Siime Eye
Siime Eye may leave images and videos of sex acts exposed to hackersSiime Eye/Svakom

An internet-of-things (IoT) connected vibrator that lets users record their sex acts has been criticised by security researchers for having built-in vulnerabilities that could let hackers use a simple WiFi connection to snoop on unassuming victims.

Experts from Pen Test Partners conducted an in-depth test on the $250 sex toy – dubbed the Siime Eye. It has a 0.3 megapixel camera and has a "hidden searchlight" that can then be connected to PCs, tablets and phones via WiFi. It also works with an app for iPhone and Android.

"The camera not only allows you know the subtle changes inside of your private areas. You can also record and share the wonderful sex adventure to your partner via pictures or videos," its website states.

Unfortunately, experts said this content may be exposed to more than just a loved one.

The Siime Eye's WiFi access point comes with a severely weak password of "88888888" and has a relatively limited functionality, Pen Test researcher Beau du Jour, said in a blog post.

The source code, however, also includes hard-coded credentials IP address – meaning they can't be altered.

Getting past its back-end security was "trivial", du Jour said, adding it could be bypassed with a simple 'admin' credential input and blank password. The hack could provide "complete control" over the device, easy access to the video stream, a root shell and persistence.

"Remember, the credentials are hard-coded in the official app, so any user wanting to use the Siime Eye the official way will never change these credentials," the expert said. "If you can get onto the wireless AP, you'll have instant access to everything on this web application.

"It allows multiple concurrent connections too, without any fuss at all."

The problems don't end there, however. Pen Test Partners said that using specific tools it would also be possible to geo-locate users of the product. "Using Wi-Fi is logical [...] but most IoT devices would be configured to operate as a Wi-Fi client not an access point," du Jour wrote.

In a video released on the same day as the research, Pen Test Partners security expert Ken Munro demonstrated the hack in action. "In poking around with it we discovered there was a command injection in one of the interfaces," he said.

"Get it going and you can exploit the video stream which I think is really quite scary," he added. "You can drive by someone's house who has got one of these devices, hook up over WiFi, and exploit their connection – probably something you really don't want to be seeing."

US company Svakom, makers of the Siime Eye products, is not the first sex-toy developer to face trouble for its cybersecurity practices. Only last month, a company called Standard Innovation which makes the WeVibe product line, lost a class-action lawsuit for data misuse.

It was ordered to pay up $3.75m to settle the legal action for tracking customers' use without consent. The "smart" product allowed users' partners to activate the sex toy remotely, however in reality left the product wide open to compromise via a simple Bluetooth attack.