A cybersecurity firm has discovered a flaw in an internet-linked men’s chastity device that could be exploited to make it impossible to remove.
The Bluetooth-connected hardware links to a smartphone app, which can then be used to activate or deactivate the cage’s lock-and-clamp mechanism.
Pen Test Partners (PTP) discovered that hackers could remotely target the Cellmate Chastity Cage and set it permanently in the locked position.
The flaw was due to commands being routed through a central server used by its manufacturer.
PTP found a way to trick the server into providing details on the owner of each device, including name, personal details, plaintext password, where the app had been used, and a unique code that had been assigned to each device.
“All API endpoints were unauthenticated using only a long-ish ‘memberCode’ to make requests,” PTP said. “The memberCode itself is somewhat deterministic and is based on the date a user signed up for the service, however, we found an even easier way using a shorter ‘friend code’.
“A request with this six-digit ‘friend’ code returned a huge amount of information about that user.”
With the information, a hacker could make the device ignore requests from the app, leaving anyone wearing the chastity device locked in.
Theoretically, this could have been done to set all devices in use to lock simultaneously.
Since the device lacks a manual release mechanism, the only way to remove it would be to destroy the metal clamp or plastic body – generally requiring either a bolt cutter or angle grinder.
The app’s Chinese developer, Qiui, has since devised and provided a workaround – should the device become stuck, the victim can prise out its circuit board and press batteries against two of the wires to activate the motor.
Chastity belts are popular among BDSM enthusiasts as a way of giving sexual control over to a partner or to ensure they remain faithful. Being able to open and close the device remotely provides an additional level of control for the user.
After the issue was flagged to Qiui by PTP in May, the sex toy’s app was fixed with updated APIs. However, the earlier version of the API is still available online.
“We had particular problems during the disclosure process, as we would usually ask the vendor to take down a leaky API whilst remediation was being implemented,” PTP wrote in a statement. “However, anyone currently using the device when the API was taken offline would also be permanently locked in!”
Based on the number of IDs supplied by Qiui, PTP believes there could be up to 40,000 of the chastity devices currently in use around the world, clustered largely in Europe, the US and China.
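As an added illustration (not code from PTP or Qiui), the sketch below shows the server-side checks whose absence PTP's quote describes: the friend-code lookup requires an authenticated session, is rate limited per caller, and returns only an allow-listed field. All names, fields and limits are assumptions, and the records are constructed sample data.

```python
import secrets
import time

# Constructed sample records; field names are assumptions, not the vendor's schema.
USERS = {
    "u1": {"display_name": "Alice", "friend_code": "482913",
           "password": "constructed-secret-1", "last_location": "51.50,-0.12"},
    "u2": {"display_name": "Bob", "friend_code": "730164",
           "password": "constructed-secret-2", "last_location": "40.71,-74.00"},
}
BY_FRIEND_CODE = {u["friend_code"]: uid for uid, u in USERS.items()}
PUBLIC_FIELDS = ("display_name",)    # allow-list: nothing else leaves the server
MAX_LOOKUPS, WINDOW_SECONDS = 5, 60  # assumed per-caller limit
SESSIONS = {}   # session token -> user id
_LOOKUPS = {}   # user id -> timestamps of recent lookups


def login(user_id):
    """Issue an unguessable session token (stands in for a real credential check)."""
    if user_id not in USERS:
        raise KeyError(user_id)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def lookup_friend(token, friend_code, now=None):
    """Return (status, body) for a friend-code lookup."""
    now = time.time() if now is None else now
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {}                   # unauthenticated: no data at all
    recent = [t for t in _LOOKUPS.get(caller, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_LOOKUPS:
        _LOOKUPS[caller] = recent
        return 429, {}                   # six digits is only 10**6 codes
    _LOOKUPS[caller] = recent + [now]    # hits and misses both count
    uid = BY_FRIEND_CODE.get(friend_code)
    if uid is None:
        return 404, {}
    # Password and location never appear in the response, whoever asks.
    return 200, {k: USERS[uid][k] for k in PUBLIC_FIELDS}
```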