In the course of our Internet of Things (IoT) research SEC Consult is going to review the security of multiple smart sex toys. The current roadmap includes the following test devices:
- Vibratissimo Panty Buster
- MagicMotion Flamingo
- Realov Lydia
The results are the foundations for a Master thesis written by Werner Schober in cooperation with SEC Consult and the University of Applied Sciences St. Pölten. The first available results can be found in the following chapters of this blog post.
The sex toys of the “Vibratissimo” product line and their cloud platform, both manufactured and operated by the German company Amor Gummiwaren GmbH, were affected by severe security vulnerabilities. The information we present is not only relevant from a technological perspective, but also from a data protection and privacy perspective. The database containing all the customer data (explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc.) was basically readable for everyone on the internet. Moreover, an attacker was able to remotely pleasure individuals without their consent. This could be possible if an attacker is nearby a victim (within Bluetooth range), or even over the internet. Furthermore, the enumeration of explicit images of all users is possible because of predictable numbers and missing authorization checks.
Based on the official statistics from the Google Play Store and the Apple AppStore a six-digit number of users may be affected.
These are just some of the vulnerabilities from our technical security advisory. Keep on reading for the full story.
FROM IOT TO IOD
In recent years the Internet of Things received more and more attention. It promises to connect literally everything with anything: cars, buildings, home appliances, or even more exotic things like fridges, walkways or baby cams.
To most people this sounds quite futuristic, but it is definitely not the case. The future has caught up with us.
The Internet of Dildos can be seen as a sub-category of the Internet of Things. In general, every device, which is there to pleasure humanity, let them reach climax in a sexual way and is additionally connected to some kind of network or device can be classified as a IoD device. As this area got more and more attention in recent times, a whole new research area was formed. This area is called teledildonics, or alternatively cyberdildonics, which is a term from 1975 and even described on Wikipedia:
“Teledildonics (also known as “cyberdildonics”) is technology for remote sex (or, at least, remote mutual masturbation), where tactile sensations are communicated over a data link between the participants. The term can also refer to the integration of telepresence with sexual activity that these interfaces make possible — the term was coined in 1975 by Ted Nelson in his book Computer Lib / Dream Machines.“
As we can see, this field is not “new” in a common sense, as the idea behind already originated over 40 years ago. Back then it was just an idea. Now it is reality. To dig deep into teledildonics, the research project IoD – Internet of Dildos got created. In this project certain devices from various manufacturers are currently being reviewed based on their software and hardware.
VIBRATISSIMO “PANTY BUSTER”
The panty buster is a sex toy for, which as the name already suggests, busting your panties. It can be controlled remotely with mobile apps (Android, iOS) and is one product out of a huge “Vibratissimo” product line of sex toys with varying functionalities but the same mobile apps and backends. It is marketed and distributed by Vibratissimo, a brand by Amor Gummiwaren GmbH. The mobile apps, the backend and the hardware and corresponding firmware are developed by other companies.
The mobile apps used to control those devices are not just an ordinary remote. The apps offer multiple features for communication and socializing like search for other users, maintaining a friends list, a video chat, a message board and also a feature to create and share image galleries, where images can be stored and shared with friends in the Vibratissimo social network.
Vibratissimo Panty Buster product, Image source: vibratissimo.com
Vibratissimo Panty Buster product, Image source: vibratissimo.com
VULNERABILITIES
The following vulnerabilities, describe issues in the iOS/Android application and the corresponding backend as well as hardware related issues.
- Customer Database Credential Disclosure
- Exposed administrative interfaces on the internet
- Cleartext Storage of Passwords
- Unauthenticated Bluetooth LE Connections
- Insufficient Authentication Mechanism
- Insecure Direct Object Reference
- Missing Authentication in Remote Control
- Reflected Cross-Site Scripting
1) Customer Database Credential Disclosure
In the webroot of the host vibratissimo.com a .DS_STORE file was found. Those files are always a veritable goldmine of information. A .DS_STORE file is usually created in every directory that was accessed by the MacOS Finder application. Those files store metadata like the display options of folders, e.g. icon positions and view settings.
If those files are created on remote shares (e.g. a webroot) they can be used to get a directory listing and enumerate the contents of the webroot. The data in the .DS_STORE file is stored in a proprietary binary format, which is in detail described at the following link. Using the python package ds_store the .DS_STORE files was decoded and the following interesting folder was found:
/config/
Besides this config folder many other things like files/directories were found, which got immediately removed by the vendor after reporting those findings.
Inside of the config folder the directory listing was enabled and a file called config.php.inc with the following content was found:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;; Database configuration file ;;;Vibratissimo Server ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
db_host="localhost"
db_name="vibratissimo"
db_user="<redacted>"
db_pass="<redacted>"
An attacker would be now in possession of the username and password for the whole customer database. The next step shows that an attacker would be able to connect to the database using these credentials and read all the sensitive information about the customers including explicit content like images, sexual orientation and home addresses.
2) Exposed administrative interfaces on the internet
While the MySQL database is not exposed directly, we found a phpMyAdmin installation in a subdirectory which is used for database administration. A successful login with the credentials from the config file above was possible. The phpMyAdmin installation was accessible without any restrictions (no IP whitelisting, etc). An attacker would now have access to all customer data stored in the databases.
3) Cleartext Storage of Passwords
The user passwords were stored in cleartext in the database. If an attacker gained access to the database (e.g. via credential disclosure), he would be able to retrieve the plaintext passwords of users and abuse their privileges in the system. Lots of people still reuse their passwords which could also lead to potential hijacked accounts outside of the Vibratissimo environment.
An attacker would have been able to access the following types of data:
- Friend lists
- Friendships
- Full user information (real name, home address, passwords in cleartext, etc)
- Image galleries
- Exchanged messages (including timestamp and content)
4) Unauthenticated Bluetooth LE Connections
The analyzed sex toys are using the Bluetooth LE protocol to communicate with the mobile apps. They are using the “no pairing” method and are therefore vulnerable to injection attacks. An attacker can control those devices without any restrictions except being nearby / in range of an external antenna.
Bluetooth Security Basics
The Bluetooth transport security depends highly on two major things: the Bluetooth version in use and the key exchange aka the pairing method. The differences between the different Bluetooth versions can be found in the following table:
| Bluetooth LE 4.0, 4.1 | Bluetooth LE 4.2 | |
|---|---|---|
| Key Exchange | Key Agreement | ECDH |
| Encryption Method | AES-CCM | AES-CCM |
| Data Rate | 220 kBit/s | ~550kBit/s |
| Additional Security Features | 6LoWPAN (4.1) | LE Privacy 1.2LE Secure Connections
Elliptic-curve cryptography |
The Bluetooth SIG highly recommends to use Bluetooth LE 4.2 for obvious reasons. The “panty buster” product is currently using Bluetooth LE 4.0 (for compatibility reasons), although it would be capable of using Bluetooth 4.2 hardware wise. Besides the version in use, the second very important parameter is the key exchange. The key exchange is called pairing method. The different pairing methods are explained in the following paragraph.
Bluetooth Key Exchange aka “Pairing”
Passkey
The passkey pairing method is one of the most used methods. A key, which is set on the initiator side must be entered on the device, which should be paired. This method can be very insecure, because a lot of devices use the default passkey 0000 or 1234.
Pin-comparison
This method is used, when there is no input available (e.g. Pairing a device, without any buttons/keyboards). A 6-digit pin is presented at the initiator of the connection and the device itself. If the pins match on both devices a connection gets established.
Out-of-Band Pairing
Out of band pairing can be used by devices, which support for example NFC, where the NFC protocol is used to exchange the temporary key (TK).
Just Works
As the name already suggests it just works, unfortunately simplicity often leads to insecurities. In this case the TK is set to 0x00. This allows an attacker to decrypt the whole communication and even replay packets.
No Pairing
The last method is to use no pairing at all. This is the method Vibratissimo is currently using.
The pairing method depends on the following parameters:
- Display values
- Display with binary input (yes/no)
- Keyboard
- No input/output
- Keyboard/Display available
It’s quite obvious that some pairing methods can’t be used with sex toys. The reason for that is that there is no screen, keyboard or any input at all. One of the secure ways would be to use OOB pairing, or implement some kind of pairing button as it is used for other sex toys. No pairing is definitely not a good option, because the devices can be controlled basically by everyone within Bluetooth range.
The Swinger Club Problem
During one of the multiple calls with CERT-Bund, the manufacturer, the software developers and the hardware developers an interesting discussion arose. The hardware manufacturer stated, that they are aware of the problem that there is no authentication (aka “No Pairing”) in place and moreover that this is a desired property of the sex toy. The reason for this is, that there is a user group who wants to be controlled by random individuals without asking beforehand: Swingers. According to the vendor, visitors of swinger clubs like to have this feature.
We think that this user group, which is aware of that feature would be rather small and the bigger part of the users may not be aware of the fact that anyone could turn on their sex toys remotely. This fact is also confirmed by multiple other vulnerabilities of the exact same nature from other manufactures:
- Lovense Hush
- https://internetofdon.gs/reports/
- Kiiroo Fleshlight, Lelo, Lovense Nora & Max
- Lovense
As a hotfix the hardware manufacturer already implemented a more secure pairing method in a new firmware version. The user has to send the device to Amor Gummiwaren GmbH to get the firmware updated as there are no ways to perform this remotely. Password protected pairing is already included in new devices but not enabled per default. From an IT Security point-of-view this feature should be an opt-out feature and not an opt-in feature.
Bluetooth Protocol Reversing
To demonstrate the underlying issue, a Bluetooth LE sniffer was used to sniff the data packets exchanged between the sex toy and the mobile application. The hardware used was a Bluefruit LE sniffer and the tool used to sniff was the NordicRF Sniffer application. The piece of software is very useful when it comes to Bluetooth LE protocol reversing, as it already ships with the proper Wireshark plugins to analyze the captured traffic. The following figure shows the NordicRF Sniffer with the Vibratissimo Panty Buster set as target (“sectest”).
NordicRF Sniffer output
By pressing “w” in the console window, Wireshark is launched automatically with the plugins needed and the sniffed packets are displayed in the Wireshark window. To generate useful traffic the Bluefruit LE sniffer was placed between the panty buster and a smartphone, which was used to control the sex toy, and various vibration patterns were sent to the device.
Test setup
After sending various vibration commands to the device, a pattern was found. The following two handles were used to control the device:
Handle 0x001f → 0x03 (Init packet) handle 0x0025 → 0x00 – 0xff (Vibration intensity)
Wireshark output vibration intensity
In the following figure the sex toy was set to a vibration intensity of 0x88/0xFF.
Wireshark output vibration intensity
This behavior can now be scripted with various tools (e.g. bluepy, gatttool, etc.) to control every single Vibratissimo device in range without prior authentication. For example, the following gatttool commands can be used to set the vibration intensity of an arbitrary device within range to 100%:
gatttool -t random -b CF:DF:7A:FF:FF:FF -Ichar-write-req 0x001f 03char-write-req 0x0025 ff
To automate the process, a python proof-of-concept was developed. The python script scans for Bluetooth LE devices nearby and tries to query a certain service containing the name of the Manufacturer. If the services return a proper string (“Amor AG”), the command to set the vibration intensity to 100% is sent to the identified device. The term “Dildo Wardriving” could be used for this attack.
Dildo Wardriving
5) Insufficient Authentication Mechanism
While assessing the mobile applications various other issues were identified, which are not as critical compared to the other issues. This includes a reflected cross-site scripting issue and multiple problems within the authentication of the mobile apps to the backend. To find out more about those vulnerabilities please take a look at our technical advisory.
6) Insecure Direct Object Reference
Due to flaws in the authorization, an insecure direct object reference vulnerability allows an attacker to get access to restricted resources. If a regular user of the mobile applications uploads a picture to the backend, the file gets renamed. The new filename is a global counter, which gets incremented by 1 every time a new picture is being uploaded. Pictures can be uploaded by setting a profile picture or if a gallery is created within the app. The images are stored at the following path of the webserver /userPictures/$ID.png.
Users can choose to set their Vibratissimo profile to hidden (see the following figure, “Versteckt” is German for hidden). This should prevent anyone from viewing it. However, the images of the user can still be viewed using this vulnerability.
The vendor stated that this behavior is intended. Based on the explicit content available to an attacker we felt obliged to further discuss this issue with the vendor and CERT-Bund. As most of the users are not aware of the fact that everyone on the internet is able to see those pictures, the vendor concluded that it will be fixed in the future.
Vibratissimo app user profile “hidden”, Profile settings – pictures will be hidden (“Versteckt”) to other users within the app
7) Missing Authentication in Remote Control
The mobile apps allow their users to use a feature called “Quick Control”. As can be seen in the next two figures, this feature allows users to send a link with a unique ID to a friend via email or via SMS. This friend will then be able to control the sex toy remotely.
Vibratissimo app: Quick control (“Schnellsteuerung”)
Vibratissimo app: SMS/email address input for confirmation
This wouldn’t be a problem in general if the link containing the unique ID would be random and long enough. Apart from that, it would be quite useful if the receiving user has to confirm the remote control before being controlled by the other user. This is currently not the case. The IDs are again a global counter, which just gets incremented by one every time a new quick control link is created. The attacker could simply guess this predictable ID in order to control the victim directly. There is a confirmation dialog in place, which is not activated per default. In the following scenario (see figures below) a quick control link was created on the device in the middle. A created link looks as follows:
https://vibratissimo.com/quickControl.php?id=11359
The user with the device on the left side just created a new quick control link for himself and decremented his own ID (e.g. 11362) a few times to get the remote control ID of the victim. Without confirmation, an attacker can directly activate the device of the victim.
Attacker remotely controls the victim
The following video shows how it is easily possible to remotely control other devices:
8) Reflected Cross-Site Scripting
While assessing the mobile applications various other issues were identified, which are not as critical compared to the other issues. This includes a reflected cross-site scripting issue and multiple problems within the authentication of the mobile apps to the backend. To find out more about those vulnerabilities please take a look at our technical advisory.
VULNERABLE/AFFECTED DEVICES
Vibratissimo immediately removed the configuration file containing the database credentials. Furthermore, the access to the phpMyAdmin admin interface got restricted. The passwords in the database are now hashed with an algorithm, which is state of the art. The following vulnerabilities are not fixed yet, but are on the roadmap and will be fixed within a timeframe of one month (end of March) according to the vendor:
- Insufficient Authentication Mechanism (Issue 5)
- Insecure direct object reference (Issue 6)
- Missing Authentication in Remote Control (Issue 7)
- Reflected Cross-Site Scripting (Issue 8)
The unauthenticated Bluetooth connection is present in all devices with a firmware lower 2.0.2. From 2.0.2 a user can set a password, which has to be entered before a sex toy can be controlled via the app over Bluetooth. If a device has a firmware version lower than 2.0.2, the device can be sent to Amor Gummiwaren GmbH, where the firmware will be updated.
VENDOR COMMUNICATION & FINAL WORDS
Because of the nature of the vulnerabilities, SEC Consult decided to contact CERT-Bund (part of German Federal Office for Information Security) to help coordinate the disclosure process for the German vendor. After transmitting the most critical issues to CERT-Bund via a PGP encrypted email, we got an immediate response the day after and another email about two hours later, informing us that the most critical issues were already resolved by the vendor. The coordination work done by CERT-Bund was very professional and we want to thank everyone involved.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
