A security flaw in an internet-connected male chastity device could allow hackers to remotely lock it — leaving users trapped, researchers have warned.
The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the base of the male genitals with a hardened steel ring, and does not have a physical key or manual override.
The locking mechanism is controlled with a smartphone app via Bluetooth — marketed as both an anti-cheating and a submission sex play device — but security researchers have found multiple flaws that leave it vulnerable to hacking.
“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock,” British security firm Pen Test Partners said Tuesday.
“An angle grinder or other suitable heavy tool would be required to cut the wearer free.”
The firm also found other security flaws in the Cellmate — listed for $189 on Qiui’s website — that could expose sensitive user information such as names, phone numbers, birthdays and location data.
“It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” PTP’s Alex Lomas wrote in their report on the device.
“A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots.”
Qiui did not immediately respond to AFP’s request for comment.
PTP said it reached out to Qiui in April this year, identifying the flaws.
Qiui fixed most of the issues by updating the software, but left the older version active and its
A flaw in a smart chastity device that puts your penis on lockdown could get your appendage imprisoned longer than you bargained for, security researchers say.
The device in question, Qiui’s Cellmate Chastity Cage, encases your favorite organ in a Bluetooth-enabled gadget that a trusted partner can lock and unlock remotely using a mobile app.
The problem, according to security researchers from UK-based Pen Test Partners, is that due to API flaws, a nontrusted party acting from anywhere could not only gain access to precise user location data, but could “prevent the Bluetooth lock from being opened, permanently locking the user in.”
“There is no physical unlock,” Pen Test Partners noted Monday in a blog post that details its months-long investigation into the device. “The tube is locked onto a ring worn around the base of the genitals, making things inaccessible.”
Qiui did not immediately respond to a request for comment.
The sex toy company calls the Cellmate the “world’s first app-controlled chastity device.” It’s polycarbonate, comes in two lengths and costs $189 (about £146 or AU$265).
“Qiui believes that a true chastity experience is one that keeps the wearer away from control over their own devices,” Qiui says on its site.
Of course, there’s surrender of control by choice. Then there’s loss of control by security flaw.
If the Cellmate falls into the hands of the wrong driver, the only way out would be to cut the wearer free using an angle grinder or other heavy tool that most people would probably prefer be kept away from their sensitive areas.
This isn’t the first time sex toys have raised security concerns.
A security flaw in an internet-enabled male chastity device allows hackers to remotely control the gadget and permanently lock in wearers, researchers disclosed today.
The Cellmate Chastity Cage, built by Chinese firm Qiui, lets users hand over access to their genitals to a partner who can lock and unlock the cage remotely using an app. But multiple flaws in the app’s design mean “anyone could remotely lock all devices and prevent users from releasing themselves,” according to UK security firm Pen Test Partners.
Even worse, as the chastity cage does not come with a manual override or physical key, locked-in users have few options to break out. One is to cut through the cage’s hardened steel shackle, an operation that would require bolt cutters or an angle grinder, and that is made trickier by the fact that the shackle in question is fastened tightly around the wearer’s testicles. The other, discovered by Pen Test Partners, is to overload the circuit board that controls the lock’s motor with three volts of electricity (around two AA batteries’ worth).
News of the security flaw was first reported by TechCrunch, and it suggests it’s worth doing your research before purchasing “smart” gadgets with more intimate use cases.
“It isn’t tremendously unusual to find an issue like this in many IoT fields, and teledildonics is no real exception,” security researcher Alex Lomas of Pen Test Partners told The Verge via direct message. “Both ourselves and other researchers have found similar issues over the years with different sex toy manufacturers. I do personally feel that the most intimate devices should be held to a higher standard however than maybe your lightbulbs.”
Past security flaws discovered in internet-enabled sex toys have
Celebrity Pooja Bedi, in a complaint to the Goa Police Cyber Cell on Monday, said that her business website happysoul.in was targeted by hackers, who were now demanding a ‘ransom’ in order to restore access to her e-commerce site.
Bedi, who resides in Goa and whose website trades in organic supplements, also took to Twitter with her woes, tagging Chief Minister Pramod Sawant and Director General of Police (DGP) Mukesh Kumar Meena and saying the hackers have threatened to sell drugs and narcotic substances on her website if the ransom is not paid.
“Dear @DGP_Goa my ecommerce website http://happysoul.in HACKED AGAIN last night & this time they state if i don’t pay ransom they will sell DRUGS on my website. I have registered (an) FIR in Old Goa Police Cyber Cell last week but no action from Cops. My company regd in Goa @goacm,” the actress said in a tweet.
“Dear @GoDaddyHelp your team is NOT cooperating with our team for my hacked e-commerce website http://happysoul.in Despite my deluxe security on your server & SSL the hacker hacked AGAIN yesterday made ransom demands threatening 2 sell my data & sell DRUGS on my site,” she also tweeted, tagging the global website hosting platform.
Russia’s 2020 hacking campaigns might have included a successful data breach at the US government. In the wake of a CISA notice warning of a cyberattack on an unnamed federal agency’s network, Wired and security company Dragos have obtained evidence suggesting Russia’s state-backed APT28 group, better known as Fancy Bear, was behind the hack.
The FBI reportedly sent alerts to some hacking victims in May warning that Fancy Bear was widely targeting US networks, including an IP address mentioned in the recent cyberattack notice. There was also “infrastructure overlap” and behavior patterns pointing to the Russian group, Dragos’ Joe Slowik said. Some of the IP addresses match criminal operations, but Slowik believed Fancy Bear might be reusing criminal tech to help cover its trail.
Security expert Costin Raiu added that an apparent copy of the malware uploaded to a research repository also appeared to be a unique combination of existing hacking tools with no obvious connections to known hacking teams. While that doesn’t definitively link the malware to Fancy Bear, it suggests the attack was relatively sophisticated.
The intruders used compromised logins to plant malware and get “persistent” access to systems on the agency’s network, using that to steal files.
US officials haven’t responded to requests for comment.