Smart sex toys made by German company 'Amor Gummiwaren GmbH' contained several critical vulnerabilities that could let hackers remotely take control of vibrators.
According to cybersecurity firm SEC Consult, the entire "Vibratissimo" product range was compromised, with a slew of user information being exposed to the internet without adequate protection. In its research, the company tested a device known as the 'Panty Buster'.
In an advisory published Thursday (1 January), researchers said bugs in a customer database meant that attackers could have easily accessed user details, including "names, cleartext passwords and explicit image galleries" being stored by the company.
According to the Vibratissimo website, the business offers a community akin to social media that allows customers to create profiles and message friends. The security firm said that the information exposed to the internet included batches of intimate chat logs.
The toys in question can be linked up to smartphone software, available on iOS and Android. The application, in which the vulnerabilities were found, lets users "create their own vibrations" and "hand your partner over the control of your Vibratissimo wherever he is".
But flaws in the cloud platform that linked the sex toys to the internet meant that hackers could "remotely pleasure individuals without their consent", SEC Consult said.
The cybersecurity company elaborated: "The mobile apps allow their users to use a feature called quick control. This feature allows a user to send a link with a unique ID to an email address or a telephone via SMS to get direct control of the sex toy over the internet.
"This wouldn't be a problem in general if the link containing the ID would be random and long enough. It would be quite useful if the receiving user must confirm the remote control before being controlled by the other user. Unfortunately this is not the case."
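The two fixes SEC Consult describes, a link ID that is long and unpredictable and an explicit confirmation by the person being controlled before any command is honoured, are illustrated below in a small hypothetical quick-control backend. This is an added example written for this article, not code from the Vibratissimo apps, their backend or SEC Consult; the class and method names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32        # 256 bits from the OS CSPRNG: not a short or sequential ID
LINK_TTL_SECONDS = 600  # an unconfirmed link stops being valid after ten minutes


@dataclass
class ControlSession:
    owner: str          # account of the person wearing the device
    created_at: float
    confirmed: bool = False  # owner must opt in before any command is accepted


class QuickControlService:
    """Hypothetical hardened quick-control flow (assumed design, not the vendor's)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> ControlSession

    def issue_link(self, owner: str) -> str:
        # URL-safe random token (43 characters) that is infeasible to guess or enumerate
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = ControlSession(owner, self._clock())
        return token

    def confirm(self, owner: str, token: str) -> bool:
        # Only the device owner may grant control, and only while the link is fresh
        s = self._sessions.get(token)
        if s is None or s.owner != owner:
            return False
        if self._clock() - s.created_at > LINK_TTL_SECONDS:
            del self._sessions[token]
            return False
        s.confirmed = True
        return True

    def send_command(self, token: str, intensity: int) -> bool:
        # Refuse unless the link exists, was confirmed, and the value is within range
        s = self._sessions.get(token)
        if s is None or not s.confirmed:
            return False
        return 0 <= intensity <= 100

    def revoke(self, owner: str, token: str) -> bool:
        # The owner can withdraw control at any time
        s = self._sessions.get(token)
        if s is None or s.owner != owner:
            return False
        del self._sessions[token]
        return True
```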
Based on app store statistics, the company said between 50,000 and 100,000 users may be affected. The smart-vibrator company was storing users' passwords in cleartext.
Researchers said the products had unauthenticated Bluetooth connections that could be exploited to alter the "intensity" of the vibration and read the temperature of the device.
"In recent years the Internet of Things (IoT) received more and more attention," SEC Consult wrote in a blog post, discussing the scope of the vulnerabilities.
"It promises to connect literally everything with anything: cars, buildings, home appliances, or even more exotic things like fridges, walkways or baby cams. To most people this sounds quite futuristic, but it is definitely not the case. The future has caught up with us."
Researchers said that users should update their apps and change all passwords immediately. While the Panty Buster was the sole device tested, experts said the whole range had "varying functionalities but the same mobile apps and backends", which were developed by external companies.