An interview with Doris Hauser from the nic.at Operations team.

The so-called "Internet of Things" (IoT) is a broad field and ranges from intelligent traffic lights to medical devices and equipment for the "smart home". All these devices allow physical and virtual entities to communicate digitally: people, machines, plants, vehicles and products can interact directly with each other. As a result, processes can be optimized, costs and time can be saved, and new, innovative business models can be realized. However, numerous devices still have vulnerabilities and enable hackers to take over devices such as webcams, loudspeakers, or even surveillance cameras and thus spy on their users.

One IoT category that has been less visible, and whose security aspects have been neglected, is smart sex toys. This is despite the fact that remotely controllable vibrators are likely to make many long-distance relationships easier, especially in times of lockdowns and entry bans. Just last week, domestic media reported a case in Austria in which a hacker took control of a "smart" chastity belt controlled via app and subsequently blackmailed the user.

The security of sex toys is therefore a topical and very exciting (taboo) subject, which Doris Hauser, System Engineer in our Operations team, dealt with as part of her bachelor's thesis at the FH St. Pölten. Doris graduated from the HTL Spengergasse in IT with a focus on network technology and successfully completed her part-time studies in the field of "IT Security" last year. In an interview she gave us a comprehensive insight into her chosen topic "Security of Smart Sex Toys" and also allowed us to publish her bachelor thesis here:

Doris, the topic of your bachelor thesis is quite unusual. How did it come about?
At the ITSECX Conference 2018, a graduate of St. Pölten University of Applied Sciences presented his master's thesis on "Internet of Dongs - a long way to a vibrant future", in which he conducted a penetration test¹ on a smart sex toy. I was fascinated by the presentation and at the same time very shocked by the result, which suggested that extensive vulnerabilities exist in this area. Since little research has been done in this area so far - probably because the subject of "sex" is rather a taboo subject in our society - I wanted to dedicate my bachelor thesis to this topic.

Is hacking of smart sex toys actually widespread in countries like Austria?
Hacking  takes place everywhere. IoT devices, which include sex toys, are no exception. Particularly in recent years, you've been repeatedly hearing and reading about hacker attacks on IoT devices, because this topic is new and many of the technologies used, such as Bluetooth, still have security weaknesses.

Do you think manufacturers are aware of these risks?
I think that, thanks to a few dedicated researchers, the larger manufacturing companies should be aware of this risk by now - but it also costs money for the know-how, implementation and testing of security measures. In my opinion, companies are clearly focused on product functionality and competitiveness. Unfortunately, there are now also some manufacturers, primarily Chinese, which produce cheap products that aremuch more attractive due to the low price. Most end users probably assume that these devices are also appropriately secured and cannot be hacked.

There probably isn't much literature on this topic that you've been able to consult, is there?
The literature search was actually quite time-consuming, because hardly any scientific papers have been written on the subject. However, when researching on the Internet, you very quickly come across experts who have dealt with the topic very thoroughly and have fortunately published information about manufacturers, approaches and weak points, which I was able to draw on.

What was the most exciting insight for you? 
Probably the most exciting realization was that some risks become apparent during the "normal" use of the app. For example, in some apps you can connect with a partner, and there is a search field for the "nickname". For two of the four devices I examined, however, you simply had to enter the first letter of the name and received a list of all users whose names began with the letter "A", for example. I asked the manufacturers themselves for data according to the GDPR, to which I received no response at all from two manufacturers, another only described  how I could have my data deleted via the app, and only one manufacturer provided me with all the data about my account.

In conclusion, do you have any recommendations for manufacturers or consumers?
Probably my biggest recommendations for manufacturers are to encrypt the transmission of all data via the apps and to use certificate pinning², which makes it much more difficult for a hacker to impersonate the manufacturer in a man-in-the-middle attack³ and then read the transmitted data. I can currently only advise end users to keep away from smart sex toys, or at least to make sure that their devices are either switched off or only connected to the desired partner when they are actually being used. This way, at least in most cases, you can rule out the possibility of a third person taking control of the sex toy.

If you are curious about this topic, you can download Doris' bachelor thesis here and read her study and findings:

Download PDF

¹ Penetration testing, or pentesting, is a comprehensive security test of IT systems or networks to determine their susceptibility to attack. A pentest employs methods and techniques used by real attackers or hackers.

² HTTP Public Key Pinning (HPKP) is a mechanism for securing the HTTPS protocol against man-in-the-middle attacks.

³ A Man-in-the-Middle-Angriff (MITM-Angriff) is a type of attack that is used in computer networks. The attacker stands either physically or - today mostly - logically between the two communication partners, has complete control with their system over the data traffic between two or more network participants, and can view and even manipulate the information at will.