- Smart Bluetooth male chastity lock, designed to let the user give remote control to a trusted 3rd party via a mobile app/API
- Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves
- Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas
- Precise user location data was also leaked by the API, along with personal information and private chats
- Vendor initially responsive, then missed three remediation deadlines they set themselves over a 6-month period
- Then finally refused to interact any further; the majority of issues were resolved in the migration to the v2 API, yet API v1 was inexcusably left available
- This post is published in coordination with Internet of Dongs.
Smart adult toys and us
We haven’t written about smart adult toys in a long time, but the Qiui Cellmate chastity cage was simply too interesting to pass by. We were tipped off about the adult chastity device, designed to lock up the wearer’s appendage.
There are other male chastity devices available but this is a Bluetooth (BLE) enabled lock and clamp type mechanism with a companion mobile app. The idea is that the wearer can give control of the lock to someone else.
We are not in the business of kink shaming. People should be able to use these devices safely and securely without the risk of sensitive personal data being leaked.
The security of the teledildonics field is interesting in its own right. It’s worth noting that sales of smart adult toys have risen significantly during the recent lockdown.
What is the risk to users?
We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock. The tube is locked onto a ring worn around the base of the genitals, making things inaccessible. An angle grinder or other suitable heavy tool would be required to cut the wearer free.
Location, plaintext passwords and other personal data were also leaked by the API, with no authentication required.
We had particular problems during the disclosure process, as we would usually ask the vendor to take down a leaky API whilst remediation was being implemented. However, anyone currently using the device when the API was taken offline would also be permanently locked in!
As you will see in the disclosure timeline at the bottom of this post, some issues were remediated but others were not, and the vendor simply stopped replying to us, journalists, and retailers. Given the trivial nature of finding some of these issues, and that the company is working on another device that poses even greater potential physical harm (an “internal” chastity device), we have felt compelled to publish these findings at this point.