Hong Kong-based sex toy company Lovense's remote control vibrator app was found secretly recording users' intimate sessions without their consent and storing them in the app's local folder. A Reddit user reported that the app recorded a six-minute session without their knowledge and saved it to a local file buried in the phone's media storage.
"The lovense remote control vibrator app seems to be recording while the vibrator is on," the Reddit user named 'tydoctor' said in a post on Wednesday (8 November). "I was going through my phone media to prepare it for a factory reset and came across a .3gp file named 'tempSoundPlay.3gp' in the folder for the App. The file was a FULL audio recording 6 minutes long of the last time I had used the app to control my SO's remote control vibrator (We used it at a bar while playing pool)."
The user noted that they had granted the app access to the microphone and camera only for use with the in-app chat function and for sending voice clips on command.
"At no time had I wanted the app to record entire sessions using the vibrator," the user said. "I'm not tech savvy enough to know if the recording had been sent to them or not, but I assume this is the case given the history of the industry and their disregard for privacy. I have deleted the app, and will no longer be using its Bluetooth functions."
Other Reddit users also reported finding similar audio files on their own devices.
Another user claiming to represent Lovense responded to the post saying it was a "minor bug" that only seemed to affect the Android version of the app and not the iOS version.
"Regarding the sound file in question, it has already been confirmed that this is a minor bug — a temporary file that is created when someone uses the Sound Control feature," the representative said. "Your concern is completely understandable. But rest assured, no information or data is sent to our servers. This cache file currently remains on your phone instead of deleting itself once your session is finished. Also, when the file is created it overwrites itself (no new files are created)."
They later said that the bug had been fixed and that an updated version of the app was available for download in the Google Play Store. The patch deletes the temporary audio file 'tempSoundPlay' when the user exits the Sound Control feature, and the app performs an extra check and deletes the file every time it is launched, they noted.
"Absolutely no sensitive data (pictures, video, chat logs) pass through (or are held) on our servers," the firm's policy states. "All data transfers are peer-to-peer. Furthermore, we encrypt the data before passing it along to your partner. The same data encryption technology that Google, Skype, Facetime and others use — It would be nearly impossible for someone to obtain any of the content that is happening on our platform."
This isn't the first time security and privacy concerns have been raised over connected sex toys.
Earlier this year, a butt plug by Lovense called the Hush was found to be vulnerable to hackers. In March, Standard Innovation, the makers of We-Vibe vibrators, shelled out $3.75m (£2.84m) to settle a class action lawsuit after its Bluetooth-enabled devices allegedly collected and recorded users' personal data.