Meet Brad, the Guy Keeping Your Vibrator Safe from Hackers

Over the last few years, the world has started waking up to the disconcerting vulnerabilities of internet enabled sex toys. Information security (infosec) experts and white hat hackers have shown, often through eye-catching stunts, that thanks to apparent security oversights, it is possible for malicious actors to access data on certain toys’ users, muck with toys’ operations, and even take control of them. Back end monkeying could shut down toys until a user or manufacturer pays a ransom. Stolen data on things concerning usage time, location, device pairing, account names, emails, or IP addresses, or a user’s sexual orientation—not to mention pilfered chat logs, images, audio, or videos connected to a toy—could be used for humiliation, extortion, or even physical stalking. Hijacked devices could be used to commit long-distance assault, a type of sex crime our legal system is clearly not yet equipped to handle. And that’s just scratching the surface of mischief bad actors could get up to by hacking toys.

As the sex toy industry continues to boom, smart toys grow more common and cheaper, and toy makers develop rigs capable of monitoring and recording more intimate data, the risks associated with these vulnerabilities grow more real and potent. The infosec community, though, does not seem to be tackling this threat full force. They’ve conducted an illustrative hack and reported a vulnerability here and there. But their reports sometimes take a juvenile tone, seemingly trivializing the adult industry and the security challenges toy makers and consumers face. And, as sex tech industry observer Jenna Owsianik sees it, most of their efforts are apparently piecemeal or one-off stunts, performed “to get their names in the headlines and thus more attention and likely work to their businesses that operate outside of sex tech.”

A lack of dedicated infosec attention to sex toys puts the onus on users to educate themselves about how their devices work, and on manufacturers to catch every possible security flaw. But that isn’t practical. Few users will jump through the hoops necessary to guarantee their digital security. And few manufacturers, especially small outfits accustomed to making “dumb” toys, will have the resources or expertise necessary to spot every risk.

Fortunately, at least one hacker, Brad Haines, a Canadian with almost two decades of infosec experience who goes by “RenderMan,” has been running a project for almost two years now aimed squarely at this issue: the Internet of Dongs (or IoD, a play on a term for smart devices writ large, the Internet of Things, or IoT). Originally conceived as an archive for his own hacks and vulnerability reports, Render has turned the IoD into a sex toy security information and advocacy hub. The project aims to help sex toy makers learn about best security practices, infosec researchers and white hat hackers communicate their findings to the industry, and consumers know how to interpret news stories or industry claims about toy security.

“I am attempting,” Render tells me, “to bridge between the infosec world’s collective knowledge and the connected sex toy vendors to create a safer world of smart masturbation for all.”

Render, like a few other hackers out there, has actually been thinking about the risks associated with smart sex toys for over a decade, “ever since the first Bluetooth vibrator— The Toy, now defunct—came on the market.” But he only decided to start seriously exploring the field around the start of 2016, as the smart sex toy market began to heat up. He started to test some toys on the market at the time, donated by The Traveling Tickle Trunk, a sex shop in his home of Edmonton, Alberta. He claims he applied to speak on his findings at that year’s DEF CON hacker convention, including on flaws in major sex toy maker We-Vibe’s privacy policy language (which technically omitted information about their app’s data collection), as well as other potential vulnerabilities. However, New Zealand hackers g0ldfisk and follower wound up speaking at the conference about their own research on We-Vibe, which Render claims “matched mine perfectly.” This overlap, he claims, was a wake-up call.

“It was nice to know that, one, I was not the only one crazy enough to look at these issues,” he says, “and, two, that the issues I found were now independently verified.” When, after the talk, a consumer hit We-Vibe with a lawsuit that later ended in a highly publicized (but little understood) $3.75 million settlement over that policy snafu, Render adds, “I put my plans for launching the [IoD] into overdrive in order to ride the wave” of newfound public awareness. The Internet of Dongs officially came into being at a conference in November 2016.

From the outside, Render’s project seems simple. He parses toys with an expert eye, looking for any tiny flaw or concern; to date, he has dissected toys from at least eight companies.

But some companies can get suspicious of external hackers reporting flaws in their systems. That is likely especially true when those hackers are reporting highly technical and seemingly obscure security bugs to an industry with little experience with white hat reporting. “Most companies, when I first engage them,” says Render, “their reaction is pretty universal, like, ‘OK, you want something, you’re going to hold us ransom, or whatever.’”

“They’re suspicious,” he adds, “because this is weird.”

Sometimes, that suspicion and an unwillingness to engage can be to a company’s own detriment. Render claims he tried to report his findings to Standard Innovation, We-Vibe’s parent company, before they got sued, but never heard back. And Ken Munro of the British infosec firm Pen Test Partners claims that, pre-IoD, when they tried to report vulnerabilities in Lovense’s Nora vibrator, they “were completely ignored by the vendor.” Later research into Svakom’s Siime Eye, a dildo with an endoscopic camera on the end which Pen Test found could easily be hacked, conducted around the same time Render was getting the IoD up and running, “also resulted in a brick wall from the vendor,” says Munro.

Fortunately, Render had a connection at another firm he reached out to in late September 2016: Lovense. According to Lovense spokesman Joris Guisado, the company had talked to other hackers in the past, including someone who reached out in January 2016 for information on their toys for a personal project. That individual, he says, later made a proper intro between Lovense and Render, who pointed out some potential flaws in their user email privacy. By the end of 2016, Lovense had enough faith in the project to partner with the IoD moving forward.

Render also got some valuable early support and credibility when he, early in the IoD’s history, sent an apparently drunken email to Pornhub after learning about their (iffy) charitable ventures, asking if they might want to support his work. They responded almost immediately, becoming a sponsor soon after his launch and supplying him with cash to acquire new toys. “Our involvement with this project,” explains Pornhub VP Corey Price of the streaming giant’s rapid backing for Render, “demonstrated our continued commitment to a holistic approach to sexual wellness, security, and privacy.” Not bad values to try to align one’s brand with, for an unclear but likely relatively low investment, given all the ethical criticisms Pornhub faces in the adult world.

Timing the project’s rollout to the We-Vibe lawsuit was a solid move, too. Sure, We-Vibe wasn’t actually hacked. But the lawsuit was a huge wake-up call for developers about the potential costs of stumbling into a security or privacy flaw. It also, says Veronique Verreault, founder of techy toy company Miss VV’s Mystery, led customers to ask more security-minded questions. Verreault acknowledges that for small companies and start-ups, the imperative to move fast is strong, and the cost of a deep investment in security can be daunting. But, she says, “there is no way for us not to collaborate” with the IoD and similar ventures, “because that will make us look bad.”

Early in 2017, Render did report some vulnerabilities to Miss VV’s Mystery, which they moved to fix with his help. Verreault says the changes they had to make did wind up costing her a few customers, but concludes that the guarantee of safety for consumers was worth it.

It doesn’t hurt that Render has established himself as a moderate, skeptical voice on toy security issues. He used his platform to debunk a story that circulated last year, claiming that there was a major security flaw in a Lovense product allowing it to record and store user audio. (“Media outlets picked up that Reddit thread, started by a person who admitted they weren’t tech savvy,” says Owsianik. “I assume for the salacious clickbait headlines about sex, security, and so-called secret and unauthorized sex session recordings.”) He has even criticized Pen Test, a brother in arms of sorts, for the sensationalist tone of some of their past vulnerability reporting. And he’s downplayed the threat of controlling someone’s vibrator or butt plug via short-range Bluetooth hacking, a major source of media scares. “If you’re worried about someone hacking your vibrator from within six feet of you,” he says, “you’ve got a bigger problem. The call is coming from within the house.”

“It’s always good to have a serious project giving an informed opinion,” says Lovense’s Guisado.

Throughout 2017, Render established relationships with, and secured open support from, not only Lovense and Miss VV’s Mystery, but also major sex tech companies like OhMiBod, Kiiroo, Mystery Vibe, and Vibease. He has been working with these companies to identify any security bugs in their toys, and help them develop vulnerability reporting pathways and protocols. Render says he’s been heartened by how many companies have recognized the need to step up their game as soon as he’s approached them, sometimes going so far as to look into regular third party security auditing, bug bounties for white hat hackers, and hiring staff privacy specialists. And, says Munro, since the IoD got up and running, it has been easier to report vulnerabilities to the companies they’ve worked with. “So we strongly support its work,” he says of IoD.

But the project is still very much in its infancy, and Render acknowledges he slacked on the project for much of 2018, thanks to his full-time job and general life getting in the way—he says he receives no compensation for his IoD efforts, and runs a Patreon to try to cover web hosting and other operational costs.

Thankfully, the IoD is not alone in the connected sex toy security advocacy space anymore. Standard Innovation’s Alexander notes that a number of researchers, hacker groups, and industry collectives are starting to do dedicated work on these issues. And Pornhub’s Price says the company is always eager to support similar initiatives. As these parallel projects gain steam, working on their own or in conjunction with the IoD, they may be able to build on the foundation Render has built.

No matter where the IoD and other projects go, though, they’re already doing a great service to toy users and developers. Render and his ilk are helping us confront a new, precarious reality of potential sexual insecurity. As Render often calls it, a “brave new world with such dongs in it.”

Follow Mark Hay on Twitter.