The DEF CON talks have been uploaded online

IoT security insights

The weirdest devices can be found in the Internet of Things, including intelligent sex toys. And like all other internet-enabled devices, smart sex toys are susceptible to hacker attacks.

At DEF CON in Las Vegas, an IT security expert known by the name smea demonstrated how he was able to exploit a vulnerability in the sex toy Lovense Hush.

He noticed that the dongle has no security mechanism and that every user can upload their own code. Using a known BLE vulnerability, the hacker managed to control the dongle continuously via Bluetooth, because an old version of a chip from Nordic Semiconductor is built into the device. The chip manufacturer stated that all security gaps in all devices manufactured after 2016 had been closed.

Unfortunately, it is not possible to determine how many of these chips are still in circulation, or where and how they are used.

"The thing is, you can even use the dongle to hack the software that is running on a computer," smea said in conversation with Gizmodo. "IoT developers combine all of these modern technologies like JavaScript-based applications with these ultra-bad microcontrollers. They often do not understand what it means when, for example, they output raw input from the dongle in HTML."

The application itself was written with Electron and is based on Chromium, but for some strange reason it doesn't use the sandbox, which means that attackers can basically do whatever they want, including installing ransomware.
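To illustrate the two weaknesses described above (raw dongle output placed into HTML, and an Electron renderer without a sandbox), here is an added example that is not code from the talk or from the Lovense application. The `key:value;` message format and all function names are hypothetical; `sandbox`, `contextIsolation` and `nodeIntegration` are real Electron `webPreferences` settings.

```javascript
// Added example: every line read from the dongle is treated as untrusted input.
// The "key:value;" line format is hypothetical, not the vendor's protocol.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list per field: a value that does not match is rejected, not "cleaned".
const FIELD_RULES = new Map([
  ['name', /^[A-Za-z0-9 _-]{1,32}$/],
  ['battery', /^(100|[1-9]?[0-9])$/],
  ['fw', /^[0-9]{1,3}(\.[0-9]{1,3}){0,2}$/],
]);

function parseDongleLine(line) {
  if (typeof line !== 'string' || line.length > 128) return null;
  const fields = {};
  for (const part of line.trim().split(';')) {
    if (part === '') continue;
    const idx = part.indexOf(':');
    if (idx < 1) return null;
    const rule = FIELD_RULES.get(part.slice(0, idx));
    const value = part.slice(idx + 1);
    if (!rule || !rule.test(value)) return null;
    fields[part.slice(0, idx)] = value;
  }
  return Object.keys(fields).length ? fields : null;
}

// Unsafe pattern from the quote: raw dongle text concatenated into markup.
function renderStatusUnsafe(line) {
  return '<li class="toy">' + line + '</li>';
}

// Safer: validate the message first, then escape at the point of output.
function renderStatusSafe(line) {
  const f = parseDongleLine(line);
  if (!f) return '<li class="toy error">unrecognised device message</li>';
  const text = Object.entries(f).map(([k, v]) => `${k}: ${v}`).join(', ');
  return `<li class="toy">${escapeHtml(text)}</li>`;
}

// Electron BrowserWindow options that confine a rendering bug to the renderer.
const hardenedWebPreferences = { sandbox: true, contextIsolation: true, nodeIntegration: false };

// Constructed sample messages: one well-formed, one carrying markup in a field.
const benign = 'name:Hush;battery:87;fw:1.2';
const hostile = 'name:<b>injected</b>;battery:87';
```

In a real renderer, assigning the value through `textContent` instead of building an HTML string avoids the markup context entirely; `hardenedWebPreferences` would be passed as `webPreferences` when the window is created.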

The IT security expert also addressed a problem that goes far beyond vulnerabilities in Internet-enabled devices. If someone activates the sex toy remotely without the consent of the wearer, would that be a case of sexual violence?
