If you’re using an internet-connected vibrator equipped with a camera that allows you to stream your “pleasure” right to the internet, your intended viewers might not be the only ones watching.
Hackers from the UK-based security firm Pen Test Partners have found that it’s trivially easy to hack into a Svakom Siime Eye, a $249 Internet of Things dildo that has a small camera on its tip, allowing users to stream a video to anyone of their choosing over the internet (here’s some example footage – warning: NSFW; can be disturbing). However, if you’re in Wi-Fi range of the dildo and can guess the password, which by default is “88888888,” you can watch the video stream. With a bit more hacking, you can take control of the firmware and then connect to it remotely as well.
“When somebody is using it, someone else could be seeing the video stream,” said Ken Munro, the founder of Pen Test Partners.
What’s worse, “you’d never know about it,” said the researcher who investigated the security of the device, who asked to be referred to only as Beau du Jour.
Of course, this is not the first dildo to get hacked. Security researchers have time and time again warned that some of the new internet-connected sex toys were awfully insecure, and a privacy nightmare. Earlier in March, the maker of a connected vibrator that collected sensitive personal information agreed to pay $3.7 million to settle a class-action lawsuit.
But it’s the first dildo hack that could potentially expose live footage of someone’s most intimate parts (literally).
Beau du Jour found that the Siime Eye creates a Wi-Fi internet access point whose password, by default, is “88888888.” That way, anyone in range can connect to it by guessing the simple password, as he explained in a blog post published on Monday. By looking at the code of the mobile app that comes with the dildo, the researcher also found that once on the dildo’s Wi-Fi, you can access its webserver. This has a login portal, but the user is “admin” and the password is blank.
By reverse engineering the firmware, Beau du Jour found a way to get root—hacker speak for taking full control of it—and get persistence on the device, meaning that he could connect to it even outside the range of the Wi-Fi. At that point, it was game over for the smart camera dildo.
The researcher said he tried to warn Svakom of these vulnerabilities with repeated emails in December, January, and February, but he received no response. The company did not respond to a request for comment either.
The researchers also found that because the device always creates a Wi-Fi access point with the same name, it’s possible, in theory, to just drive around a city and look for Wi-Fi networks called “Siime Eye.” Some of these networks, in fact, have been logged on the Wi-Fi wardriving site wigle.net.
“The fact they chose to use Wi-Fi was utterly stupid,” Munro said in a phone interview.
Once again, the lessons learned with this dildo show us that most Internet of Things devices aren’t ready for prime time. And they’re not designed with the basic security principles that can safeguard users’ privacy in mind. From Teddy Bears to medical washing machines, and from lightbulbs to freaking Crock-Pots, the Internet of Things is still the Internet of Shit when it comes to security.
So, for now, Munro’s advice to anyone owning a Siime Eye is to throw the device away “and never use it again.”