Smart dildos and vibrators keep getting hacked – but Tor could be the answer to safer connected sex

Connected sex toys are gathering huge amounts of data about our most intimate moments. Problem is, they're always getting hacked. Welcome to the emerging field of Onion Dildonics

Kyle Machulis' first encounter with a connected sex toy happened more than a decade ago. The Trance Vibrator – a small, rectangular, USB-connected, black box – wasn't initially designed for sexual purposes. The vibrating appendage was released as an accompaniment for the PlayStation 2 and Dreamcast musical shooter Rez. It was intended to provide extra stimulation for people playing their way through the myriad of levels. But it didn't take long for users to adapt its purpose (slightly NSFW).

"I hooked it up to Second Life so that people could use SL as a sex interface, since they could be or do whatever they could dream up and build in the game," Machulis explains. He's spent the past decade reverse-engineering smart sex toys to make using them more fun. Even back in 2006, when the concept of connected sex toys was still fairly niche, there was considerable interest in the Rez Vibrator. "But people were also worried about others tracking their toy usage, controlling it via hacking, etcetera," Machulis says.

With the rise of the internet of things, those early fears have now been realised. News reports of security flaws in smart sex toys, and sex tech in general, are fairly common. And the story is often the same: Bluetooth flaws, problems with databases, insecure APIs and dodgy apps can allow devices to be controlled remotely or allow unauthorised access to user information.

This week, SEC Consultants found the Panty Buster and sex toys from Vibratissimo could be broken into by hackers to "remotely pleasure" people over the internet. Account details were also easily accessible. In a separate incident, a Wi-Fi connected, endoscopic dildo's internal camera was found to be accessible. In another example, the maker of the We-Vibe 4 Plus had to pay £3 million in compensation after tracking customer behaviour without consent. The list goes on.

For the uninitiated, the range of connected sex toys goes from Bluetooth vibrators to male masturbators and smart butt plugs. If there's a sex toy, you can be sure there's a connected version of it as well.

The field of teledildonics – the area's semi-official name, which stems back to the 1970s – is huge. For customers, the options for sexual satiation have never been greater, but the potential for poorly created products is also higher. "The attack surface is absolutely huge now," says Machulis, who runs the Metafetish blog. Fortunately, researchers are working to fix what is broken.

Data slurps

A number of things happen when a connected sex toy is turned on. First, there are the obvious physical actions – then there's the by-product: data. "Often any data is tangential and not intentional," says the hacker RenderMan, who specialises in the security of sex toys. The data that's often collected by these devices is similar to the information which is created from every sort of device: login times, usage duration, account names and locations.

"Analytics like favourite pattern, usage times, diagnostic data, etcetera are common and almost universally there is some sort of crash or bug reporting analytics as well," RenderMan says. "The sort of things that we may not care about on our fridge, but on our sex toys that data means a whole lot more."

The biggest problems occur when the creators of smart sex tech don't think about what the data can be extrapolated into, he adds. It's not difficult with this type of information to build up a profile of a person.

The case of the We-Vibe 4 – broken into by hackers known as g0ldfisk and follower, in 2016 – vividly demonstrated what data can be captured. Device temperature data was collected once per minute and intensity was measured in real time by the device. Who a person is with, when they're using a sex toy and what kind of sex they're having can all be gleaned from data, says anonymity and privacy researcher Sarah Jamie Lewis.

"We are currently sprinting into this world of connected sex toys and connected sex tech without regards to what consent, privacy, or security means in that context," Lewis says. There's the potential for people to spy on partners or commit sexual assaults with sufficiently advanced hacks. She adds that the companies behind connected products are interested in some of the data produced as their business models can rely on it. (Standard Innovation, the owners of the We-Vibe, said they used the We-Vibe 4's information for "market research purposes").

Researchers are now trying to change attitudes and practices. In 2016, RenderMan created the Internet Of Dongs, a project, supported by streaming website PornHub, to analyse and improve the problems with internet of things sex toys. It's covered security vulnerabilities in products, shut down conspiracies from Reddit, and created a code of conduct for those investigating security issues in sex toys.

As is often the case for researchers who find vulnerabilities in code – whether they're connected toothbrushes or critical national infrastructure – disclosing issues to their owners can be problematic. "Getting hold of them is usually not easy since they don't have a contact specifically for bugs or vulnerabilities," RenderMan says. "When I do get through they are usually surprised and a bit suspicious that someone wants to report a vulnerability in a sex toy." Similar situations have been encountered by Ken Munro of security firm Pen Test Partners, which has found numerous flaws in sex tech products.

"It's not necessarily that they are lazy, malicious, or don't care, they just did not realise that they were 100 milliseconds away from every jackass on the planet," RenderMan adds. "I'm stepping in to wake up the industry. They are making mistakes now that we solved 15 years ago."

Fixing the problem

In the summer of 2017, the vibrator sitting on Lewis' table went into overdrive. "At one point, over Twitter, I had five or six anonymous people making the vibrator on the table buzz all over the place," she says. The test was one of the first prototypes of a development called Onion Dildonics.

The system is designed to be a completely anonymised way to use a connected sex toy – without any data being sent to the company that owns it. With no data being transferred to servers, there isn't a way it can be hacked or exploited. "Anything you transfer over a network should be consensual," Lewis says. This includes metadata: the who, how, what, and when information that's recorded by products. "That information should not be available to anyone unless you explicitly give it to them."

Using the Ricochet protocols, Lewis created a way for a vibrator to be controlled remotely while being connected to the anonymous Tor network. "100% encrypted peer to peer cyber sex over tor hidden services," she wrote on Twitter at the time. Lewis says the method isn't technically hard to create, but she has been working on making versions that can be user-friendly and widely used by sex tech companies.

But increased complexity brings a trade-off between a system that is secure and one that is easy to use. "More complicated Bluetooth setup means more time connecting to and setting up the toy, and when people want to have sex, more time between them wanting to have sex and actually having sex is a real deal-breaker," Machulis says. He suggests the development of systems that are anonymous, have secure connections and don't put a user off.

When it comes to fixing software and hardware security flaws in devices, there are a few basic things that adult companies need to get right. SSL/TLS encryption for apps has to be standard. All of the people spoken to for this story emphasised simple cybersecurity protocols such as authentication through OAuth, secure storage, penetration tests, and regular audits. "Make sure developers understand security," Munro adds. "If you contract out your development, make sure the contract specifies security standards."
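To make "SSL/TLS as standard" concrete, here is an added example (not code from the article or from any of the companies or researchers it mentions) showing the TLS client configuration that many IoT companion apps ship with, beside the hardened version, together with the checks an audit or penetration test would start with. The vendor hostname is a placeholder; only Python's standard library is used.

```python
import ssl
import socket
from typing import List

# Placeholder for a vendor's API endpoint; assumed for illustration, not from the article.
API_HOST = "api.example-toy-vendor.invalid"


def weak_context() -> ssl.SSLContext:
    """The configuration often found in companion apps: certificate checks
    switched off to make a self-signed test server work, then shipped to users.
    Any network position between the phone and the vendor can impersonate the API."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate from anyone
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What the app should use: trusted CA store, certificate required,
    hostname checked against the certificate, no legacy protocol versions."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it passes
    the basic checks a security review would apply first."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed "
                        f"(minimum_version={ctx.minimum_version.name})")
    return findings


def connect(ctx: ssl.SSLContext, host: str = API_HOST, port: int = 443) -> str:
    """Shape of a correct connection: server_hostname must be passed so the
    hostname check has something to compare against. Not called below, since
    the placeholder host does not resolve."""
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

The order of the two assignments in `weak_context` is deliberate: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is one reason this pattern appears as a copy-pasted pair in app code and is easy to grep for during an audit.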

If sex tech companies don't take these things into consideration, the consequences for users could be serious. "These devices are getting cheaper, people are buying more of them," Lewis says. "If we think two, three, four years down the line where we're still seeing this basic level of security failure it is kind of terrifying what that means for the idea of remote sexual assault."

This article was originally published by WIRED UK