Smart sex toy's security flaws fulfil every hacker's fantasy

Nothing says “sexy” like a vulnerable vibrator….

Smart sex toy's security flaws fulfil every hacker's fantasy

A connectable dildo suffers from numerous vulnerabilities that make it trivial for attackers to steal users'... well, "private" data.

The "Siime Eye," which comes to us from Svakom, is aptly named in that it's a $250-vibrator that for some reason comes with... a camera.

All a user needs to do is turn on the device, connect to its AP (SSID: "Siime Eye") using the default password ("888888"), open the Android or iOS app, and "install" it. From there, they can view the livestream or take pictures and video.

Tantalizing, I know.

Turned on by other researchers' work involving smart sex toys, Pen Test Partners decided to examine Siime Eye. They quickly found a hard-coded IP address that accepted blank admin credentials. An attacker can therefore easily access the device's Wi-Fi AP, which is configured as an access point. The AP name is also static, meaning someone could technically geolocate other users via a wardriving site like wigle.net.

Siimex 1

But that doesn't come close to the worst of it.

With the help of some eBay clips, a BusPirate, flashrom, and a Stanley knife, Pen Test Partners dumped the dildo's root Linux filesystem, exposed the contents of /etc/passwd, and wrote themselves in as a root user. They then grepped for "root" after poking around on /bin/camera, one of the filesystem's binaries. This process revealed reecam4debug, the sex toy's telnet password.

The researchers explain in a blog post what attackers could do with their exploit:

"In this case, overexposure of system services means we could write a rogue application, compel a user to connect our app to the device using the default credentials, and then use the already-inbuilt functionality to perform unsolicited actions on the device. If we could get a user to connect their device to their home Wi-Fi, we (or any website loaded within the user’s home network, in a JavaScript drive-by) could siphon all video data, Wi-Fi passwords, and a list of local networks off it and send it somewhere unsolicited."

Bad actors could take it one step further. If they could gain physical access to a Siime Eye and access the AP, they could almost certainly establish a root shell and gain access to an unprotected version of the video stream.

It's bad enough there are IoT products our there that threaten our kids' privacy.

But this device rests on a whole other level of insecurity. Users should therefore think long and hard (pun intended) about whether they want to keep using Siime Eye.

If the device is indispensable, they should change the Wi-Fi password to something complex. They can also try to contact Svakom, but as Pen Test Partners didn't receive a response after three separate messages, that might be an unfulfillable fantasy.

You can hear further discussion about this latest example of IoT security insanity in the "Smashing Security" podcast, hosted by Graham Cluley and Carole Theriault.

Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

One Response

  1. Michael Ponzani

    April 6, 2017 at 10:49 pm #

    Do we really need Smart Dildoes?

Leave a Reply