Remote sex toys might spice up your love life – but crooks could also get a kick out of them
A CyberNews investigation has revealed that Lovense remote sex toy users might be at risk from threat actors, due to poor security features.
Lovense boasts that its teledildonic sex toys will spice up your sexual relationship. By using wireless remote control, you can customize vibrations and adjust them to your body, or give pleasure to someone across a room or even miles away.
Remote-control sex toys have been around since 2010. Back then, as smartphones were not as popular, these toys were controlled by Skype. With the arrival of Bluetooth and WiFi, the remote sex toy market grew significantly. These days, they are controlled by apps on our phones, with IP, WebRTC, and Bluetooth protocols used to transmit data.
Hong Kong-based Lovense is one of the biggest brands that makes remote sex toys. So, the CyberNews Team decided to test its devices and interfaces to check how secure they are.
Researchers found some worrying security practices, including a lack of obfuscation, a dependence on third-party frameworks and application programming interfaces (APIs) to deliver cross-platform apps, a high number of public exploits surrounding the Bluetooth protocol, a few probable Denial of Service (DoS) cases, and several access points which – according to the CyberNews Team – should not be accessed.
In 2017, Lovense customers complained that the app recorded users’ remote sex sessions. The company admitted there was a “minor bug” that affected Android users, but insisted no data was sent to the company’s servers, and that the recordings existed only for a short period of time.
“User safety has always been our highest priority, and this is why Lovense has invested significant resources to participate in private bug bounty programs. We are the first sex tech company to do this,” Lovense told CyberNews after the research team informed the manufacturer of its findings.
The company said it updates its software to address any concerns that arise and is committed to the privacy and security of its users.
“We also cooperate with cybersecurity labs such as Internetofdon.gs and ESET Research, addressing vulnerabilities and software bugs to provide users of our products and services with a safe, secure and smooth experience,” it added.
To carry out this investigation, the CyberNews team used one of the most comprehensive mobile app security assessment frameworks on the market – the Mobile Security Framework (MobSF) – to analyze the code of the Lovense Remote Android App. MobSF is an interface for a set of tools used by security researchers to perform static and dynamic analysis of Android apps.
MobSF gave a below-average security score – 19 out of 100 – as it detected three trackers in the Lovense Remote Android App. Note that the low score is due to the many permissions that the app legitimately needs to function.
It also detected the Janus vulnerability on old Android devices (versions 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, and 8.0), ten dangerous permissions, and an insecure configuration that permitted cleartext or unencrypted traffic to all domains.
Lovense noted that the scope of the Janus vulnerability is fairly limited: “It only affects applications signed with Android’s original JAR-based signing scheme, which was replaced with Signature Scheme v2 in Android 7.0, released in 2016. We use v2 in common channels except Google Play. For the package published on Google Play, we use AAB, which is not affected by this.”
As for the ten “dangerous permissions”, Lovense said that all of them are necessary to enable app functions. It needs network and Bluetooth connections, and GPS permission for Android 6.0 and later versions to use Bluetooth. The app doesn’t apply this permission without explicit user consent.
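The cleartext finding above can be checked in any Android app's network security configuration. The following is an added example, not code from CyberNews, MobSF or Lovense; it assumes the setting lives in a `network_security_config.xml` file, and both sample files and the function name `audit_cleartext` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples; neither is taken from the Lovense app.
WEAK = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""

HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">device.example</domain>
  </domain-config>
</network-security-config>"""


def _allows(elem, inherited):
    """Return the element's cleartext setting, or the inherited one if unset."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def audit_cleartext(xml_text, target_sdk=28):
    """List (scope, domains) pairs where plain HTTP is permitted."""
    root = ET.fromstring(xml_text)
    # Platform default when nothing is declared: allowed up to API 27, denied from 28.
    default = target_sdk <= 27
    base = root.find("base-config")
    base_allows = default if base is None else _allows(base, default)
    findings = []
    if base_allows:
        findings.append(("base-config", ["*"]))  # every domain

    def walk(parent, inherited):
        # Nested domain-config elements inherit from their parent.
        for cfg in parent.findall("domain-config"):
            allows = _allows(cfg, inherited)
            if allows:
                names = [(d.text or "").strip() for d in cfg.findall("domain")]
                findings.append(("domain-config", names))
            walk(cfg, allows)

    walk(root, base_allows)
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_cleartext(sample))
```

The weak sample is reported as permitting cleartext to every domain, while the hardened one is reduced to a single named exception that a reviewer can justify or remove.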
Just by intercepting traffic from the remote-control link, CyberNews researchers managed to associate 11 addresses with the operation of Lovense: lovense.com; tests2.lovense.com; apps2.lovense.com; apps.lovense.com; tests.lovense.com; c.lovense.com; coll.lovense.com; activity.lovense.com; www.lovense.com; hytto.com; and 126.com.
Lovense also seemed to be connecting to their testing server addresses – a method typically used to trial website layouts, shopping carts and memberships, among other things. But such addresses – endpoints for an app intended only for testing and typically used to send, receive or recall data – should not have been left exposed after the website went live.
Lovense noted that it occasionally leaves some domains in production for internal testing by connecting to its test servers, but claimed “our regular users will never use these test domains.”
Lovense uses Cloudflare web application firewall (WAF) and IP proxying tools, meaning that a malicious actor would still have difficulty pinpointing the attack surface.
However, a couple of addresses seem to be leaking valuable information by confirming what servers they use. CyberNews believes that these access points – or at least the information about the IP addresses – should be shielded completely.
Most of the Lovense front-end website for controlling a remote device is built on cheap and rather old technology, dating back to around 2016. Its cross-platform apps use the ElectronJS framework, which is considered vulnerable with many publicly listed flaws.
However, the company dismissed concerns that this outdated technology could prove vulnerable to cyber attacks.
“Electron is a good framework that more and more organizations are using – such as Facebook Messenger, Twitch, and Microsoft Teams,” it said. “It might be a vulnerable framework, but we make it as safe as possible.”
The cross-platform apps also use a control interface on the web. When users open an app and connect their toys, it generates a link shared with their sexual partners. Once they open that link, they are presented with a user interface that controls the sex toy. The technology, as stated above, is rather old and rarely updated, and therefore might be susceptible to attacks.
Lack of obfuscation
Keeping in mind that Lovense develops such discreet products for its customers, it should try to conceal its code or the code of the third parties it relies on. Unobfuscated code could lead to reverse engineering – threat actors or competitors deconstructing the code to extract design information, or to use it for more malicious purposes.
“We have obfuscated most of our core code except some unimportant code or [those] that can’t be obfuscated,” the company said.
Risk of DoS
Some of the endpoints of Lovense servers mentioned above are set for extensive time-out, which could potentially lead to DoS attacks on their servers. However, Lovense pointed out that it uses Cloudflare, and those endpoints do not reach its server.
It is also important to note that, since Lovense devices depend on Bluetooth, they are susceptible to Bluetooth DoS. If such an attack were to occur, legitimate users would not be able to properly use their sex toys, nor the apps and systems that control them.
Is it really safe to use Bluetooth-controlled sex toys?
The Bluetooth protocol is infamous for its susceptibility to data leaking, DoS, and code-execution vulnerabilities.
In 2004, Nokia and Ericsson admitted that some of their Bluetooth-enabled devices were vulnerable to unauthorized access to information from a wireless device through a Bluetooth connection, called “bluesnarfing”. This means a threat actor could read, modify and copy users’ address books and calendars without leaving any trace.
Last year, researchers at the Singapore University of Technology and Design (SUTD) discovered a group of vulnerabilities, BrakTooth, in commercial Bluetooth chipsets affecting billions of end-user devices. Some of the flaws have still not been patched.
The results of that research were astounding. One of the exploits uncovered even managed to achieve arbitrary code execution. Thus, we couldn’t help but wonder, is it safe to use Bluetooth-controlled sex toys?
What is more, in 2017, Italian infosec researcher Giovanni Mellini revealed in a blog post that he had successfully hacked a Lovense butt plug sex toy using a Bluetooth Low Energy (BLE) scanner.
Lovense admitted that Bluetooth may not be a very secure protocol, but is nonetheless practical and commonly used.
“For example, [electric car manufacturer] Tesla uses Bluetooth on its keys,” said Lovense. “We are doing our best to make it as safe as possible. Based on its security and convenience, we still think it’s a good choice for sex toys. Malicious parties would need to be within Bluetooth range of a Lovense toy at the exact same time the user was pairing it to their own device.
“Though theoretically possible, there would need to be a very particular and unlikely set of circumstances for a Lovense toy to be hacked. In the unlikely event that a toy connection was intercepted by a malicious party, the toy could simply be powered off manually.”
Conclusion: Lovense should up its security game
Lovense is trying to up its security game by implementing cryptography in its products. However, the implementation and general oversight of its security practices seem rather sloppy.
Lack of obfuscation in all of its applications, use of third-party libraries, APIs, and easy enumeration of testing servers point to an overall lack of concern for user privacy.
Moreover, the Bluetooth protocol used by the devices isn't the most secure choice either. A cyber attack against the company could lead to DoS, disabling the devices, or data breach.
All Lovense apps – Cam, Remote, and Connect – require registration, which stores the user's email, username, and password. If attackers were to target Lovense’s servers, they would most likely go after such sensitive information.