Industry News

Smart sex toy is oh so dumb when it comes to security

Are you familiar with the field of teledildonics?

Do you own an internet-enabled “intimate personal massager”?

Do you even know what I’m talking about?

The truth is that most of us keep our lips sealed about what we get up to in the privacy of our bedrooms, especially when it comes to sex toys. But now a couple of Australian security researchers have revealed that the vibrating friend you might be taking into your boudoir may be vulnerable to hackers.

As The Register reports, the hacking team of Goldfisk and Follower described at DEF CON how they took an up-close and personal look at the We Vibe 4 Plus, a vibrator that can be controlled over Bluetooth using a smartphone app or remote control.

And there’s the problem. The We Vibe 4 Plus is part of the internet of things, opening opportunities for you to engage in some bedroom shenanigans whether you are physically in the same room (or indeed continent) as your sexual partner or not.

As the We Vibe website puts it:

“Turn on your lover when you connect and play together from anywhere in the world.”

Which is all fine and dandy, if security and privacy have been properly considered.

The researchers, however, were able to exploit the lack of certificate pinning on the device’s Bluetooth chip, allowing them to unscramble data sent and received by the We Vibe 4 Plus. Worse still, the duo discovered they could even manipulate the data via a laptop, making it possible to activate and control the vibrator without permission.

And to compound the privacy headache, the researchers discovered that the manufacturers of the We Vibe were being sent realtime data about the intensity of the vibrator, its temperature and even which vibration mode is in use.


Who needs a backdoor when a sex toy is being so casual with its secrets as this?

Goldfisk raised concerns about what might happen to the data held on We Vibe’s servers:

“What are the implications of who they’re going to give that data to? In their privacy policy, they say we reserve the right to disclose your personally identifiable information if required to by law, but what does that actually mean?”

Standard Innovation Corporation, the developers of the We Vibe 4 Plus, say that they are only collecting information for “hardware diagnostic purposes” but it’s clear that there is the potential for privacy to be massively invaded.

At the conference, Goldfisk and Follower released a suite of tools they called “Weevil”, allowing anyone to simulate and control We-Vibe compatible vibrators saying “it’s time for you to get to play with your toys more privately and creatively than before.”

Of course, you should not try to hack another person’s vibrator without their permission. Not only might it open you up to accusations of computer hacking, but there is also the potential for you to be investigated for sexual assault.

Many of us are reluctant to turn on the lights in the bedroom when we have sex. Imagine how much worse it might feel if we found we had a spy lurking beneath the covers with us.

With the manufacturers claiming that more than two million people are using their devices, there are clearly many who might be kept awake at night for all the wrong reasons.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.