A flaw in a smart chastity device that puts your penis on lockdown could get your appendage imprisoned longer than you bargained for, security researchers say.
The device in question, Qiui’s Cellmate Chastity Cage, encases your favorite organ in a Bluetooth-enabled gadget that a trusted partner can lock and unlock remotely using a mobile app.
The problem, according to security researchers from UK-based Pen Test Partners, is that due to API flaws, a nontrusted party acting from anywhere could not only gain access to precise user location data, but could “prevent the Bluetooth lock from being opened, permanently locking the user in.”
“There is no physical unlock,” Pen Test Partners noted Monday in a blog post that details its months-long investigation into the device. “The tube is locked onto a ring worn around the base of the genitals, making things inaccessible.”
Qiui did not immediately respond to a request for comment.
The sex toy company calls the Cellmate the “world’s first app-controlled chastity device.” It’s polycarbonate, comes in two lengths and costs $189 (about £146 or AU$265).
“Qiui believes that a true chastity experience is one that keeps the wearer away from control over their own devices,” Qiui says on its site.
Of course, there’s surrender of control by choice. Then there’s loss of control by security flaw.
If the Cellmate falls into the hands of the wrong driver, the only way out would be to cut the wearer free using an angle grinder or other heavy tool that most people would probably prefer be kept away from their sensitive areas.
This isn’t the first time sex toys have raised security concerns.
A security flaw in an internet-enabled male chastity device allows hackers to remotely control the gadget and permanently lock in wearers, researchers disclosed today.
The Cellmate Chastity Cage, built by Chinese firm Qiui, lets users hand over access to their genitals to a partner who can lock and unlock the cage remotely using an app. But multiple flaws in the app’s design mean “anyone could remotely lock all devices and prevent users from releasing themselves,” according to UK security firm Pen Test Partners.
Even worse, as the chastity cage does not come with a manual override or physical key, locked-in users have few options to break out. One is to cut through the cage’s hardened steel shackle, an operation that would require bolt cutters or an angle grinder, and that is made trickier by the fact that the shackle in question is fastened tightly around the wearer’s testicles. The other, discovered by Pen Test Partners, is to overload the circuit board that controls the lock’s motor with three volts of electricity (around two AA batteries’ worth).
News of the security flaw was first reported by TechCrunch, and the incident suggests it’s worth doing your research before purchasing “smart” gadgets with more intimate use cases.
“It isn’t tremendously unusual to find an issue like this in many IoT fields, and teledildonics is no real exception,” security researcher Alex Lomas of Pen Test Partners told The Verge via direct message. “Both ourselves and other researchers have found similar issues over the years with different sex toy manufacturers. I do personally feel that the most intimate devices should be held to a higher standard however than maybe your lightbulbs.”
Past security flaws discovered in internet-enabled sex toys have