Hi, I'm Cecilia and I'm Denise and today we are going to talk about sex toys, smart sex toys. Well, insecure smart sex toys. There has been previous research on this subject and you can find it online, but many devices that are still on the market have a lot of vulnerabilities and privacy issues. So in our research we try to find these problems and today we are going to share with you our results. Exactly, but first let's do a quick recap on the history of these devices. They have actually been with us for a very long time, actually more than a century. The first sex toys were used as medical appliances back in the 1900s. They were used to cure different types of pathologies, including some psychological ones. Then throughout the 1920s, 30s, 40s, 50s, even to the late 60s, new devices, new models, new shapes started to appear in the market and they were this time advertised towards the home users that could buy these products, take them home and use them whenever they wanted. Imagine powering one of these via the electric power grid, right? Well, let's talk about physical security back in the 20s with one of those. Then by the 70s the emergence of new feminist movements alongside the boom of the porn industry propelled those devices and new forms, shapes and materials started to be used. But by the 2000s, this thing starts to get interesting for us because new devices that could be controlled remotely via infrared connectivity started to appear and by the 2010s, there were several devices that could be controlled locally via Bluetooth with an application on your own smartphone. Yeah, with the arrival of IoT and new technologies, many manufacturers decided to integrate these toys with mobile apps and internet connections.
So nowadays in 2020, we have toys that have a lot of characteristics and that can be used remotely, like control the toy remotely through the mobile app or even a web browser and change the vibrating patterns or even synchronize the device with a video call, an audio book, a playlist or even have Alexa support or other assistant support to control them on voice commands. So all of these functionalities are very interesting and also open the door to many vulnerabilities. Exactly, and they open the door to new models that can connect between each other and also we are now starting to see a trend towards smart sex robots that have a lot of different capabilities that can be connected to the internet. They have certain artificial intelligence apps that can be installed on the device and these apps of course have a lot of vulnerabilities that we can somehow access to try to bypass. So we actually contacted a few of these vendors to ask them about the characteristics of these smart sex robots and we found out that they are following several bad practices when it comes to security. So the way these smart sex robots work is that they actually have a smartphone that functions on their head basically like a brain and that connects to the rest of the sensors of the body. So that phone can be actually very vulnerable and the updates are actually delivered through emails. So the user has to install the APKs themselves. Talk about security when it comes to these types of devices. Well, apart from the devices if we think about the sex industry and the adult entertainment industry these industries have already been targets of several cyber attacks and the first attack that comes to my mind is the Ashley Madison social network which a couple of years before was a target of an attack and the details, the information of more than 30 million users was exposed online.
So a lot of cheaters were revealed and many people had a lot of problems in their relationships and we can also think about Tinder, this dating app that has already been found in many vulnerabilities and also we have to think about the many scams that are based on fake apps or fake lab promises or even sextortion based on stolen information. So if to these attacks to the sex industry we add the fact that IoT devices are being compromised by attackers to perform different types of attacks, well that's a problem. We can think for example about the Mirai network or about a case where attackers got control of a thermometer in a casino's fish tank and then from there could jump to the casino's network. So if we sum up the industry of sex that has been a target of cyber attacks with the many IoT devices that we have today in the market and are already being used by attackers well the combination is a little bit scary. So what can go wrong with these toys? Well first of all an attacker can put a backdoor or malware inside of one of these toys but also these devices are permanently advertising themselves so they are permanently sending information of their presence there. So it's pretty easy to find if a toy is present in a hotel room or if someone is carrying one with him. So this can lead to several issues like information disclosure, information very sensitive for example as sexual orientation, sexual partners or sexual practices and this can be some problem in many countries that have laws against some sexual practices. But also we don't think about an attacker that gets control of one of these devices while a user is playing with it. So imagine a person has a toy, is playing at home but then an attacker gets control of that toy and it's the one that is really sending the commands to the toy. Would that be sexual assault? What happens there? These are things that we have to start considering with smart sex toys.
So at the start of our research we had to choose the devices that we were going to use for our research, basically the models that we were going to buy. And voila, there were so many different vendors, so many different models and it was really hard to choose with so many different characteristics each and every one of them. So we did what anybody would do in this situation. We went to the Museum of Sex. Yes, in New York. We were in New York and we visited the museum. Exactly and we started actually testing different devices that you could test on the site and we didn't bring our laptops with us. We should have. But we ended up choosing two vendors that we think were one of the biggest or two of the biggest. So are you referring to the size or actually the vendors? Oh come on. Don't do this to me. Just thinking. Okay the first one is Lovense. I'm sure many of you know this brand if you're interested in sex toys and security of sex toys because there has been research on this particular vendor. This brand has a lot of smart sex toys. You can connect them over a Bluetooth network or even over the internet. And there are so many different shapes and sizes and we have also We-Vibe, which we chose, and they also have a lot of smart sex toys and they are very important in the market and I'm sure you're aware that there were several pieces of research regarding this vendor in the past. So we wanted to know how much they had changed. So the first thing we did was visit the websites of these two vendors and try to look at the characteristics of their different models. The first thing that you can see is that there is a lot of information about colors, materials, how much the battery lasts, how much does it take to charge them. But there were no mentions on the websites about protocols, encryption and the security that was being applied to these apps and this firmware to make it secure.
So this is something that happens a lot with this type of IoT devices and in particular sex toys. So the first step was to understand the architecture, how are these toys connected. So the toy connects to the user's smartphone using a personal area network like Bluetooth or in most cases Bluetooth Low Energy. Then from the smartphone, the user connects to an API from the vendor, usually on a vendor server, and then the remote partner that can be anywhere in the world connects to that API and from there gets control of the remote toy. So in this architecture, in this model, there are a lot of attack vectors that an attacker could use, like go through the personal area network connection, the Bluetooth connection, maybe something on the smartphone, on the app, or even the remote connection through the internet API. So that's what we analyzed. Exactly. But first a quick disclaimer because all of the vulnerabilities that we're going to see throughout the talk that we're going to discuss have been already fixed and we have permission to perform and distribute the content that you're going to see. So just to be clear on where we are standing. So the first toy we are going to show you is this naughty one right here. He can't stand still. So this is the Jive from We-Vibe. This toy is pretty interesting because it's a wearable. It means that the person wears this toy and can go around playing with this toy. So usually couples use these toys in bars, restaurants or even discos, not only in hotel rooms or inside the house. So that was pretty interesting for our analysis because it's a toy that you can find anywhere and as we said before, it's permanently advertising its presence and an attacker can easily find one of these like 30 feet around. Yeah, it is designed to be used in insecure networks or it should be designed for that. We-Vibe has had some trouble when it comes to information security in the past.
It was at DEF CON a few years ago that research was presented where it was proven that they had collected too much information from their users without their consent. And so they were sued and they had to pay 3.7 million dollars, which is a lot. So we wanted to see if they had learned from this experience and they had changed their applications to make them more secure. The first thing that we checked was the remote control via the URL. This application has the possibility to create a 12-character string that is used as a token and you can share with your partner and so they can connect via the application to control your own sex toy. So this token used to have some problems in the past. It didn't expire as it should, but now they actually fixed it. At least we couldn't find any problem with this right now. The first things that we checked were some privacy issues that could have critical consequences for the users leading to information disclosure. There are so many good things that We-Vibe has changed. For example, now they block all screenshot attempts, which is great and it's quite common in these applications that tend to handle such sensitive data. They applied end-to-end encryption to encrypt all the pictures that you are sending and the files actually are deleted from the chat once the chat ends, which is great. So you know that your pictures do not linger on the phone of your partners. But still there were some issues that we found with this transferring of images. Yes, well the pictures sent on the chat are saved to the app storage inside the phone so that no other app can access that picture or you cannot access that picture from outside the application. But if the attacker has a rooted phone, well they can access the app storage. In that case, that's what we did. We found out that the picture that is stored inside the application still has all the metadata in it. So when you send a picture, the metadata is not deleted before it's sent.
So that picture can be uploaded to a site like for example Metapicz and an attacker can find out where the person that sent the picture is actually located. The exact location by the GPS details information. The attacker can also know the model of the phone that's been used, the camera, the time and date the photo was actually taken and if it has been edited or not. This information at first could sound like something that no one could use but the thing is that many people usually use these applications to talk to strangers and also many people share online their tokens or their remote controls. So if that person is trying to hide his or her true personality or is trying to hide where he or she is, well the metadata in the pictures does not help. Exactly. And sometimes this is not a personal choice but this can also be part of a service as a cam girl or a cam boy service. So we need to protect these people that are using these devices basically to work. What else? Well this application actually includes a four-digit PIN that they can use in order to lock the application so no one else can access the application unless it has the four-digit PIN. This functionality might be in place to protect the app from your kids or something like that, your nieces or maybe also a jealous lover. So the consequences can also be kind of critical if you're talking about a toxic relationship because this application only allows one partner at a time. So polyamory has not arrived to this application. So this PIN can actually, since it's just a four-digit PIN, can be brute-forced by using a BadUSB with a very simple script because it takes the keyboard input and not like a grid of buttons or other type of component. So it's quite trivial to access this token and therefore access the control panel of the application and the usage of the application itself. Unlike with the individual, just unblock the app. Exactly. So what else regarding these toys?
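The metadata problem described above is fixed on the sending side by removing the Exif segment before the picture leaves the phone. The following is an added example written for this transcript, not code from the talk or from either vendor's app: a dependency-free JPEG segment walker that drops every Exif APP1 segment (where GPS coordinates, camera model and timestamps live) and keeps the rest byte-for-byte. The sample image bytes are constructed by hand and carry a fake GPS IFD pointer.

```python
"""Strip Exif (APP1) segments from a JPEG before it is shared.

Added example, not code from the talk or from either vendor's app. It walks
the JPEG marker structure directly (no Pillow needed), drops every APP1
segment whose payload starts with "Exif\0\0", and keeps everything else
unchanged. The sample image bytes below are constructed for the demo.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA          # start of scan: entropy-coded data follows, no more segments
APP1 = 0xE1
STANDALONE = {0xD8, 0xD9, *range(0xD0, 0xD8), 0x01}  # markers with no length field


def iter_segments(data):
    """Yield (marker, segment_bytes) for each segment up to and including SOS.
    After SOS the remainder (scan data + EOI) is yielded once with marker None,
    because 0xFF bytes inside scan data are byte-stuffed and are not markers."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    yield 0xD8, SOI
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        end = pos + 2 + length
        yield marker, data[pos:end]
        pos = end
        if marker == SOS:
            yield None, data[pos:]
            return


def strip_exif(data):
    """Return the JPEG with all Exif APP1 segments removed."""
    out = bytearray()
    for marker, seg in iter_segments(data):
        if marker == APP1 and seg[4:10] == b"Exif\x00\x00":
            continue   # drop GPS / camera / timestamp metadata
        out += seg
    return bytes(out)


def has_exif(data):
    """True if the JPEG still carries an Exif APP1 segment."""
    return any(m == APP1 and s[4:10] == b"Exif\x00\x00" for m, s in iter_segments(data))


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a tiny JPEG skeleton with a JFIF APP0, an Exif APP1
# carrying a TIFF header and one GPS IFD pointer tag (0x8825), one
# quantisation table, and a one-byte scan followed by EOI.
_EXIF_PAYLOAD = (
    b"Exif\x00\x00"
    + b"MM\x00\x2a\x00\x00\x00\x08"          # big-endian TIFF header, IFD0 at offset 8
    + b"\x00\x01"                            # one entry in IFD0
    + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a"  # GPSInfo IFD pointer
    + b"\x00\x00\x00\x00"                    # next-IFD offset: none
)
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, _EXIF_PAYLOAD)
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00"
    + EOI
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; exif left:", has_exif(cleaned))
```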
Well, as we spoke before, these toys use Bluetooth Low Energy. And this protocol has a particular characteristic that is that there are two types of devices, peripheral and central devices. Peripheral devices that are usually the toys have to be constantly advertising their presence to wait for a connection from the central device. That means that while a toy is not connected to a smartphone, it's permanently advertising, announcing their presence there, waiting for the connection. This means that, like that. See? You're doing that. Come on. I'm not doing that. It's crazy. We are already being hot. Who is doing that? I'm not sure. It's nobody here. It's just us. Okay, so is somebody here? Those two. So the attacker can download an application like this Bluetooth scanner and just try to find out if there are any devices around. In the example that you can see on the screen, we are finding the Jive that's here and the Max that we are going to talk later about, this one. So it's pretty easy for the attacker to just find these devices, find a lot of information from these devices and start using this scanner as a compass. A compass to get closer to the device just using the signal strengths of each device. So the attacker can easily move around looking for the best signal strength and that will give the attacker an idea of where the toy is present, who is wearing or using that toy. That's pretty much a lot of information. Yes, and then they can connect to the toy and they don't even need the app to do that because there are several websites that you can use by using the Web Bluetooth API to connect to the sex toy and send commands to the sex toys and they are still functioning because there is no authentication when it comes to this Bluetooth connection and so it's quite vulnerable to these types of hijackings.
So not only can an attacker get control of this toy whenever the toy is available but also, could an attacker get into the middle of a conversation, into the middle of a connection? Well, that's actually what we tried, a Bluetooth man-in-the-middle attack where the attacker tries to get in the middle of a communication and control the toy. So in a common scenario, a toy would be connected to the user's phone but in this case, what the attacker will try to do is get in the middle of that connection, create a fake toy in his or her computer and then make the user connect to the fake toy instead of the real toy and the attacker will be the one who will forward the commands to the toy or maybe change them in the middle. So in the next video, we are going to see a proof of concept of this. So what we did is use the tool, BtleJuice, to create a man-in-the-middle attack. This tool uses two Bluetooth dongles and the attacker will need two computers or in this case, two virtual machines. The first one, what the attacker would do is create a Bluetooth proxy. This Bluetooth proxy will be in charge of getting all the Bluetooth communications, capturing all the Bluetooth traffic. Then once the proxy is up, the attacker can go to the other computer or the other virtual machine and will connect to the BtleJuice proxy. And then once connected, you will see that this tool has a web interface. That's very useful and easy to use. So in that interface, the attacker can see all the Bluetooth devices in range and there you will find the Jive, our toy. So then once the attacker finds the toy, can connect to that toy and as you see in the console, the tool, BtleJuice, will create what is called a dummy. It's like a fake toy, a fake device where the user, the victim, will connect but will still think that it's the real toy because this dummy will copy all the characteristics of the real device.
So then the victim connects to that dummy, to the fake toy and when sending a command, the toy actually moves. As you see on the screen, the attacker is capturing all these packages, all these commands. So the attacker can start knowing some commands and getting some traffic. So there you can see the user is changing some vibration patterns and the attacker is there capturing all of these packages. So then the attacker can get some commands. But what the attacker can do next is take any of these packages and just replay it, that means send it back to the toy. So now the attacker is sending a command and while the victim is not doing anything, the toy is moving. So the toy is vibrating. So the attacker is the one that is actually controlling the toy at this point. You can see it's sending different types of commands and the toy is responding. Also, what the attacker can do there, the device is stopping, is change these packages. Just add new commands. These commands can either be taken from the source code of the application or by capturing a lot of traffic. So there, for example, you have the max intensity. So the attacker can send a command to the toy to vibrate at its maximum intensity. And there you will see how the toy is now vibrating. So the attacker can not only intercept the actual commands but also change them or send new commands to the toy. So in this case, I don't know, maybe it could be a sexual assault. Something to talk about or to think about. So we have proved that these devices are still vulnerable to this type of attack and no authentication has been included in these toys in the past years. Which was the goal of this research. So now we're going to analyze our Lovense device, which is the Max device that you are watching right now on screen. This device can be synchronized with its counterpart. It can be another Max device or a Nora device.
These models are interesting from a hacking perspective because if a hacker has control over one of these devices then immediately compromises the other one that replicates the movements of the first. So you can have two devices under your control for the price of one. So we started analyzing the application that is used to control this device. That is the Lovense Remote application. And we started analyzing the privacy features related to this application. Well, we could see that it uses a four-digit PIN to lock the application, the same as the other one, but there were some concerns, right? Yes, well some questionable design choices from Lovense. To start, the screenshots are allowed. So for a sexting application, that's pretty much something to think about. But also, well the metadata was deleted from the pictures before they are sent. That's great, but the pictures that the person sent on a chat are very difficult to delete from the remote smartphone. They practically stay there. What do we mean by this? Well, let's imagine you're using the application and you send your partner your own picture. Let's say that you now open the options menu on this picture. Well, you see different options. First of all, you can see that you can delete the picture. But this deletion only works locally. It doesn't remove the picture from the server nor the phone of your lover. So basically, once you send the picture, you lose control. Also, the remote partner can also forward or download your picture whenever they want. And since this picture stays on the server, then they can also query the server to get the image if they know the URL of this particular resource. The Lovense privacy policy says that these pictures stay in their servers. Unencrypted, by the way, for seven days. We actually found that they can stay longer. There's actually a hidden option that's called recall. And that's the one you want to use when you want to delete a picture from the two devices.
But this option is only available for two minutes after sending the picture and then completely disappears. So if you never tried to delete the picture right after you sent it, then you don't even know that this function even exists. So that's something to have in mind if you or one of your relatives or someone of your friends is actually using this application. Also, when we started analyzing the traffic, you can see that there are several queries, HTTP GET queries, that are broadcasting information such as the user ID. In this case, it's the same one as the email address. When you register into the application, you can set a fantasy username and you need to provide your email. Well, guess what? That email is actually shared with whomever you're chatting with. Let's say you open up a chat with one of your friends. Well, the application uses your email as your user ID to identify your phone. So they are sharing your email with the person that you're chatting with and they can look up your email in the internal files of the phone because they are not encrypted. And even if they were, you can still somehow manage to get to this information by injecting the application at runtime. And there are other ways, other issues related to the way this application manipulates the email addresses. For example, you can query the server to see if a given email address is registered on the system. So you can know based on the response if the email exists, you could use a leaked database of emails from previous attacks, let's say the Ashley Madison social network attack, and then query these emails against the server because there are no protections against brute forcing. So you could query all that you want. And it works the other way around. You can also query for usernames and get their emails. So let's say you start browsing the application and you find the patterns library where users can share their patterns of views publicly with other users.
So you could find usernames listed in this library and then query the server to get their emails and start different attacks such as social engineering or sextortion attacks or even use these emails to launch other types of attacks since these are also the user IDs. So these emails could be used to identify a person, right? Yes, exactly. Well, apart from the library we need to think that many people just share their username, their nicknames online for remote sessions with someone around the world. But most of the time these are fantasy names like Sexy Scott 26. Well, in this case an attacker could find out what's the email for Sexy Scott 26 and find the real person behind that nickname. Be sure not to register with a corporate account, right? Yeah, for sure. Well, apart from this, the Lovense remote control also works with a URL. So the person that has this toy can create a remote control URL for his or her partner to control the toy remotely. So this URL works directly through the internet. It does not need the remote partner to have the app installed as in the case of We-Vibe. So in this case, this URL is made by, at first, an alphanumeric token with only four characters. So we started analyzing a little bit about this token. So apparently, as Lovense says, it's a one-time use token and it lasts only 30 minutes. But we were going to test this and see if this is true. Spoiler alert, it's not. So this is the remote panel where the remote lover can connect to control this toy. In this case, what you're seeing is the panel for our own toy. In the case of Max, you have two controls, for vibration and for air control. So anyone that connects to this URL without authentication just gets control of this toy. So the idea here was to find out if we were able to just guess different tokens and get access to panels that are online and maybe get a panel for another person's toy.
Yeah, so we created different tokens, some of them expired, some of them active, and we used our own Lovense app installed on our own smartphone. And then we tried to analyze how this access to this token worked. So basically, if the token never actually existed, then the server redirects to a JSON with page not found. But in the case the token existed at some point in time, then it's redirected to another resource with a path that you can see now on screen. You can see there's an SID or session ID that links the token, the user ID, and also the ID of the particular device since a user can have multiple devices connected to this application. And then there was a second redirection within this process where you can see that the only thing that changes is the two in the middle of the path. At the end, the session only expires or the token expires if the user reaches the final URL. But in the meantime, you can interrupt the process and try to somehow see if the response from the server tells you if a token is valid, meaning it has existed at some point in time, if it's active, meaning there's someone actually waiting for you to connect to this token, or if it has expired. So is there a way to weaponize this? Could an attacker just try to write a script to find random active tokens and try to join these remote sessions? Well, we created different tokens, some of them expired, some of them active, and we actually tested some non-existent tokens, and we created a script to see if we could do this programmatically. And in fact, this worked. It's a success. You can actually tell with a script if a token is active or not. So we tested this set of tokens, and then we wondered, how long would an attacker have to wait to find an active token? I mean, is it really worth it? Or would he have to wait so long that it's not even worth the effort? Well, let's do some math. Let's check this. So it's a four-digit token with letters and numbers.
And that would be around 36 characters, different characters. And that would be like 1.6 million possibilities of tokens to try. So if we think about one second per token to find them, maybe 20 days for an attacker to find a valid token. And also, the attacker needs to access this URL, this token, before their remote partner does, so it doesn't expire. So it's pretty much complicated. It's a lot of time. So maybe if we speed up a little bit, if we make some automation here. Automation to the rescue, right? So here's a proof of concept that we ran on top of our own tokens. And you can see on the bottom right screen, there's a console that's running our script that's checking for different tokens. And some of them are non-existent. Some others are valid. If the token is valid, then it opens up a new tab on the web browser to your left. And if the session is actually active, then it sends a message via a Telegram bot to the attacker. So that way, the attacker can know that a new active token has been found. And this is done by adding a malicious extension to this web browser that allows or adds more processing capabilities to the Python script that's running on the bottom right. So this is a simulation of 10 minutes of running the script. And you can see that in the end, it doesn't take long to find new tokens. This is the average that it took us to find active tokens. And in this case, you can see that the attacker has access to the control panel of this device, the Max device, and he receives a new message via Telegram on his phone, letting him know that there's a new session active in the web browser. So how can we protect ourselves, given that these devices still have vulnerabilities? Well, first of all, keep in mind that this is a sexting phenomenon. So if you're talking about sexting, don't share any pictures or videos where other people can see your face or some particular markings that you have.
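The token findings above come down to three server-side choices: a 36^4 keyspace, a response that distinguishes unknown, expired and active tokens, and no brute-force limit. The following is an added example written for this transcript, not Lovense's or We-Vibe's code, showing a share-token store that fixes all three; the class and method names, the default TTL and the lockout thresholds are assumptions, and the keyspace arithmetic reproduces the talk's 36^4 estimate.

```python
"""Remote-control share tokens with a constant-shape failure path.

Added example for this transcript, not a vendor's code. It fixes the three
weaknesses the talk describes: a guessable 4-character keyspace, a server
response that reveals whether a token exists/is active/has expired, and no
brute-force limit. All names, TTLs and thresholds here are assumptions.
"""
import secrets
import time

ALPHABET_SIZE = 36  # a-z + 0-9, as in the 4-character token from the talk


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct tokens of the given length."""
    return alphabet ** length


def days_to_exhaust(length, guesses_per_second=1, alphabet=ALPHABET_SIZE):
    """Worst-case days to try every token of the given length (talk: ~20 days for 4)."""
    return keyspace(length, alphabet) / guesses_per_second / 86400


class TokenStore:
    """One-time, short-lived share tokens; every failure looks identical to the caller."""

    def __init__(self, ttl_seconds=1800, max_failures=10, lockout_seconds=600, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._ttl = ttl_seconds
        self._tokens = {}            # token -> (owner, device, issued_at)
        self._failures = {}          # client -> (count, first_failure_at)
        self._max_failures = max_failures
        self._lockout = lockout_seconds

    def issue(self, owner, device):
        # 128 bits of entropy: about 3.4e38 possibilities instead of 1.6e6.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (owner, device, self._now())
        return token

    def _record_failure(self, client):
        count, first = self._failures.get(client, (0, self._now()))
        if self._now() - first > self._lockout:
            count, first = 0, self._now()   # window elapsed, start counting again
        self._failures[client] = (count + 1, first)

    def _locked_out(self, client):
        count, first = self._failures.get(client, (0, 0))
        return count >= self._max_failures and self._now() - first <= self._lockout

    def redeem(self, token, client):
        """Return (owner, device) on success, else None.

        Unknown, expired, already-used and rate-limited all yield the same None,
        so a scanner cannot tell a dead token from a live one by the response.
        """
        if self._locked_out(client):
            return None
        entry = self._tokens.get(token)
        if entry is None:
            self._record_failure(client)
            return None
        owner, device, issued_at = entry
        # Expire on the server clock, not only when the partner reaches the final URL.
        if self._now() - issued_at > self._ttl:
            del self._tokens[token]
            self._record_failure(client)
            return None
        del self._tokens[token]      # single use: redeeming consumes the token
        return owner, device


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("alice", "max-1")
    print("issued", t, "->", store.redeem(t, "partner"), "then", store.redeem(t, "partner"))
    print("4-char keyspace:", keyspace(4), "days at 1/s:", round(days_to_exhaust(4), 1))
```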
Try to avoid being recognizable through these pictures and videos. Also, make sure that you're not sharing these remote tokens online or publicly and that you're always sharing them via some secure mechanism with the intended person. Make sure also that you're registering to these applications with a fantasy email. Don't use your personal email. Create a new one specifically for these applications. And also make sure to install the latest updates to install the patches to all of these vulnerabilities. Well, and of course, make sure you're using a secure network while you play with these toys. And even if it's possible, make sure nobody is around. And also you can always Google some reviews about the toy and see if there are already some security issues published or there is any security review published. And once you decide to buy a toy or once you have chosen a toy, please read the terms and conditions before using it. It's also a good practice to download the application before buying the toy so you can check the application, see which functionalities it has and how it works, and maybe guess or research a little bit about which information it is asking you for and how it will treat or protect that information. So, well, that's all. But what happens if you already have a toy? What about all these people that already bought a toy and now are too scared to use it? Well, remember, it's also a great toy for your dog. Thank you very much for listening to our talk.