A connectable dildo suffers from numerous vulnerabilities that make it trivial for attackers to steal users'... well, "private" data.
The "Siime Eye," which comes to us from Svakom, is aptly named in that it's a $250-vibrator that for some reason comes with... a camera.
All a user needs to do is turn on the device, connect to its AP (SSID: "Siime Eye") using the default password ("888888"), open the Android or iOS app, and "install" it. From there, they can view the livestream or take pictures and video.
Tantalizing, I know.
Turned on by other researchers' work involving smart sex toys, Pen Test Partners decided to examine Siime Eye. They quickly found a hard-coded IP address that accepted blank admin credentials. An attacker can therefore easily access the device's Wi-Fi AP, which is configured as an access point. The AP name is also static, meaning someone could technically geolocate other users via a wardriving site like wigle.net.
But that doesn't come close to the worst of it.
With the help of some eBay clips, a BusPirate, flashrom, and a Stanley knife, Pen Test Partners dumped the dildo's root Linux filesystem, exposed the contents of /etc/passwd, and wrote themselves in as a root user. They then grepped for "root" after poking around on /bin/camera, one of the filesystem's binaries. This process revealed reecam4debug, the sex toy's telnet password.
The researchers explain in a blog post what attackers could do with their exploit:
Bad actors could take it one step further. If they could gain physical access to a Siime Eye and access the AP, they could almost certainly establish a root shell and gain access to an unprotected version of the video stream.
It's bad enough there are IoT products our there that threaten our kids' privacy.
But this device rests on a whole other level of insecurity. Users should therefore think long and hard (pun intended) about whether they want to keep using Siime Eye.
If the device is indispensable, they should change the Wi-Fi password to something complex. They can also try to contact Svakom, but as Pen Test Partners didn't receive a response after three separate messages, that might be an unfulfillable fantasy.
You can hear further discussion about this latest example of IoT security insanity in the "Smashing Security" podcast, hosted by Graham Cluley and Carole Theriault.Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.