Thursday, 8 October 2020

New Hack Turns ‘Smart’ Male Chastity Device Permanent

In my time at ExtremeTech, I’ve developed a habit of covering some of the worst ideas the IoT collectively has to offer. We’ve discussed personal butthole scanning, self-igniting heating ovens, microwaves with integrated Netflix, bricked shoes, smart toasters, and Juicero, the $700 juicer with rapidly-expiring DRMed bagjuice that rivaled the best hand-pulped beet squeezings you’d never want to drink.

Today, I bring news of a frustrating flaw in the Qiui Cellmate, a remote-controlled male chastity device from the cutting-edge field of teledildonics, a word that combines the Greek word meaning “remote” with an even worse version of the word “dildo” that sounds like it was coined by Data during his “Sexy Riker beard” phase.

Note: I did research for this story, and you’re going to be the unlucky recipients of it.

The Qiui Cellmate is a metal and neoprene device designed to be worn by a man as a deliberate means of preventing him from having sex. As near as I can tell, this fetish is created by taking the wrong lesson from not being allowed to eat cookies as a child. Ever seen a kid that can’t have cookies staring at a cookie jar? It’s kinda like that, except instead of wanting to eat cookies, you get really into the feeling of wanting to eat cookies… without (necessarily) ever getting around to eating them.

No, that’s not sexual innuendo. You’ll know when I’m invoking sexual innuendo, trust me. Or, maybe you won’t. If you get frustrated trying to figure out when I’m employing double entendres, you’re getting into the spirit of the fetish, at least as I understand it. I admit, I may not have a sound grasp of the principles. This is a bit off our beaten path.

These devices come in an astonishing range of materials, colors, sizes, and shapes, which makes sense considering this is a fetish intended to encase what is, perhaps, the least-encasable part of a human body. Since you probably haven’t considered this idea before, and I’ve been forced to, I’d like you to consider a glove. Now, imagine your fingers were sometimes twice as long as they are right now, and sometimes half the length. Sounds inconvenient, right? Now, imagine playing the same game, only you’re doing it with a metal tube-and-ring contraption that fits around the place men least enjoy encountering unexpected, sharp pressure. Some people do this for fun. Uncomfortable yet? SO AM I. 

Nobody is taking themselves *too* seriously in all of this, except hopefully for those who took seriously the idea of being in one of these.

Now that we’ve locked down the meaning of what a chastity device is, let’s talk about what makes this one special: Bluetooth.

Well, Bluetooth and the kind of casual attitude towards security that’s either a turn-off (because your partner isn’t paying attention) or a turn-on. According to Reddit, a lot of people like these things to have really long timers. Qiui’s Cellmate cocks up its locking mechanism in one critical way: The company completely forgot to secure it. As a result, any random jackoff could theoretically take control of it and lock it forever. This is according to security firm PenTestPartners, whose name is absolutely not snicker-worthy in this context, and their faithful sidekick, the Internet of Dongs Project.

The IoD (IDOP?) focuses on security in sex toys, which is a worthwhile idea IMO, thanks to the intimate circumstances in which such devices are used and the degree of personal information that could be milked from them. According to the IoD, the Cellmate has a number of security problems, including:

  • No alternative to the Bluetooth locking/unlocking mechanism, which means no physical key or mechanical bypass.
  • All data in the company database was accessible via the API, including usernames, passwords, email addresses, gender, phone numbers, friends, and even recorded GPS location.

When contacted, Qiui was somewhat responsive and rolled out a new version of its API which fixed some problems but caused others. It also rolled out API v2 without retiring API v1, meaning all customer PII was still available via the original API interface. This is the “Maybe if I tell everyone to come ’round to the back door, they won’t notice that my front door is actually a blanket” method of computer security. The company went silent for months thereafter, and it wasn’t until the folks at IoD talked to PenTestPartners and realized they were also trying to report the same vulnerabilities to the same company that the two groups decided to daisy-chain the release of their findings to the public.

As PenTestPartners notes, “We are not in the business of kink shaming. People should be able to use these devices safely and securely without the risk of sensitive personal data being leaked.” ExtremeTech agrees with this as a matter of principle. What consenting adults do — or don’t do — is 100 percent their business.

Remote attackers, according to PTP, can cause the device to lock, permanently, requiring the use of an angle grinder and/or approximately four quarts of lube to remove. I will not be testing whether the latter is a solution and you shouldn’t, either. The good news is that if you wind up locked into one of these things — and frankly, PTP’s discussion doesn’t make it sound like the company is long for this world, which means you really might not want to keep it on — there’s a guide on how you can try to short the motor and remove it, here.

In all seriousness, the implication of PenTestPartners’ blog post is that the failure of the company behind the app could leave the app offline, which would also leave the device locked. For that reason alone, a toy like this is a bad idea. While all the coverage has been about the idea of being hacked, the disappearance of the company (which was reportedly down to very little funding over the summer) could be a much bigger threat. Also, to leave you with a final bit of trivia, it’s a holiday month in the chastity fetish community! Happy “Locktober.”

You’re welcome.
