Shutterstock

Hacking a sex toy is possible — and it could have dangerous results

A few years ago, FlexiSPY (a monitoring software for electronics) introduced FlexiFLESH, the world’s first app meant for strangers to hack smart sex toys and take over anyone’s device from afar. With just the touch of a button, FlexiFLESH allows you to connect via Bluetooth to a remote-operated toy and discover when a person is using it, at what speed, at what settings, and in what location — and then override their controls and anonymously work the device yourself. Plus, thanks to proprietary Climax Tracker software, you can see exactly what’s happening in the person's body leading up to orgasm, and watch what happens with the data the moment they peak.

Just one thing though: It’s completely fake. FlexiFLESH was an elaborate April Fools joke, introduced at a hacker conference to show how bad things could get if our remote-operated smart sex toys really were compromised.

While the app isn't real, the idea behind it illustrates a very real problem with Internet-connected sex devices (such as the commonly used We-Vibe, KIIROO, and Lovense toys) that let you connect with a lover remotely so they can control the device while video or audio chatting with you. Your data may not be secure, and potentially, a third party could control your toy without your consent — and control of both your body and information could theoretically lead to everything from blackmail to rape.

The dust-up that hackers first latched onto began in 2016 with We-Vibe, a sex toy that lets the user wear the device while their connected partner controls it from anywhere in the world. After users claimed We-Vibe was storing their information without their consent, linking identifying details like name and email address to patterns like intensity settings and frequency of toy use, they formed a class action lawsuit. The makers of We-Vibe, Standard Innovations, debated the claim that they didn’t obtain consent, but settled for about $3.75 million. In 2018, a similar lawsuit was filed against the sex toy company Lovense (the case is still ongoing). Meanwhile, another company, OhMiBod, proactively examined its data collection methods in response to the We-Vibe lawsuit.

Shutterstock

Since the lawsuit, We-Vibe now only collects anonymized aggregate data of the functions used and how long the device was on, and only if the user opts in. To ensure no personal information is attached, the company has also ended all need to register or sign in. Lovense collects usernames and passwords, app logins, Bluetooth connections, and operating system versions — but again, only if the user has agreed to share the information. The data logs are frequently cleared, and the company now employs a group of hackers to regularly try and identify vulnerabilities. OhMiBod goes even further, only storing usernames and passwords for accounts (which aren’t required to use the device), leaving any other data stored locally on users' phones so the company can't track, analyze, or report it.

With OhMiBod, if you and your lover are connected and someone attempts to break in, the whole connection will shut down. If someone does manage to hack into a product made by OhMiBod or its competitors, though — which all the companies interviewed for this piece agreed is a possibility, however remote — the results could be disastrous.

“Depending on the data provided when you create an account, it could be the same as any other type of identity theft,” says Rob Pritchard, founder of The Cyber Security Expert. “People could get mortgages or take out credit cards in your name, if there’s enough personally identifying information. But specifically around the preferences for the device, you don’t want it posted all over your Facebook, or used as blackmail, especially when there’s video.”

In 2017, cyber security company Pen Test Partners discovered not only a sex toy that was sending unsecured user data outbound, but another that had a camera on it that could be exploited, with the video feed watched from afar.

“You could see some really personal things, if that’s what you wanted to do,” Ken Munro, a consultant at Pen Test, tells Mic. “There’s a huge privacy invasion problem there, whether it’s the data or it’s very personal and sensitive video footage.”

There's also the major concern that in some countries, people can be arrested or killed for having sex with someone that isn’t their spouse, or for using a sex toy in general, says Dr. Holly Richmond, a sex tech consultant and sex therapist. Additionally, the potential hacking raises the issue of informed consent.

“If someone did hack into a device and control it under the guise of being a partner when in fact, they are a stranger, we get into a new realm of ethical quandary,” says Mal Harrison, director of the Center for Erotic Intelligence, a collective of researchers, educators, and activists who focus on human eroticism. “Is this a form of rape, when an unknown user is controlling our toys as we use them?”

While these possibilities are alarming, it's important to remember that even though the possibility exists to hack into a sex toy, it’s never actually been done outside of hackers proving they can do it in a conference-style setting — at least not that anyone has reported. So if you’re concerned about using your toys in the face of technical vulnerabilities, you don’t need to be too worried.

Shutterstock

Still, there are a few things you can do to help yourself avoid any potential problems in the future when buying and using a smart sex toy. Make sure you’re investigating the toy maker and buying a device that’s reputable; cheap devices are cheap for a reason. Thoroughly read the FAQ or terms and conditions for your new toy when you get one. If it doesn’t say what data is collected, how it’s used, and how it’s secured, stay away. See if the company has a way of updating the device so the security software doesn’t go out of date, too.

“Once they’re manufactured and sold, there’s usually no way for a service provider to update them to push out security updates, so they become very unmaintainable,” Pritchard explains.

For the toy and any corresponding app, make sure that you need to hit a consent button when you want to use the toy over Bluetooth or wifi. If the connection is always ready and available, anyone in range could potentially get access. Change the toy’s wifi name to something innocuous, like “earbuds,” and if it has a password, update it to be more secure. And remember, always turn it off or put it in sleep mode when you aren’t using it, so no one nearby can see the connection.

If you still aren’t comfortable, consider some tech-free methods of getting off. “Sometimes we forget how easy it is to rub one out on the arm of a couch or corner of an upholstered leather barstool,” Harrison says.