From sexual security to life hack: A scary future


Hacker stealing data from computer
Believe it or not, adult toys are no longer safe devices to seek pleasure. Nor are the hearing aids to support people with hearing impairment. They can be hacked and that could be a potential risk to your life. We have heard about hackers who steal money, lock your computers with ransomware to squeeze out hefty money, digitally stalk you, social engineer your identity to make your life miserable. And now, finally, they could devastate your pleasure planets by raiding your own private world, thanks to a vulnerable technology called the BLE or Bluetooth Low Energy.
This technology allows many digital devices to be controlled by smart phones. But at the same time it masquerades real risks. Allowing digital devices to be controlled by any other technology poses huge security threats. It’s because you are knowingly or unknowingly becoming victims of outside manoeuvres. This set of movements requires skill and patience. Believe me, hackers have got plenty of both. You may ask how it happens and what are the risks that we face.

Well, let’s see things, first, subjectively. After all, empathy and love always take the front seat. Why do adult toy makers chose Bluetooth Low Energy (BLE)? Because of involvement of the aspect of poignancy. They didn’t want you to be alone always. Psychologists feel self-pleasures sometimes make people sad and alone. Any pleasure could double up with an active partner. There are various problems, ranging from sexual dysfunctions to other fetishes, where you need assistance. Through BLE you can interact with a partner during an act of self-pleasure through your smart phones. Controlling a dildo or any type of sexual toys with any other device makes sense. You are happy because your partner is participating. And that too from a distance!

But that is the main dilemma. Tighter security measures can dampen the spirit. Makers didn’t want that and they were hopeful that people would be careless about these parts and these would remain unstudied and unnoticed. It was nothing but wishful thinking. Why? Because in this age of ‘Internet of Things (IoT)’ everything digital goes under the scanner. Security has been the main concern; it is now and it will be in the future.

Now let’s see things objectively. Recently, Alex Lomas of Pentest Partners has performed a security analysis on a number of BLE-enabled sex toys. It includes the Lovense Hush — a BLE-connected butt plug designed to allow control by the owner’s smart phone. A partner’s phone can control it via the device’s mobile application.

Lomas used a Bluetooth ‘dongle’ and antenna, and he was able to intercept and capture the BLE transmissions between the devices and their associated applications.

What does that mean? Suppose A and B are two partners and they are controlling their pleasure remotely with their smart phones. Now C, an outsider, intercepts the transmission and A suddenly finds that her vibrator’s speed jumps up or inside her body a toy starts behaving madly. It could be really dangerous. You may ask how C comes to know about the transmission that was supposed to be known by only A and B. You have probably heard about the dogs that are trained and used by the police or army to find hidden drugs and bombs by smelling them. Hackers use sniffing hardware to track Bluetooth Low Energy (BLE) just like this. Bluefruit or Ubertooth is a great tool to sniff the BLE. Many hackers use a special version of Linux — Kali. This Kali linux has no connection with the goddess Kali. It’s packaged with many hacking tools. Anybody can use a cheap five pound BLE dongle to visualize the transmitting packets in special hacking software called Wireshark. I could have written the commands that are used to scan the BLE devices running near your laptop to find out the Media Access Control (MAC) addresses of those digital devices.
Media Access Control (MAC) addresses are usually permanent by design. There are several methods that hackers use which allow modification or ‘spoofing’. Once a hacker knows the MAC of any device, it seems to be much easier to manipulate the devices. It’s because one could see the movement of the device as numbers and strings in the command line of the Linux-operated laptop.

Usually there is no PIN or password protection. If there is any PIN, that is also static and generic. Engineers test this on many toys like Kiiroo Fleshlight, Lelo, Lovense Nora and Max. It’s found that there is only one protection with which the BLE device comes up and that is that it pairs with one device at a time; but, the range is limited and if the user walks out of the range of the smart phone it doesn’t work any more and the adult toy becomes a victim. Hackers make a snatch by connecting to it without any authentication.

We should make one point very clear at this stage. Using adult toys doesn’t mean that you’re always at risk of harming yourselves or putting your privacy in jeopardy. These devices actually help people stay positive in their sexual lives and they should be able to use them without fear of any type of compromise or injury to their bodes. Hopefully, in the future, makers will stress more on security perspective and that willl boost the confidence of the users. It’s not desirable that someone from outside could be able to drive the toy’s motor to high speed and make it unstoppable.

Reverse engineering the control messages between apps and a number of such devices run by the BLE technology is not very difficult. However, it can be improved. It’s important for another reason: because, the same rule applies to hearing aids. The same technological vulnerability and the same fear persist. It’s not a pleasing affair that someone would suddenly eavesdrop and take control of the transmission running between the device and the outer sound wave. A sudden jump or enhancement of the sound could lead to permanent smashing up of the hearing tissues. The BLE technology of these devices also makes them particularly vulnerable to remote detection.

That’s a separate topic and we could have an interesting discussion on how spy masters use the hacking tools at present; may be later on another occasion.

[email protected]