How to hack a dildo?

Sex toy makers are increasingly connecting their products to the internet, but privacy is often an afterthought. One researcher showed that an alternative is possible.

Whistleblowing platforms, drug marketplaces, and secure messaging: uses for Tor are pretty varied. Now there’s another, albeit perhaps unexpected application for the tool, which anonymizes web traffic: controlling an electronic dildo.

Last week, a researcher managed to set up her dildo to receive commands through the Tor network, and on Sunday, Motherboard remotely caused the device to start vibrating. Novelty aside, the experiment shows that electronic or internet-connected sex toys can be created or modified with privacy in mind, as manufacturers continue to make devices that collect data and come riddled with security vulnerabilities. “I wanted to show that you can make communication between these devices private by default, end-to-end encrypted by default, and secure by default—and without a 3rd party server collecting the information about the people who use the product,” Sarah Jamie Lewis, the independent researcher behind the work she has dubbed “oniondildonics,” told Motherboard in a Twitter message.

Lewis’s approach uses Ricochet, a messaging program which creates a Tor hidden service for each user. Ricochet doesn’t just protect the content of users’ communications, but also obfuscates their metadata, making it harder for anyone snooping on the connection to see who is talking to whom. Lewis reverse-engineered her dildo, a Nova from Canadian company We-Vibe, so she could communicate with it over Bluetooth. When combined, these elements allow anyone who knows the dildo’s Ricochet address to send commands, such as “/max,” to make the device vibrate. Lewis has uploaded the code to GitHub so others can try the experiment.

Motherboard started a ‘chat’ session with Lewis’ vibe, and sent a series of simple commands. Lewis then sent a video of the dildo vibrating.

[Image: The commands Motherboard sent to Lewis’ dildo over Ricochet.]

Sex toy manufacturers are increasingly selling products that collect data on their users or that are somehow connected to the internet. In March, We-Vibe agreed to pay $3.75 million to settle a lawsuit with disgruntled customers. The sex toys uploaded usage data to a remote server, apparently without users’ knowledge. In April, Motherboard reported that researchers had found a way to hack a camera-enabled dildo.

With Lewis’ research, however, users will likely have a greater degree of privacy and anonymity if they decide to use the code themselves. In a tweet, Lewis said the only data that might be recorded is the commands being sent, and the hidden service address of the person sending them.

“While sextech is a pretty niche area right now, it seems obvious that as attitudes shift we will see more innovation in the space, and sadly the groundwork being laid down right now is repeating much of the mistakes that the general internet-of-things domain has made—security/privacy is an afterthought,” Lewis told Motherboard.