“As more and more devices are coming to the market, the threats only grow.”

As the number of interactive sex toys with internet connectivity grows, so does the danger of data theft or data abuse. Perfect security is obviously an illusion, but there are steps that producers and users can take to protect themselves against hacker attacks. With that in mind, a hacker and security expert using the nom de guerre RenderMan launched a new project last year, named internetofdon.gs. Since then, many producers have employed the services of RenderMan to eliminate weak spots in their products. In our EAN interview, we look back at the milestones of internetofdon.gs throughout its first few months, and we discuss how companies can better protect their products.

Your internetofdon.gs project has been up and running for a couple of months by now. How happy are you with the outcome so far?
RenderMan: It’s been running for just over 18 months now, at least since I started laying the groundwork for the project, but only about 10 months since I really started building the project and doing formal research. Many things have surprised me along the way, one of which was how quickly everything has been happening and how well it’s worked out so far. I expected things to take years before I got any major traction in the industry, but it only took a few months before I had caused significant positive change in the industry. So far, the outcome is better than I could possibly have imagined.

Could you recap your project and your work for those of our readers who may not be familiar with what you do?
I’m a hacker and security researcher who became interested in testing the security of connected sex toys and related products. These devices are a branch of the “Internet of Things” (the movement to connect everything to the Internet) and one where security and privacy should be of the utmost importance. However, due to societal stigmas, it had never been studied in any thorough or serious (i.e. non-juvenile) way. I created the “Internet of Dongs” project to house my work initially, but it very quickly grew into a project to not only document vulnerabilities and issues found by myself and others. It has also become a sort of security advocacy and oversight group for the adult toy industry. We’ve been building relationships with vendors, helping them to realise that security and privacy is a complex and very important part of the industry and to help them better protect their customers.

“I created the “Internet of Dongs” project to house my work initially, but it very quickly grew into a project to not only document vulnerabilities and issues found by myself and others.”

Without naming any names, what were the biggest issues you discovered in the past months?
In the past month, the largest was finding the secret keys to access, edit and completely take over a vendor’s mail list service. These keys could allow someone to view subscribers’ names and emails, add or remove subscribers, or send out mail ads as the vendor with misleading or offensive content. They were left where anyone who bothered to look would find them.

What would you say is the most common problem when it comes to privacy, security, and teledildonics?
Most of the vendors I’ve run across have no idea how to do very basic Internet security things like SSL/TLS. This is the encryption behind the “https://” sites and what prevents someone eavesdropping on the traffic between the user and the vendor’s server. Most have very poor implementations (if they use it at all!!) that do next to nothing to protect the data and make professionals like me cringe. Almost all the fixes are just configuration changes and there is tons of information and tools out there to assist. Once these issues have been pointed out and the risk explained, all of the vendors reacted very quickly to fix the issues raised. It was simply an issue of not understanding that doing SSL/TLS is not just a matter of getting a certificate. There’s more to it than that.
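The point above, that a certificate alone does not make a TLS deployment sound, can be turned into a self-check a vendor runs against its own server. The script below is an added example, not code from the interview or the Internet of Dongs project; the baseline it enforces (TLS 1.2 or newer, no legacy cipher families, certificate not about to expire) and the sample facts are constructed assumptions.

```python
import ssl
import socket
from datetime import datetime, timezone

# Assumed baseline; a small vendor can meet it with configuration changes alone.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5")

def collect_facts(host, port=443, timeout=5):
    """Connect the way a browser does (default context verifies the chain and
    hostname, and refuses anything older than TLS 1.2) and record the result."""
    facts = {"host": host, "verified": False, "protocol": None,
             "cipher": None, "not_after": None, "error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                facts["verified"] = True
                facts["protocol"] = tls.version()
                facts["cipher"] = tls.cipher()[0]
                cert = tls.getpeercert()
                facts["not_after"] = ssl.cert_time_to_seconds(cert["notAfter"])
    except (ssl.SSLError, OSError) as exc:
        facts["error"] = str(exc)   # bad chain, hostname mismatch, legacy-only server
    return facts

def evaluate(facts, now=None):
    """Map the collected facts to findings; each one is a server config fix."""
    now = now if now is not None else datetime.now(timezone.utc).timestamp()
    findings = []
    if not facts["verified"]:
        findings.append("certificate chain or hostname did not verify: %s" % facts["error"])
        return findings
    if facts["protocol"] not in ACCEPTED_PROTOCOLS:
        findings.append("legacy protocol negotiated: %s" % facts["protocol"])
    if any(marker in facts["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher suite: %s" % facts["cipher"])
    days_left = (facts["not_after"] - now) / 86400
    if days_left < 14:
        findings.append("certificate expires in %.0f days" % days_left)
    return findings

# Constructed sample: the kind of result a neglected vendor server produces.
SAMPLE_WEAK_FACTS = {"host": "shop.example", "verified": True, "protocol": "TLSv1.1",
                     "cipher": "DES-CBC3-SHA", "not_after": 1_700_000_000 + 3 * 86400,
                     "error": None}

if __name__ == "__main__":
    import sys
    facts = collect_facts(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK_FACTS
    for finding in evaluate(facts, now=None if len(sys.argv) > 1 else 1_700_000_000):
        print("FINDING:", finding)
```

Run with a hostname argument to audit a live server you operate; without one it evaluates the constructed sample.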

You were able to get some manufacturers to work together with you. What can you tell us about those collaborations? Are you happy with the feedback you’ve received?
The vendors have been incredible. Every one of them (once they understood I wasn’t crazy and was a serious professional) took the news well, and their next question was “What do we need to do to make this right?”, which is the best thing you can say. They fixed the issues quickly and were more than happy to take my advice.

Several of the vendors came to me together, expressing an interest in taking the message of security and privacy to the entire adult industry. Throw down the gauntlet, so to speak, and get all other aspects of the industry thinking about security and privacy. Like it or not, most of them are now software companies and there are certain things that come along with that.

The vendors have also expressed an interest in creating some sort of publicly posted baseline security standards that they then voluntarily adhere to and transparently report on their “compliance”. Other industries have adopted similar self-regulation with success and there’s no reason the model won’t work here. Problem is, they are all looking to me for security standards and doing some sort of oversight which is way more work than I expected. It’s worth it so I’m trying to pull something together in my limited free time, hopefully something by the end of the year.

“Like it or not, most of them are now software companies and there are certain things that come along with that.”

Is the industry becoming more aware of the importance of cyber security in teledildonics?
The We-Vibe lawsuit was the opening shot that the public heard that made many of them aware that such devices existed and that they were potentially vulnerable (even though the issue was one of privacy policy rather than a technical hack). As more and more devices are coming to the market, the threats only grow.

While awareness is growing, it’s very difficult to reach some vendors to set up relationships and report vulnerabilities. Not everyone in the industry or in the public is aware, and if they are interested, it’s difficult to find people willing to work with this industry. I’m hoping that having an industry-adopted standard will help provide resources for other established vendors and those new to the market.

What can the teledildonics industry learn from other industries and vice versa?
I’ve noticed that the teledildonics industry is where the high-tech industry was about 12-15 years ago. To put out an internet connected product nowadays requires that you do at least a certain level of security and privacy or else you’ll get eaten alive. Most of the problems have been solved, the answers are out there. It’s just a matter of providing the needed resources and connections between these worlds.

Interestingly, I’ve noticed that the vendors fall into two categories. The first is established vendors who previously designed and manufactured the classic “manually operated models” and then added connectivity. The other group is technology companies that expanded into the wearables market (most often Kegel exercisers). The former were blissfully unaware of the risks and, until me, never had any contact with the infosec community, so there was no one to warn them. The latter often have a much better approach where security is built in earlier in the design process, and it shows in the results by not having the same types of issues. They are not without issues, but theirs are different and usually much more technical.

“I’ve noticed that the teledildonics industry is where the high-tech industry was about 12-15 years ago.”

More and more IoT and IoD devices are expected to come to the market in the future. For the average consumer, it’s hard to determine if a product is secure. What is your advice to the users who want to protect their privacy?
The first and obviously self-serving answer is: are they working with the IoD project and listed on our partner page? (https://internetofdon.gs/sponsors/#partnervendors)
The industry group will help with this by having a verifiable standard that the public can review. Until then, I suggest doing your research. Has the company got a vulnerability disclosure page somewhere on their site that encourages reporting vulnerabilities and has a way to contact them? Are they willing to answer questions about security? Do they acknowledge that issues could exist? Do they have an easy-to-read, plain English version of their privacy policy that makes sure you know what they are collecting and what they are doing with it? These and many other pieces of advice and questions are available at https://internetofdon.gs/consumer-resources.

What are your plans for the future of internetofdon.gs? How could the erotic industry help to make its products future-proof and secure?
I’ve got no idea what the future holds and I kind of like that. When new devices come out, I’d like to have enough name recognition and respect that new vendors approach us with questions and seeking advice before things are sent out for production. We’re hoping to get some security consulting companies onboard with us to where they have an understanding of the teledildonics industry and its unique requirements and be recommended by us to do audits and proper testing and verification.

Eventually we’d like the industry to be self-regulating and take care of itself with minimal oversight and there seems to be the desire from the public and the industry to do better. All they need is to be guided in the right direction. This may be new territory for them, but not for others, so why not help them learn from others’ mistakes before they make their own?