UPDATED 21:53 EST / OCTOBER 06 2020


Vulnerabilities in connected chastity device could allow hackers to lock users in

Security vulnerabilities discovered in a smart internet-connected chastity device could allow hackers to lock users into the device.

Discovered and publicized today by security researchers at Pen Test Partners LLP, the vulnerabilities were found in the Cellmate Chastity Cage, a device manufactured by FoShan QIUI Technology Development Co. Ltd. The device connects to a smartphone app via Bluetooth, allowing the wearer or the wearer’s partner to lock or unlock the chastity cage.

The vulnerabilities relate to the app’s application programming interface. An insecure direct object reference vulnerability in the API lets anyone retrieve another user’s data simply by supplying that user’s identifier, with no authentication required.

Gaining access to a user’s account, and hence to their device, only required an extended member code, a code that is “somewhat deterministic” and is based on the date the user signed up for the service. The researchers, however, found an even easier way in: a short “friend code.”

In tests using the friend code, they were able to obtain sensitive information such as user names, phone numbers, birthdays, the exact co-ordinates where the app was opened, the user’s longer “memberCode” value and the user’s plaintext password (the last of which was not even needed to gain access).

“It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” the researchers noted.

For the exercise, the researchers pulled a random set of data and were able to map the locations of users across the world, raising concerns given that a number of countries “have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement.”

Gaining access to member data is one thing, but where the story takes a twist is that the same unauthenticated API access also lets a potential attacker overwrite the permissions on a user’s device, cutting the user off from the locking mechanism.
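As an added illustration that is not from the article, the vendor or Pen Test Partners, the following Python model shows the two flaws described above, an identifier-only record lookup and an unchecked permission overwrite, each beside a handler that requires a valid session and verifies ownership; all user records, codes and tokens are constructed sample values, and the login routine is a hypothetical stand-in for the real app.

```python
# Added example (not from the article or the vendor): a minimal model of the
# IDOR and permission-overwrite pattern, beside hardened handlers.
import hashlib
import hmac
import secrets

# Constructed sample data: the short "friend code" is the only lookup key.
# sha256 stands in for a proper slow password KDF in this illustration.
USERS = {
    "F001": {"name": "alice", "phone": "+1-555-0100",
             "pw_hash": hashlib.sha256(b"hunter2").hexdigest(),
             "can_unlock": {"F001"}},          # who may control the lock
    "F002": {"name": "bob", "phone": "+1-555-0101",
             "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
             "can_unlock": {"F002", "F001"}},
}
SESSIONS = {}  # bearer token -> friend code of the logged-in user


def login(code, password):
    """Hypothetical login: returns a random bearer token on success."""
    rec = USERS.get(code)
    given = hashlib.sha256(password.encode()).hexdigest()
    if rec is None or not hmac.compare_digest(rec["pw_hash"], given):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unlike a date-derived code
    SESSIONS[token] = code
    return token


def get_user_insecure(code):
    """The IDOR pattern: knowing the identifier alone yields the whole record."""
    return USERS.get(code)


def get_user_secure(token, code):
    """Hardened: caller must be authenticated and must own the record."""
    caller = SESSIONS.get(token)
    if caller is None or caller != code:
        return None  # a real API would answer 401 or 403 here
    rec = USERS[code]
    return {k: v for k, v in rec.items() if k != "pw_hash"}  # never leak secrets


def set_unlock_permissions(token, code, allowed):
    """Hardened: only the device owner may change who can unlock it."""
    caller = SESSIONS.get(token)
    if caller is None or caller != code:
        return False
    USERS[code]["can_unlock"] = set(allowed) | {code}  # owner always keeps access
    return True
```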

“Anyone could remotely lock all devices and prevent users from releasing themselves,” the researchers wrote, adding that in the event of this happening “removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas.”

Pen Test Partners tried to reach out to the company to address the vulnerabilities but with little success.

Images: Giui/Pen Test Partners
