cellmate
The Cellmate has been sold via several big-name online retailers as well
as niche stores
A security flaw in a hi-tech chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously.
The internet-linked sheath has no manual override, so owners might have
been faced with the prospect of having to use a grinder or bolt cutter to free themselves from its metal clamp.
The sex toy's app has been fixed by its Chinese developer after a team of
UK security professionals flagged the bug.
They have also published a workaround.
This could be useful to anyone still using the old version of the app who finds themselves locked in as a result of an attacker making use of the revelation.
Any other attempt to cut through the device's plastic body poses a risk of harm.
Cellmate circuit board
IMAGE COPYRIGHTPEN TEST PARTNERS
image captionThe workaround involves prising open the circuit board and pressing batteries against two of the wires to trigger a motor
Pen Test Partners (PTP) - the Buckingham-based cyber-security firm
involved - has a reputation for bringing quirky discoveries to light, including problems with other sex toys in the past.
It says the latest discovery indicates that the makers of "smart" adult-themed products still have lessons to learn.
"The problem is that manufacturers of these other toys sometimes rush
their products to market," commented Alex Lomas, a researcher at the firm.
"Most times the problem is a disclosure of sensitive personal data, but in this case, you can get physically locked in."
Lock and clamp
Qiui's Cellmate Chastity Cage is sold online for about $190 (£145) and is marketed as a way for owners to give a partner control over access to
their body.
Pen Test Partners believe about 40,000 devices have been sold based on the number of IDs that have been granted by its Guangdong-based creator.
The cage wirelessly connects to a smartphone via a Bluetooth signal, which
is used to trigger the device's lock-and-clamp mechanism.
But to achieve this, the software relies on sending commands to a computer server used by the manufacturer.
The security researchers said they discovered a way to fool the server
into disclosing the registered name of each device owner, among other personal details, as well as the co-ordinates of every location from where the app had been used.
In addition, they said, they could reveal a unique code that had been assigned to each device.
Cellmate user map
IMAGE COPYRIGHTPEN TEST PARTNERS
image captionA sample of the co-ordinates revealed by Cellmate's servers showed the device has been used worldwide
These could be used to make the server ignore app requests to unlock any
of the identified chastity toys, they added, leaving wearers locked in.
Mr Lomas' team flagged the issue to Qiui in May, after which it updated
its app as well as the server-based application programming interface
(API) involved.
But it still left an earlier version of the API online, meaning those who
had not downloaded the latest version of the app theoretically remained at risk.
Pen Test Partners sent follow-up emails urging this to be addressed and involved the news site Techcrunch to help press for action.
Techcrunch said Qiui's chief executive subsequently told it he had tried
to tackle the issue but added: "When we fix it, it creates more problems."
Five months on from first getting in touch, the UK security team decided
to go public.
"Given the trivial nature of finding some of these issues and that Qiui is working on another internal device, we felt compelled to publish," Mr
Lomas said.
Pen Test Partners acknowledged that in doing so, however, it made a real-world attack more likely.
The BBC has asked Qiui to comment.
Techcrunch reported there was no evidence that the hack had been exploited
by anyone to cause harm.
But it noted that one online reviewer who appeared to have got locked in
due to an unrelated bug posted that he had been left with "a bad scar that took nearly a month of recovery".
Related Topics
Cyber-security
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 357 |
Nodes: | 16 (2 / 14) |
Uptime: | 80:19:41 |
Calls: | 7,664 |
Files: | 12,822 |
Messages: | 5,706,374 |