Cybersecurity expert Cecilia on why hackers are attracted to the adult gadget industry and why it’s dangerous

Adult gadgets do not always sufficiently protect user data and can be an easy target for hackers, said Cecilia Pastorino, an information security expert from ESET, in an interview with Izvestia. By hacking into an intimate device, a cybercriminal can obtain comprehensive information about the sex life of its owner, and then blackmail the victim and demand a ransom. The pandemic has spurred the demand for sex toys, and hackers will certainly take advantage of the trend, the expert is sure.

– How have sex toys improved over the past 5-10 years, such that hackers have noticed them?

– Modern gadgets have acquired many functions. For example, you can transfer remote control of the device to other users through a mobile application or browser. In the same applications or websites, users can participate in group chats and video conferencing, as well as share device settings or sync vibration with music or audiobooks. There are paired devices that allow partners to mimic movements from a distance. And this is just the beginning. Recent advances in the sex toy industry include devices with virtual reality options and sex robots with artificial intelligence, cameras and microphones. In some countries, similar robots are already being used in brothels to replace sex workers.

– What can you learn about a person by hacking his advanced sex toy?

– Names, email addresses, sexual or gender orientation, information about the use of the device (time of use, types of vibration, temperature). Plus intimate photos and videos. Hacking a sex toy and leaking data can be disastrous.

– What, for example?

– Many countries have laws prohibiting citizens from engaging in certain sexual activities. In such regions, primarily in Africa and Asia, the publication of private information about the sexual behavior of a person and his partners can lead to arrest, subsequent imprisonment and even a death sentence. For example, in Sudan, Saudi Arabia and Afghanistan, according to journalists at El País (a Spanish daily – Izvestia), homosexual relationships are still punishable by death.

– Hackers are more likely to set themselves the goal of making money, rather than killing someone. How are cybercriminals monetizing sex toy attacks?

– Mostly through extortion or sexual harassment. For example, if a hacker manages to block access to or control of a gadget after a hack, he may demand a ransom to regain control of a vibrator, chastity belt or sex doll. Confidential information received from the device can be used for blackmail. Money is demanded from the victim in exchange for keeping the information secret from the spouse, colleagues or law enforcement agencies. Such information can also be used in social engineering. Achieving the goal is simple when the victim is sure that a familiar person or, for example, a relative of the partner asks to make a transaction or perform another action.

– Is it difficult to steal all this data from a sex toy?

– It varies. Many devices have serious privacy concerns. They do not protect metadata or personalized files. For example, one of the applications we analyzed sends images that contain information about the user’s device and its geolocation. And in another mobile client, we saw that the e-mail of each chat participant is used by all phones in the session and is stored in plain text in the general settings file. Such miscalculations greatly simplify the work of hackers.

– Can hacking an adult gadget cause other devices and user accounts to be compromised?

– Sure. As with any other cyberattack, vulnerable devices can be used as an entry point to the network or to take control of other gadgets in it.

– Can the interception of control of an intimate gadget be considered sexual assault?

– We cannot talk about the consequences of hacking a gadget without reassessing the importance of sexual violence in the context of the digital transformation that society is going through. First, you need to determine the consequences of intercepting control over an intimate gadget without the user’s consent. Then find out if the law provides for punishment for such behavior. After all, is it legally correct to treat taking control of a gadget as an act of sexual assault?

Many countries have a legal framework that categorizes different types of cybercrime. However, the phase when new forms of cyber incidents affecting the privacy of many users are immediately registered in the legal framework has not yet been reached. However, one thing is clear: consent obtained through online fraud is not legitimate. This axiom must be enshrined in existing laws to ensure the sexual, physical and psychological safety of users in the digital world.

– Is it possible to talk about an established trend when it comes to hacking sex toys?

– The adult sex and entertainment industry has been targeted by cyber attacks on several occasions. Just remember the attack on the social network Ashley Madison, when the names of more than 37 million users were published, which provoked a wave of divorces and suicides. Or a scam with a Tinder vulnerability that allowed attackers to trick men with fake female profiles.

Although there have not yet been any massive attacks on smart sex toys, vulnerabilities have been reported that could potentially affect thousands of users. We also know that many attacks go unreported simply because users do not always realize that they have been hacked. And the owners of sex toys belong to the group of those who will not bring up problems with their gadgets for public discussion.

– Will attacks on adult gadgets become a trend in the next 5-10 years?

– The era of smart sex toys is just beginning. They are gaining popularity. The pandemic has greatly spurred this process. Self-isolation has forced many people to stay at home, sometimes away from their partners and unable to continue their normal sex lives. As a result, people have turned to new ways of exploring their sexuality or maintaining passion with remote-controlled adult toys. With the onset of the pandemic, sales of such devices have skyrocketed.

There is no doubt that hackers are taking advantage of this situation. Internet scammers always act on growing trends. Moreover, in the pursuit of sales, manufacturers of sex gadgets do not think about the safety functions of products in the first place. Cyberattacks will definitely not stop in a couple of years, because attackers know the value of intimate information for subsequent deception and extortion. But the safety of sex toys will increase over time. Manufacturers will consider data integrity aspects of such devices at the design stage.

– How correct is it to say that developers of gadgets for adults pay little attention to information security?

– Both vendors that my colleague Denise Giusto Bilic and I interacted with during the research were deeply concerned about the vulnerabilities found and took the necessary steps to fix them. They also stated that they periodically conduct checks and send newsletters to customers about security flaws and how to fix them. But the market for smart sex devices is vast and includes many different manufacturers. It would be wrong to generalize in this case.

Unfortunately, there are manufacturers who, either due to a rush with the release of devices, or due to a lack of experience in technological issues, do not conduct the information security testing stage and do not consider potential vulnerabilities at the design stage.

– Do you see the prerequisites for developers of gadgets for adults to start paying more attention to cybersecurity?

– One of the prerequisites is the growing expectations of the users themselves. Bulk product requires vendors to provide advanced information security practices. At the same time, our survey shows that only 30% of smart gadget users are concerned about security issues. Therefore, the consumer must first become more conscious in order for the manufacturer to take the right steps towards digital security.