A BUG in a "smart" chastity belt for men left users at risk of having their genitals permanently locked in the gadget.
The flaw exposed the gonad-pinching gizmo to hackers who could have controlled it remotely without the user knowing.
It was spotted by researchers at Brit cyber security firm Pen Test Partners, who published their findings in a blog post on Monday.
Dubbed the Qiui Cellmate, the sex toy is billed as the "world’s first app controlled chastity device" and is reportedly used by tens of thousands of people across the globe.
The wearer's todger is placed inside a metal tube which can then be locked or freed from a ring that sits at the base of the genitals.
By connecting the toy to a phone via Bluetooth, a partner can control it with the push of a button on a connected app.
However, a major security hole unearthed by Pen Test Partners meant hackers could have taken control of someone's device instead.
"Remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device," researcher Alex Lomas said.
"There is no physical unlock. An angle grinder or other suitable heavy tool would be required to cut the wearer free."
The flaw found was linked to the smartphone app that connects to the Cellmate, Alex said.
The app communicates with the sex toy's lock using an API, a piece of software that allows two bits of tech to talk to one another.
However, Qiui, the China-based firm behind the toy, did not ensure the API was secured with a username and password, exposing it to almost anyone.
Alex said an attacker could easily lock “everyone in or out” in an instant.
"There is no emergency override function either, so if you’re locked in there’s no way out," he wrote.
How to stay safe from hackers
- Protect your devices and networks by keeping them up to date: use the latest supported versions, use anti-virus and scan regularly to guard against known malware threats.
- Use multi-factor authentication to reduce the impact of password compromises.
- Tell staff how to report suspected phishing emails, and ensure they feel confident to do so; investigate their reports promptly and thoroughly.
- Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions.
- Prevent and detect lateral movement in your organisation’s networks.
It's not known if anyone exploited the vulnerability, which also surrendered access to the private messages and the location of users.
Qiui was informed of the flaw in June, but by August had still not fixed it.
Pen Test Partners said the decision to make the bug public was made after Qiui repeatedly missed self-imposed deadlines to sort it out.
“This reinforced our decision to publish: clearly others were likely to find these issues independent of us, so the public interest case was made in our minds,” Alex wrote.
In other news, a major Instagram bug lets hackers snoop on you through your phone.
Scammers are using Google Alerts to send out links to malware.
And, Windows 10 users are being told to update their PC to escape an 'Eternal Darkness' flaw.