%% date:: [[2023-06-15]] parent:: %%

# [[The Cyber Security of Smart 'Adult' Toys - or Lack of it!]]

speaker:: "[[Ken Munro]] and [[Jo Dalton]]"
conference:: [[EuroSTAR 2023]]

- [[Pen Test Partners]], [[UK]]
- "Teledildonics" is a real term! Coined in 1975.
- Why we need regulation
    - Risk of sextortion
    - It's not just about the sex toys, it's about the apps and the information they collect
- Lovense (2015)
    - Video chat: screenshots could be taken, and were stored on the SD card
    - Default Bluetooth PIN of 0000
- Butt plug hijack
    - The butt plug "just pairs", with no PIN at all
    - You could put ransomware on it
    - You could make it overheat while it was being used
    - You could turn it into a hacking device: back door your back door
- Kiiroo Onyx, a Fleshlight with a mobile app
    - The session link used to connect never expires, and you could use it to connect and see photos
- Lelo
    - BLE "just works": always pairable whenever it is powered on
    - You can go hunting for smart sex toys!
- We-Vibe
    - They collected data like email addresses, user location and usage behaviour
    - Fined, but they still collect location data
- Drone dildo??
    - Wi-Fi code: 88888888
    - Default blank password
    - Code reused from a drone for a dildo
    - You could connect to the cameras
    - Root shell for dildos?
- Scary hookup apps
    - Pulled in information from dating apps that was already public
    - They were able to pin down the exact house people were in
    - This was used in Saudi Arabia to persecute queer people
    - WhosHere Plus allowed Egyptian police to track and persecute gay men
- Ultimate cock block: a metal chastity belt
    - You could stop the belt from working (locking the wearer in)
    - v2 has small electric shocks now!
- These are serious issues despite the topic.
- Learnings
    - Don't rush to market and overlook security
    - Validate user input
    - Strongly authenticate users with MFA, but don't overlook authorising their requests
    - Don't roll your own encryption
    - Smart devices require extra cyber security skills
    - Get cyber advice early in a project and get the security validated in a penetration test
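Two of the points above fit together: the Kiiroo session link that never expires, and the learning that MFA-authenticating a user is not the same as authorising each request they make. The sketch below is an added illustration written for these notes, not code from Pen Test Partners or from any of the vendors named in the talk. It contrasts the weak pattern (the link itself is a permanent credential) with a link token that is signed, short-lived and bound to one named recipient, followed by a per-request membership check. The token format (`session|invitee|expiry|hmac`), the `SESSIONS` state and the user names are all constructed for the example.

```python
"""Added example: short-lived, signed, recipient-bound session links plus a
per-request authorisation check. Hypothetical code, not from any vendor."""
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

# Server-side signing key. Generated here so the example runs offline; a real
# service would load it from a secret store and rotate it.
SECRET_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 15 * 60  # a partner invite should die quickly if unused

# Constructed sample state: session id -> set of user ids currently in it.
SESSIONS: Dict[str, Set[str]] = {"sess-42": {"alice"}}


def vulnerable_link_check(session_id: str, sessions: Dict[str, Set[str]]) -> bool:
    """The weak pattern: the link is the credential, it never expires, and
    nobody asks who is redeeming it or whether they belong in the session."""
    return session_id in sessions


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_invite_token(session_id: str, invitee: str, now: int) -> str:
    """Issue a link token bound to one session, one recipient and one deadline.
    `now` is injected (seconds since epoch) so the behaviour is testable."""
    if "|" in session_id or "|" in invitee:
        raise ValueError("identifiers must not contain the field separator")
    expires = now + LINK_TTL_SECONDS
    payload = f"{session_id}|{invitee}|{expires}"
    return f"{payload}|{_sign(payload)}"


def redeem_invite(token: str, requesting_user: str,
                  sessions: Dict[str, Set[str]], now: int) -> Tuple[bool, str]:
    """Authenticate the token, then authorise: is the requester the named
    invitee of a session that still exists? On success they join the session."""
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed token"
    session_id, invitee, expires_str, sig = parts
    try:
        expires = int(expires_str)
    except ValueError:
        return False, "malformed token"
    payload = f"{session_id}|{invitee}|{expires_str}"
    # Constant-time compare so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if requesting_user != invitee:
        return False, "token was not issued to this user"
    if session_id not in sessions:
        return False, "unknown session"
    sessions[session_id].add(requesting_user)
    return True, "joined"


def can_access_session(session_id: str, user: str, sessions: Dict[str, Set[str]]) -> bool:
    """Per-request authorisation: being logged in (even with MFA) is not
    enough; the caller must be a member of *this* session."""
    return user in sessions.get(session_id, set())


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_invite_token("sess-42", "bob", now)
    print(redeem_invite(token, "mallory", SESSIONS, now + 60))   # rejected: wrong user
    print(redeem_invite(token, "bob", SESSIONS, now + 60))       # joined
    print(can_access_session("sess-42", "bob", SESSIONS))        # True
    print(redeem_invite(token, "bob", SESSIONS, now + 86_400))   # rejected: expired
```

The expiry and the recipient binding live inside the signed payload, so a holder of a leaked link can neither extend it nor re-point it at another session, and the membership check runs on every later request rather than once at login.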