
In the past, internet connected sex toys have raised both privacy and security concerns, especially given the vulnerabilities associated with IoT (Internet of Things) devices. However, a security researcher has reportedly come up with a novel way to use an internet connected dildo securely – by incorporating Tor.

The experiment was aimed at showing that smart sex toys, which in the past have been known to be vulnerable to hackers, can be modified to be used more securely. The dildo was reportedly reverse engineered so that it could receive commands via the Tor network, which were used to remotely control the device and successfully cause it to vibrate.

"I wanted to show that you can make communication between these devices private by default, end-to-end encrypted by default, and secure by default — and without a 3rd party server collecting the information about the people who use the product," Sarah Jamie Lewis, the independent security researcher, told Motherboard, explaining her motives for the research, which she dubbed "oniondildonics".

Lewis used Ricochet, a messaging app that creates a Tor hidden service for each user. The app protects users' communications and also obfuscates metadata, which makes it much harder for malicious entities spying on the connection to work out who is taking part in the conversation.

The dildo, manufactured by Canadian firm We-Vibe, was reverse engineered so Lewis could communicate with it over Bluetooth. Essentially, Lewis' technique would allow anyone privy to the device's Ricochet address to remotely send commands, such as "max", to cause the device to vibrate.

Motherboard reported that internet connected sex toy makers have been known to sell products that collect users' data. Security experts have also previously exposed flaws in internet connected vibrators with cameras that could have potentially allowed hackers to spy on victims.

In March, We-Vibe agreed to pay out around $3.75m (£2.87m) after it was discovered that the firm was collecting data from its users, including how often the devices were being used and more.

"While sextech is a pretty niche area right now, it seems obvious that as attitudes shift we will see more innovation in the space, and sadly the groundwork being laid down right now is repeating much of the mistakes that the general internet-of-things domain has made—security/privacy is an afterthought," Lewis said.