Cellmate: Male chastity gadget hack could lock users in

  • Published
CellmateImage source, Pen Test Partners
Image caption,
The Cellmate has been sold via several big-name online retailers as well as niche stores

A security flaw in a hi-tech chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously.

The internet-linked sheath has no manual override, so owners might have been faced with the prospect of having to use a grinder or bolt cutter to free themselves from its metal clamp.

The sex toy's app has been fixed by its Chinese developer after a team of UK security professionals flagged the bug.

They have also published a workaround.

This could be useful to anyone still using the old version of the app who finds themselves locked in as a result of an attacker making use of the revelation.

Any other attempt to cut through the device's plastic body poses a risk of harm.

Image source, Pen Test Partners
Image caption,
The workaround involves prising open the circuit board and pressing batteries against two of the wires to trigger a motor

Pen Test Partners (PTP) - the Buckingham-based cyber-security firm involved - has a reputation for bringing quirky discoveries to light, including problems with other sex toys in the past.

It says the latest discovery indicates that the makers of "smart" adult-themed products still have lessons to learn.

"The problem is that manufacturers of these other toys sometimes rush their products to market," commented Alex Lomas, a researcher at the firm.

"Most times the problem is a disclosure of sensitive personal data, but in this case, you can get physically locked in."

Lock and clamp

Qiui's Cellmate Chastity Cage is sold online for about $190 (£145) and is marketed as a way for owners to give a partner control over access to their body.

Pen Test Partners believe about 40,000 devices have been sold based on the number of IDs that have been granted by its Guangdong-based creator.

The cage wirelessly connects to a smartphone via a Bluetooth signal, which is used to trigger the device's lock-and-clamp mechanism.

But to achieve this, the software relies on sending commands to a computer server used by the manufacturer.

The security researchers said they discovered a way to fool the server into disclosing the registered name of each device owner, among other personal details, as well as the co-ordinates of every location from where the app had been used.

In addition, they said, they could reveal a unique code that had been assigned to each device.

Image source, Pen Test Partners
Image caption,
A sample of the co-ordinates revealed by Cellmate's servers showed the device has been used worldwide

These could be used to make the server ignore app requests to unlock any of the identified chastity toys, they added, leaving wearers locked in.

Mr Lomas' team flagged the issue to Qiui in May, after which it updated its app as well as the server-based application programming interface (API) involved.

But it still left an earlier version of the API online, meaning those who had not downloaded the latest version of the app theoretically remained at risk.

Pen Test Partners sent follow-up emails urging this to be addressed and involved the news site Techcrunch to help press for action.

Techcrunch said Qiui's chief executive subsequently told it he had tried to tackle the issue but added: "When we fix it, it creates more problems."

Five months on from first getting in touch, the UK security team decided to go public.

"Given the trivial nature of finding some of these issues and that Qiui is working on another internal device, we felt compelled to publish," Mr Lomas said.

Pen Test Partners acknowledged that in doing so, however, it made a real-world attack more likely.

The BBC has asked Qiui to comment.

Techcrunch reported there was no evidence that the hack had been exploited by anyone to cause harm.

But it noted that one online reviewer who appeared to have got locked in due to an unrelated bug posted that he had been left with "a bad scar that took nearly a month of recovery".