A Security Flaw in a Chastity Cage for Men Could Permanently Lock in Their Penis

“There is no emergency override function either, so if you’re locked in there’s no way out.”
Left: Photo courtesy of Steve Halama via Unsplash. Right: Photo courtesy of CellMate

From skyrocketing sales of vibrators during the coronavirus pandemic to people trying to salvage their long-distance lockdown relationships with the help of Bluetooth sex toys, we’ve seen it all in 2020. And just when we thought this year couldn’t get any weirder, here comes some bizarre news of a flaw in a sex toy that gives the word “lockdown” a whole new meaning.

Security researchers have found a vulnerability in an internet-connected sex toy for men that allows the device to be hacked and the user’s genitals to be remotely and permanently locked in.

The CellMate Chastity Cage, built by Chinese firm Qiui, has been billed as the “world’s first app controlled chastity device,” and is meant to allow a trusted partner to remotely lock/unlock the chamber using an app. It would then lock with a metal ring underneath the user’s penis. But the product has no manual overrides, so if hacked, owners might’ve been forced to use a grinder or bolt cutter to free themselves from its metal clamp. Ouch.

“There is no emergency override function either, so if you’re locked in there’s no way out,” wrote Alex Lomas, a researcher at U.K.-based cybersecurity firm Pen Test Partners, which has brought to light problems with other sex toys in the past as well.

The security team also discovered that data requests to the app can be made without any authentication, and that the unsecured API allows access to private messages and the precise location from the user’s app. The data includes the user’s name, birth date, phone number, their plaintext password, and the exact GPS location from where the app was last opened. “It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” wrote Lomas.

Pen Test Partners also say they contacted Qiui about the vulnerabilities back in April this year, but the company hasn’t responded.

The Internet of Dongs, a project that examines sex toys for vulnerabilities, also contacted Qiui after noticing the API flaws. The researchers managed to get in touch with Qiui’s CEO but claim the CEO and the company failed to address the API issue while introducing new problems.

According to Pen Test Partners, Qiui only recently released an update for CellMate’s mobile app. The new update requires all API requests to be authenticated.

TechCrunch reported there was no evidence that the hack had been exploited by anyone yet.

Qiui joins a long list of sex toys with security problems that inherently don’t exist in non-internet-connected devices. In 2016, a bug in a Bluetooth-powered “panty buster” was found to let anyone remotely control the sex toy over the internet. In 2017, a smart sex toy maker settled a lawsuit after it was accused of collecting and recording “highly intimate and sensitive data” of its users.

Follow Varsha on Instagram.