Smart sex toy’s security flaws fulfil every hacker’s fantasy

David Bisson

Smart sex toy's security flaws fulfil every hacker's fantasy

Smart sex toy's security flaws fulfil every hacker's fantasy

A connectable dildo suffers from numerous vulnerabilities that make it trivial for attackers to steal users’… well, “private” data.

The “Siime Eye,” which comes to us from Svakom, is aptly named in that it’s a $250-vibrator that for some reason comes with… a camera.

All a user needs to do is turn on the device, connect to its AP (SSID: “Siime Eye”) using the default password (“888888”), open the Android or iOS app, and “install” it. From there, they can view the livestream or take pictures and video.

Tantalizing, I know.

Turned on by other researchers’ work involving smart sex toys, Pen Test Partners decided to examine Siime Eye. They quickly found a hard-coded IP address that accepted blank admin credentials. An attacker can therefore easily access the device’s Wi-Fi AP, which is configured as an access point. The AP name is also static, meaning someone could technically geolocate other users via a wardriving site like wigle.net.

Siimex 1

But that doesn’t come close to the worst of it.

With the help of some eBay clips, a BusPirate, flashrom, and a Stanley knife, Pen Test Partners dumped the dildo’s root Linux filesystem, exposed the contents of /etc/passwd, and wrote themselves in as a root user. They then grepped for “root” after poking around on /bin/camera, one of the filesystem’s binaries. This process revealed reecam4debug, the sex toy’s telnet password.

The researchers explain in a blog post what attackers could do with their exploit:

“In this case, overexposure of system services means we could write a rogue application, compel a user to connect our app to the device using the default credentials, and then use the already-inbuilt functionality to perform unsolicited actions on the device. If we could get a user to connect their device to their home Wi-Fi, we (or any website loaded within the user’s home network, in a JavaScript drive-by) could siphon all video data, Wi-Fi passwords, and a list of local networks off it and send it somewhere unsolicited.”

Bad actors could take it one step further. If they could gain physical access to a Siime Eye and access the AP, they could almost certainly establish a root shell and gain access to an unprotected version of the video stream.

It’s bad enough there are IoT products our there that threaten our kids’ privacy.

But this device rests on a whole other level of insecurity. Users should therefore think long and hard (pun intended) about whether they want to keep using Siime Eye.

If the device is indispensable, they should change the Wi-Fi password to something complex. They can also try to contact Svakom, but as Pen Test Partners didn’t receive a response after three separate messages, that might be an unfulfillable fantasy.

You can hear further discussion about this latest example of IoT security insanity in the “Smashing Security” podcast, hosted by Graham Cluley and Carole Theriault.

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

David Bisson David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One Reply to “Smart sex toy’s security flaws fulfil every hacker’s fantasy”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES