Oh, No! They're Hacking My Digital Dildo!
In a 1993 speculative essay, American critic Howard Rheingold used the term "teledildonics" to describe new frontiers of sexual encounters facilitated through cyberspace. Today, the term is often used to describe the current generation of "smart" sex toys.
Teledildonics is a subset of the "Internet of Things" (IoT): everyday objects imbued with connective tech such as Bluetooth and Wi-Fi to collect, receive and communicate data. Alongside all kinds of home devices from fridges, dishwashers and security cams to electric toothbrushes, more and more sex toys are joining the ever-growing networks of the IoT.
But as smart devices begin to populate our physical world, they bring with them cybersecurity issues that you probably associate more with corporations and national elections. By their very nature, though, smart sex toys come with a uniquely high level of privacy concerns.
What exactly can happen when bad actors try to hack their way into your pants?
Sex toys of the 'future' are here
Smart sex toys use their digital intelligence to a variety of different ends. The most common are Bluetooth-enabled, allowing the user or a partner to control certain settings such as vibration speed and pulse patterns via smartphones.
But these more familiar devices are just the tip of the iceberg for teledildonics tech. Looking at a report from cybersecurity firm ESET, some of the latest smart sex toys and their associated apps integrate features such as multimedia messaging, videoconferencing and synchronization with porn videos, audiobooks or songs.
The practical applications of smart toys don't require too much imagination. Many devices offer couples a way to keep their sex life going over a long distance. Some allow cam show performers to put paying audience members in control of their sex toys, while others allow users to collect extensive datasets on their sexual bioactivity.
The digital bells and whistles of a brainy sex toy seem like exciting first steps toward Reingold's imagined teledildonic future. But they come with a darker side. Many cybersecurity experts worry that sex toy manufacturers aren't doing enough to keep their customers safe.
The wrong kind of backdoor action
Daniel Markuson, a digital privacy expert at NordVPN, an internet security provider, wrote in an email that many IoT devices—erotic or otherwise—often lack security features typically built into computers, tablets and smartphones.
Such vulnerabilities become particularly troubling when the information that's being collected and transmitted is far more personal and sensitive than, say, that of a smart thermostat or fridge.
"Teledildonic data makes for a tempting target for bad actors looking to extort money, damage reputations or get revenge," Markuson wrote. "The main thing is that they all are connected to a very private part of users' life, which makes them appealing to hackers or a vindictive ex looking to extort a ransom."
But Markuson isn't confident that sex toy manufacturers are taking these security issues seriously, and worries many cybersecurity experts might shy away from this somewhat taboo realm of technology, no matter how important it might be.
"Constant improvement is crucial in this area, as there is nothing more personal than [your] sexual life," Markuson wrote. "At the same time, it is a stigmatized topic in many spheres, and cybersecurity is not an exception. So, in my opinion, there is not enough work done when it comes to the security of smart sex toys and IoT in general."
The impact on sex toy users
Markuson pointed to the cautionary tale of Vibratissmo's Panty Buster. The device is a thin, curved clitoral vibrator that was marketed as "discreet and invisible" while being worn—a product description that later proved somewhat ironic.
The Panty Buster offered far more "smart features'' than a typical remote-controlled vibrator. Its associated mobile app came with a dedicated social network that allowed users to share images and videos, connect with friends and exchange messages.
Through penetration testing, cybersecurity firm SEC Consult indicated that hackers could access the user data collected by the app, including chat logs, friend lists and image galleries. Other user information, such as real names, sexual orientations, home addresses and passwords, were also left vulnerable.
"Fortunately, the issues were solved with updates. but not until at least 50,000 users had details of their intimate lives leaked," Markuson wrote.
Possibly more disturbing was SEC Consult's revelation that the Panty Buster could potentially allow hackers to seize control of the device itself. In theory, this could allow complete strangers to override the operation of a device without your consent.
The ultimate cockblocker
This security risk, however, wasn't limited to the Panty Buster. Multiple other smart sex toys have been shown to have backdoors that allow malicious actors to take the wheel.
In January 2021, VICE's Motherboard published the disturbing story of a man named Sam Summers. He claimed hackers had taken control of his internet-connected chastity cage, the Cellmate from Chinese company Qiui, ransoming his penis' freedom to the tune of $1,000 in Bitcoin. He told VICE he was forced to snip off the device with bolt cutters.
It turns out this daring escape never happened. "Sam Summers" was actually Australian comedian Lewis Spears, who revealed the hoax in a March YouTube video after the story went viral. But while Summers and his dick-prison-break were fake news, the cybersecurity flaws that inspired the prank were not.
In fact, it was an October 2020 blog post by cybersecurity experts Pen Test Partners which rang the alarm bells about the Qiui Cellmate that would later become the inspiration for Spears' hoax.
Analog iterations of chastity cages often feature a lock and key, allowing BDSM fans to hand over control of their privates to a trusted partner. The Cellmate instead used a digital locking mechanism that connected via Bluetooth to a companion mobile app.
According to Pen Test Partners, the Cellmate's app had serious flaws that not only left user data like name, phone number and location vulnerable but also allowed hackers to take over and remotely lock the device.
Even worse, the Cellmate had no emergency manual unlocking mechanism—meaning Summers' fictional account very well could have become a reality.
"There is no physical unlock," wrote Pen Test Partners researcher Alex Lomas. "An angle grinder or other suitable heavy tool would be required to cut the wearer free."
The blog post includes a workaround that doesn't require operating power tools inches from your privates (though Lomas still recommended trapped users go to the ER first). After months of pressure from the media, retailers and cybersecurity advocates, Qiui updated its app to address the security flaws, according to Pen Test Partners' timeline of events.
How to keep your activity private
If you do decide to buy a smart sex toy, make sure you do extensive research beforehand, Markuson advised. Shoppers should check user reviews, online forums and media stories for any information about security risks.
"If the device is flawed, there's a good chance that someone's already noticed that," Markuson wrote.
Commonsense online habits, such as changing default passwords, also apply to smart sex toys, he added.
The bottom line is that you should be aware that any internet-connected device comes with some degree of risk of a security breach. Before you buy an IoT device, perhaps the most important question you should ask yourself is how much "smartness" do you really need? Are all those exciting features really worth the potential security risk they represent?