Voting machines weren't the only thing getting penetrated at DEF CON this year.
When most people think about Internet of Things (IoT), they think about light switches, voice controllers and doorbell cameras. But over the past few years, another class of devices has also gained connectivity – those used for sexual pleasure.
One such device, the Lovense Hush, advertised as "the world's first teledildonic buttplug," became the subject of a Sunday morning DEF CON talk this year after a hacker named "smea”Managed to exploit not only the device and its associated computer dongle, but software used with it for social interaction (read: people remotely playing with each other's buttplugs).
The talk in Las Vegas' Paris Hotel & Casino drew hundreds of mostly hungover conference-goers who couldn't help but chuckle at every mention of the word "buttplug." But the implications for the sex toy industry are obviously quite serious, especially if exploiting a device enables an attacker to compromise the computer They are linked to or spread malware via the buttplug's accompanying social software – all of which smea demonstrated was possible live on stage.
What's more, smea's talk highlights the question of whether it should be considered a sex crime to hack a buttplug and issue it commands absent the owner's consent. And the idea that such a device could, perhaps, be armed in some way was also raised during a laugh's talk, if only briefly. In the end though, he concluded that the threat may be almost nonexistent in the wild and that people should continue enjoying their buttplugs.
Gizmodo caught up with the laughter after the conference to learn more about what prompted his research and to get his thoughts on the ethical dilemmas involved. The transcript has been lightly edited for clarity.
Dell Cameron, Gizmodo: What kind of work are known for the past? Was this talk about buttplugs your first presentation at DEF CON?
smea: My previous claim to fame, I guess, is hacking game consoles. So, Nintendo 2DS, I was really active in that scene. I also did some work on the Wii U. I used to make games on the original Nintendo DS as well, so kind of my background. My first DEF CON was last year and I talked about hacking the 3DS.
Gizmodo: So what made you focus your research on sex toys this year?
smea: Basically what happened is that I came out as gay two years ago, and so I started making a lot of gay friends. At some point, one of them mentioned, “Oh, there are these buttplugs that are Bluetooth connected.” And as this security-oriented hacker guy, I was like, “Well that can't be secure.” So I bought one and started looking at it and obviously came up with a few funny applications for it, so I figured it could be a kinda fun conference talk. They said how it happened.
Gizmodo: Your talk obviously deep into the technical aspects of the vulnerabilities you found, which you also exploited in a live demonstration on stage. But can you sum up basically how these buttplugs can be compromised and the implications?
smea: So the idea was that you could compromise the dongle. By design, nothing prevents you from uploading your own code to the dongle. You can compromise sex toys in the same way because, again, they prevent you from just uploading your own code.
From there, you can actually compromise the dongle back over Bluetooth using the actual vulnerability found in the implementation of the Bluetooth Low Energy Protocol (BLE) by Nordic Semiconductor – the manufacturer of the actual chip that's used by both the dongle and the sex toy .
There are actual actual vulnerabilities that could affect other devices. Kind of unclear to me at this point if anything else is vulnerable. Some people think it might affect other devices, maybe some smart lock gateway, but there is no confirmation of that at this point. These older chips have been phased out as, I think, 2017. So any device is older than likely to be vulnerable, but it is not clear how many of those are out there.
(Note: Nordic Semiconductor released a Security Vulnerability Notice in response to smea's talk related to its nRF51 BLE stacks. “The impact on an application can be high, rendering it non-functional until a reset occurs to reload the software. The severity ranges from low, recoverable to reset, to high, if instructions can be injected for execution, ”the company said, adding:“ All BLE protocol stacks from Nordic Semiconductor released after July 2016 are not affected by this vulnerability. ”)
Gizmodo: Are you able to use this attack to exploit anything beyond the dongle and buttplug itself?
From there you can compromise other [buttplug] apps through the social feature of the app, either through straight-up chats, by sending a message with HTML, or by compromising the dongle of the remote partner [using the feature that allows you to] send messages to control the partner's toy. And that actually allows you to exploit a vulnerability inside the dongle's code, which is in the JSON parser.
Gizmodo: What made the buttplug application itself vulnerable?
So when you see that WannaCry-type application running in the demo, what was happening there is that I downloaded the .exe file from the internet and just ran it. So from there, yes, I can actually compromise other applications on the device, to actual ransomware, encrypt all the files and stuff like that. [The app] is running what we call for windows a medium level of privilege. And actually actually really strong. It basically allows you to access every file on the system.
Gizmodo: The idea of hacking buttplug is funny and drew a lot of laughter from the crowd, but you also mentioned at the start of your talk that seizing remote control of someone's sex toy might be considered a sexual assault.
smea: What I said during the talk was something along the lines of, “Yeah, it might count legally as a sexual assault.” Personally, I would know if the case or not. I know it would be a really shitty thing to do either way, so people shouldn't do it. But beyond that, I think it is important to take a look at the security of devices at least in part because of that.
I feel like the buttplug, not that big of a deal because assuming you can just control it remotely, just going to make it vibrate a little bit. That definitely might make someone uncomfortable and might definitely be a problem. However, it is not as big a deal as some of the more advanced contraptions.
Gizmodo: Are there any safety concerns?
smea: One of the things I brought up during the conference was that gaining access to sex toys might allow you to bypass some safety features and that could cause physical harm, assuming those safety features were implemented in software. I probably think really really possible with these [buttplugs], but you have other devices that have motors that are meant to rotate parts of the toy and stuff like that. If those have security features implemented in software that could be a real problem.
Gizmodo: Were you surprised by the amount of interest in your talk? And do you plan to do another at DEF CON 28?
smea: I was honestly kind of surprised by the response. Like you said, the room was pretty full, which, for a talk at 10am on a Sunday, was not expected at all. Kind of encouraging. I probably foresee myself always pursuing more of the buttplug stuff myself, just because I think I think much more to do at this point. But I would definitely give another talk next year.
One of the things I brought up during the talk was like, yeah, with this BLE vulnerability, I think there is a lot of opportunity out there because not a lot of people have really looked at that code. This was really a low-hanging-fruit vulnerability. But it seems likely that you are going to be more of those who are interested in maybe looking at different Bluetooth chipsets and trying to find vulnerabilities there. If that pans out, hopefully, there would be talk about that at some point. But who knows.
You can watch smea's entire talk here or look over his "butthax" repository on GitHub.