Security flaws in the app for an internet-connected male chastity device could have allowed hackers to permanently lock a user’s penis into the sex toy, researchers have revealed.
Pen Test Partners, a security firm based in the U.K., discovered the vulnerabilities in the Qiui Cellmate smart chastity lock in April. It said that because there is no way to manually unlock the device, an “angle grinder or other suitable heavy tool would be required to cut the wearer free.”
It’s a chilling thought, and Pen Test Partners says it discovered numerous security deficiencies in the app.
While the possibility of getting locked into the chastity device was the most eye-catching danger of those discovered by the security firm, it is also notable that the app was leaking a litany of potentially highly sensitive user data, including names, locations, birthdays, passwords and phone numbers, which could be used for extortion, fraud or further nefarious purposes.
“For a realistic threat, the risk of personal data leakage seems more likely to be exploited and give reward to an attacker,” the researchers wrote in a blog post explaining the issue. “A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots.
“Further, users are likely to want to keep their private lives private. They should expect privacy by default and security by design. If one wants to share very private information, then that should be by explicit intent of the user.
“Many adult toy vendors have shown almost complete disregard for privacy and security over recent years.”
Pen Test Partners says it first got in touch with Qiui about the product’s issues in April, and the company said it would resolve them by June 6.
Though Qiui updated the app, not all of the issues were fixed, and the company chose not to respond to further communications from Pen Test Partners until July. That month, the security firm contacted two U.K. retailers of the device, one of which promptly withdrew it from sale.
Qiui then said that it would fix the remaining issues in August, but again missed its deadline. Pen Test Partners decided to go public after security researcher Mike Tsenatek also discovered vulnerabilities in the app.
“This reinforced our decision to publish: clearly others were likely to find these issues independent of us, so the public interest case was made in our minds,” Pen Test Partners said.