Now THAT'S what I call penetration testing.
August 15, 2019 9:57 PM
When most people think of the Internet of Things (IoT), they think about light switches, voice controllers, and doorbell cameras. But over the past several years, another class of devices has also gained connectivity—those used for sexual pleasure. One such device, the Lovense Hush, advertised as the “world’s first teledildonic buttplug,” became the subject of a Sunday morning DEF CON talk this year after a hacker named “smea” managed to exploit not only the device and its associated computer dongle, but software used with it for social interaction (read: people remotely playing with each other’s buttplugs).
If you know me (and you don’t; why should you?), you know “teledildonic” is not something I would ever have reason to say, and nevertheless, whenever I see it in print, all I want to do is say “teledildonic” over and over again.
Teledildonic. It just bounces off the tongue.
posted by notyou at 10:10 PM on August 15, 2019 [5 favorites]
Hippybear, your experience of metafilter is markedly different from mine.
posted by justsomebodythatyouusedtoknow at 11:15 PM on August 15, 2019 [24 favorites]
In the not too distant future it will be discovered that the latest mobile game fad is really the control panel of a highly sophisticated totally immersive teledildonics rig that provides realtime feedback to drive the game. All Ender's Game like. You'll be sitting on the bus trying to beat the next boss while halfway around the world somebody's squirming and moaning.
posted by zengargoyle at 11:36 PM on August 15, 2019 [8 favorites]
As co-founder of a pentesting company, I can say we had a good laugh about it in the team when we heard about it. But make no mistake - all the laughs are basically a bit Beavis-and-Butthead "it's a sex toy" jokes, since the security, or lack thereof, is no different than just about all other internet-of-targets devices out there.
(or, as we sometimes say, the "S" in the "IoT" abbreviation stands for "Security")
posted by DreamerFi at 12:05 AM on August 16, 2019 [22 favorites]
Next time I'm having sex I'm totally gonna scream "exploit my butthole"
posted by nikaspark at 12:45 AM on August 16, 2019 [6 favorites]
Add a pressure sensor and you have a discreet Morse code communication device.
posted by acb at 2:25 AM on August 16, 2019 [8 favorites]
Next time I'm having sex I'm totally gonna scream "exploit my butthole"
“Yeah, baby, root that back end layer! Show me who’s administrator!”
posted by dephlogisticated at 2:37 AM on August 16, 2019 [12 favorites]
Add a pressure sensor and you have a discreet Morse code communication device.
Consent can be a pretty tricky topic when you have to send your safeword in Morse with your sphincter.
posted by automatronic at 3:35 AM on August 16, 2019 [2 favorites]
Consent can be a pretty tricky topic when you have to send your safeword in Morse with your sphincter.
Particularly if your safeword is "pareidolia".
posted by JohnFromGR at 4:27 AM on August 16, 2019 [4 favorites]
Sounds like a new Chuck Tingle story:
Hacked in the butt by a penetration tester
posted by cheshyre at 4:49 AM on August 16, 2019 [14 favorites]
butts lol
posted by Melismata at 4:57 AM on August 16, 2019 [5 favorites]
This article is right up my alley.
posted by mfu at 5:00 AM on August 16, 2019 [3 favorites]
It is literally part of my job, as tech safety coordinator at a domestic violence agency, to keep my coworkers and our clients informed about the latest ways people are hacking the IoT to abuse victims. This is gonna make next week’s staff meeting a whole lot more interesting.
And it’s gonna go over really well the next time I give a tech safety talk to the clients staying in our shelter. I think maybe I’ll skip the demo on this one.
posted by MexicanYenta at 5:02 AM on August 16, 2019 [9 favorites]
New buttplug, who dis?
posted by under_petticoat_rule at 6:24 AM on August 16, 2019 [23 favorites]
IoT developers have all these newer technologies, like JavaScript-based applications, working together with these super-low level microcontrollers. They don’t necessarily understand the implications of, for example, dumping raw input from the dongle to HTML. So that actually is the way I’m able to get inside the [buttplug] app, due to this weird interface between super-old technology and newer web technology.
This cannot be overstated. I'm currently working on IoT-ing a device that can potentially have life-or-death consequences for animals, so security and unhackability is my number one concern. The cheap bits of hardware that are available to instantly make your device web-enabled are mind-bogglingly insecure. The only - only - way to make them secure is to not expose them at all, use a private network for communication and then proxy that through an app that has a failsafe mechanism to completely disconnect from the internet if and when any shenanigans are detected.
posted by grumpybear69 at 6:33 AM on August 16, 2019 [9 favorites]
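The failure mode quoted in the comment above (raw dongle input dumped into HTML), shown beside a hardened form. This is an added example, not code from the talk, the vendor's app, or anyone in this thread; the `name=...;battery=...` line format and all function names are hypothetical.

```javascript
// Added example. The line format and field names below are assumptions made
// for illustration; they are not the real dongle protocol.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for insertion into HTML element content or quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the pattern the quote describes. Bytes from the dongle go straight
// into markup, so whatever can influence the dongle's output controls the page.
function renderStatusUnsafe(line) {
  return `<li class="status">${line}</li>`;
}

// Strict parser for a hypothetical "name=<text>;battery=<0-100>" status line.
// Anything that does not match the expected shape is rejected, not displayed.
function parseStatus(line) {
  if (typeof line !== "string" || line.length > 64) return null;
  const m = /^name=([^;]{1,32});battery=(\d{1,3})$/.exec(line);
  if (!m) return null;
  const battery = Number(m[2]);
  if (battery > 100) return null;
  return { name: m[1], battery };
}

// After: parse first, then escape every device-supplied string on output.
function renderStatusSafe(line) {
  const status = parseStatus(line);
  if (status === null) return '<li class="status error">unrecognised device message</li>';
  return `<li class="status">${escapeHtml(status.name)} (${status.battery}%)</li>`;
}

// Constructed sample inputs: one well-formed, one carrying markup in a field.
const SAMPLES = ["name=toy-01;battery=87", "name=<img src=x onerror=alert(1)>;battery=87"];

for (const s of SAMPLES) {
  console.log("unsafe:", renderStatusUnsafe(s));
  console.log("safe:  ", renderStatusSafe(s));
}
```

In a real DOM, assigning the parsed fields through `textContent` rather than building an HTML string gives the same protection without a hand-written escaper.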
The major tele-dildonics patent expired last year, so we should be getting a rush of new toys in the coming years full of innovation.
posted by Manic Pixie Hollow at 6:33 AM on August 16, 2019 [5 favorites]
Show me who’s administrator!
I've come here from the future to tell you to stop.
posted by mhoye at 6:56 AM on August 16, 2019 [10 favorites]
Okay, fine, I'll do it early to get it out of the way.
I was expecting the other MeFi staple:
"Christ, what an asshole."
posted by radwolf76 at 7:54 AM on August 16, 2019 [12 favorites]
Next time I'm having sex I'm totally gonna scream "exploit my butthole"
“Yeah, baby, root that back end layer! Show me who’s administrator!”
"Ooh, yeah, sudomize me!"
I'll just see myself out then
posted by solotoro at 7:56 AM on August 16, 2019 [17 favorites]
The only - only - way to make them secure is to not expose them at all, use a private network for communication and then proxy that through an app that has a failsafe mechanism to completely disconnect from the internet if and when any shenanigans are detected.
Which, lbr— if you have put together a home automation system from pieces, this is not conceptually challenging. It’s one more computer, one more software package, one or two more steps for a few of the less common user tasks. And then it’s more secure than your email.
The only reason that’s not the standard, imo, is misaligned incentives— the folks selling cheap add-on boards can’t afford to provide software support, and the folks who can write user-friendly software have no interest in selling affordable commodity hardware. When it comes to consumer tech, security is nobody’s business. (Maybe Apple, on a good day.)
posted by emmalemma at 8:10 AM on August 16, 2019 [1 favorite]
Apple though has heavy buy in to planned obsolescence. I don't want the dimmer range of my lights being reduced by 50% just because they've brought out light dimmer X.
posted by Mitheral at 8:21 AM on August 16, 2019 [1 favorite]
I pretty much assume that anyone using a networked device of this nature is in fact reckoning with this as a feature, not a bug. Right? Why would you hook that kind of thing up to the Internet if you weren't secretly hoping some stranger would do unspeakable things with it?
posted by praemunire at 10:23 AM on August 16, 2019 [2 favorites]
"I downloaded the .exe file from the internet and just ran it. So from there, yes, I can actually compromise other applications on the device, do actual ransomware, encrypt all the files and stuff like that. [The app] is running what we call for Windows a medium level of privilege. And that’s actually really strong. It basically allows you to access every file on the system."
So, ah, that looks... not good.
"gaining access to the sex toy might allow you to bypass some safety features and that could cause physical harm, assuming those safety features were implemented in software. "
That also looks very not good. I mean, I don't think buttplugs in particular have much in the way of harm options (or at least, not harm based on the remote control options), and what they do have, don't tend to have software-based safety features that can be overridden, but plenty of medical devices that may have similar software arrangements, do need safety features.
posted by ErisLordFreedom at 11:03 AM on August 16, 2019 [3 favorites]
I wonder if this device supports the finger protocol.
posted by foonly at 11:41 AM on August 16, 2019 [6 favorites]
Next time I'm having sex I'm totally gonna scream "exploit my butthole"
Next time?
posted by bongo_x at 1:14 AM on August 17, 2019 [1 favorite]
posted by kirkaracha at 10:02 PM on August 15, 2019 [9 favorites]