Penetration tester releases proof-of-concept code for hijacking smart buttplugs

Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovesense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities.


Smea's attack starts by compromising the Hush's Bluetooth dongle, then using that foothold to send malicious commands or upload malicious code to the insertable sex-toy component. The compromise targets Lovesense's implementation of the Bluetooth Low Energy protocol, and the vulnerability may also be present in other devices (the chips haven't been manufactured since 2017, and their manufacturer, Nordic Semiconductor, has published a security advisory based on Smea's findings).

Smea's attack was successful in part because Lovesense's control app was built with the Electron JavaScript framework, which has many known security defects that expose the many desktop apps built on it to attack, including Slack, WhatsApp, and Skype.


Smea's proof-of-concept code is live on GitHub, with the injunction "don't be a dick, please don't actually try to use any of this."

In an interview with Gizmodo's Dell Cameron, Smea speculates on whether hijacking a sex-toy should be considered sexual assault and concludes, "Personally, I don't know if that's the case or not. I know it would be a really shitty thing to do either way, so people should not do it."


smea: The idea is that from the dongle you can actually compromise the app that's running on a computer. IoT developers have all these newer technologies, like JavaScript-based applications, working together with these super-low-level microcontrollers. They don't necessarily understand the implications of, for example, dumping raw input from the dongle to HTML. So that actually is the way I'm able to get inside the [buttplug] app, due to this weird interface between super-old technology and newer web technology.

From there you can compromise other [buttplug] apps through the social feature of the app, either through straight-up chats, by sending a message with HTML, or by compromising the dongle of the remote partner [using the feature that allows you to] send messages to control the partner's toy. And that actually allows you to exploit a vulnerability inside the dongle's code, which is in the JSON parser.

A Buttplug Hacker Talks Security, Consent, and Why He Hacked a Buttplug [Dell Cameron/Gizmodo]

(via Four Short Links)
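The "dumping raw input from the dongle to HTML" problem smea describes comes down to an Electron UI trusting bytes from a serial device. The following is an added illustration, not code from the talk or from Lovesense's app, of the defensive pattern: the app parses each dongle frame against a strict allowlist and HTML-escapes every field before it reaches the DOM. The frame grammar (`key:value`, one frame per line) and the key names are assumptions made up for this example.

```javascript
// Added example: treating BLE-dongle output as untrusted input in an Electron UI.
// Assumed frame grammar (constructed for this example): "<key>:<value>", one per line.
// Telemetry keys carry a bounded numeric value; "msg" carries printable ASCII only.
const TELEMETRY_RE = /^(battery|level|status):(\d{1,3})$/;
const MSG_RE = /^msg:([\x20-\x7e]{1,64})$/;

// Escape the five HTML-significant characters so a string can only ever render as text,
// never as markup, regardless of which field it came from.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Strict allowlist parse of one dongle frame. Anything that does not match the
// grammar exactly (wrong key, markup in a numeric field, overlong line) is rejected.
function parseDongleFrame(raw) {
  if (typeof raw !== 'string' || raw.length > 80) return null;
  let m = TELEMETRY_RE.exec(raw);
  if (m) return { key: m[1], value: Number(m[2]) };
  m = MSG_RE.exec(raw);
  if (m) return { key: 'msg', value: m[1] };
  return null;
}

// The only thing the UI layer should hand to the DOM: a validated, escaped field,
// or a fixed placeholder. The raw bytes from the dongle never reach innerHTML.
function renderDongleFrame(raw) {
  const frame = parseDongleFrame(raw);
  if (frame === null) return '<span class="status">[frame dropped]</span>';
  return `<span class="status">${escapeHtml(frame.key)}: ${escapeHtml(frame.value)}</span>`;
}

// Constructed sample frames: one legitimate telemetry line, one with markup where a
// number belongs (rejected), one with markup in the free-text field (escaped).
const SAMPLE_FRAMES = ['battery:87', 'battery:87<b>x</b>', 'msg:<b>hi</b>'];
for (const f of SAMPLE_FRAMES) console.log(renderDongleFrame(f));
```

The same rule applies in the other direction: a chat message from a remote partner that the app forwards to the dongle's JSON parser should be validated against a fixed schema and length before it is sent over the air.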