Is your vibrator spying on you?

There are many things you have that you might think can be used to spy on you, from the credit cards in your wallet to the web browser you are using to read this. They are all keeping track of you in subtle but meaningful ways. It is frightening what you can learn about a person from the most trivial of information.

This week a pair of hackers speaking at the DefCon conference in Las Vegas showed off just how much information the ‘WeVibe 4 Plus’ keeps and, more importantly, sends back to the company while you are using it. It turns out the most personal moments of up to 2 million people are being logged in a database somewhere.

How can this be?

How can it be that this little device is able to keep this information about you and, more importantly, send it back to its home base? The answer lies in the Internet of Things.

There is a growing segment of devices, from light switches to cars, that are connected to the Internet, either directly or via something like your smartphone. Sometimes, as in the case of the WeVibe, it isn’t immediately obvious that the device is connected to the Internet at all. You download the app onto your phone, connect the vibe to your phone over Bluetooth, and away you go.

From there you can control your vibe from your phone and make it do all sorts of things. Everyone has a phone, and being able to control your vibe from it just makes sense.

At first glance there is no reason for the app to use the Internet. But what the hackers found was that not only did the app contact its parent company, it did so every time you changed a setting on your vibe.

The implications

Consider for a moment just how intrusive that information is. Logged in a database is information such as:

  • How often you play with the vibe
  • What settings you use
  • How long you play for

It turns out the device even records its own temperature. Even though this is used for diagnostic purposes, it could also be used to infer all manner of health information about you.

Combine that with the other information they could gather about you from the phone itself, like who you are and where you live, and quickly and silently they have gathered some of the most personal information about someone. Information not even your doctor could ask for.

It doesn’t stop there

It turns out there was a lot more the hackers could do. Because the device communicates over Bluetooth, an open standard, they were able to easily take control of the vibe and make it obey their own commands.

In itself that shouldn’t be a problem, but it shows just how open and vulnerable some of these devices are.

Response

In a statement given to fusion.net, Frank Ferrari (President of Standard Innovation Corporation) said:

“The safety and security of our customers is of utmost importance. We ensure that all data transmissions are encrypted in transit and protected on secure servers. We conduct regular security audits and address security issues as they are discovered to comply with current best practices and security standards.”

I have installed the app myself, and while it is a very pretty app, it isn’t immediately obvious that it collects any information about you. I eventually found the privacy policy in the “About” section of the app.

It turns out it is actually the privacy policy from their website. It makes no mention of the data their devices collect or what they will do with it. They do say they won’t share that information with third parties, but as this is the website privacy policy it isn’t really relevant.

There is one very interesting paragraph which reads:

“We reserve the right to disclose your personally identifiable information if required by law.”

Which of course they must do, but I’m not sure anyone really thought about just how personal that information might be. With all this information kept digitally, it would be possible for law enforcement to find out not only when you bought your vibrator, how much you paid and the card you used, but also when you play with it and how often.

Fully exposed

With more and more devices connected to the Internet it becomes easier and easier for companies to collect personal information on you. Sometimes it is going to be accidental (they are collecting it just because they can). Other times it is going to be more malicious.

The problem is not just that they can use it, but that someone can hack into their system and steal it. Even the best protected institutions suffer attacks all the time; a sex toy company will be no different.

How could this information be used in places that don’t like you owning sex toys? Some states in the USA even ban the use of sex toys, and this device is leaving a trail of evidence that could easily be used to prosecute you.

What can be done

The hackers who discovered this have set up an initiative called “Private Play Accord” with the aim of making companies that use this type of technology more transparent about the information they keep.

A simple start would be giving the user the choice not to send that information back to the company at all, and, where it is needed to diagnose a problem, giving the user the ability to turn it on and off.
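As an added illustration, not the vendor’s code, here is the report-everything behaviour the article describes beside a data-minimising version that implements the opt-in suggested above: nothing leaves the phone unless the user turns diagnostics on, and even then only the device-health field, with identity, timing and usage stripped. The field names and the `DiagnosticsPolicy` type are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed event shape; the real app's message format is not public here.
@dataclass
class SettingChange:
    device_id: str      # stable identifier tying events to one owner
    timestamp: int      # epoch seconds: when the change happened
    mode: str           # vibration pattern selected
    intensity: int      # 0..10
    temperature_c: float

@dataclass
class DiagnosticsPolicy:
    # Default is off: the user must explicitly opt in to any reporting.
    send_diagnostics: bool = False

# Fields a diagnostic report is allowed to carry; anything else is rejected.
DIAGNOSTIC_ALLOWLIST = frozenset({"temperature_c"})

def build_report_always(event: SettingChange) -> dict:
    """The behaviour described in the article: every setting change is
    reported, complete with identity, timing and usage details."""
    return {
        "device_id": event.device_id,
        "timestamp": event.timestamp,
        "mode": event.mode,
        "intensity": event.intensity,
        "temperature_c": event.temperature_c,
    }

def build_report_minimised(event: SettingChange,
                           policy: DiagnosticsPolicy) -> Optional[dict]:
    """Hardened variant: returns None (send nothing) unless the user opted in,
    and otherwise only the rounded temperature needed for diagnostics."""
    if not policy.send_diagnostics:
        return None
    report = {"temperature_c": round(event.temperature_c)}
    # Defensive check: fail loudly if a future edit leaks a non-diagnostic field.
    leaked = set(report) - DIAGNOSTIC_ALLOWLIST
    if leaked:
        raise ValueError(f"non-diagnostic fields in report: {sorted(leaked)}")
    return report
```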