A security flaw in an internet-connected male chastity device could allow hackers to remotely lock it — leaving users trapped, researchers have warned.
The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the base of the male genitals with a hardened steel ring, and does not have a physical key or manual override.
The locking mechanism is controlled with a smartphone app via Bluetooth — marketed as both an anti-cheating and a submission sex play device — but security researchers have found multiple flaws that leave it vulnerable to hacking.
“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock,” British security firm Pen Test Partners said Tuesday.
“An angle grinder or other suitable heavy tool would be required to cut the wearer free.”
The firm also found other security flaws in the Cellmate — listed for $189 on Qiui’s website — that could expose sensitive user information such as names, phone numbers, birthdays and location data.
“It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” PTP’s Alex Lomas wrote in their report on the device.
“A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots.”
Qiui did not immediately respond to AFP’s request for comment.
PTP said it reached out to Qiui in April this year, identifying the flaws.
Qiui fixed most of the issues by updating the software, but left the older version active and its users still vulnerable, PTP added, saying other researchers had found similar issues.
Such smart sex toys and devices are among the wave of new “internet of things” products and appliances introduced in recent years that are online and capable of being operated remotely.
Their connectivity has also made them vulnerable to security breaches and privacy violations.
In 2017, the Canadian maker of a smart vibrator agreed to a multi-million-dollar settlement after it was sued for collecting sensitive user information, though it did not admit any wrongdoing.
Next year, cybersecurity firm SEC Consult reported multiple vulnerabilities that hackers could exploit to hijack and control a smartphone-controlled vibrator called Vibratissimo. Sensitive user data was also left exposed.
Learn More About IoT Security at SecurityWeek’s IoT Lockdown Virtual Event
