Researchers have discovered a serious security flaw with a Bluetooth-enabled butt plug that allows hackers to remotely take control of the vibrating sex toy.
Italian security researcher Giovanni Mellini published his findings in a blogpost on Tuesday, October 18, describing how he was able to send a vibrate command to a Hush butt plug from his laptop.
The Hush device, manufactured by Lovense, is designed to be a "long-distance love toy" and is described by the sex toy startup as "the world's first teledildonic butt plug" that can be "controlled from anywhere."
Mellini said the idea to hack a butt plug started as a joke between a friend but decided to follow through after wanting to explore the security of the Bluetooth Low Energy (BLE) protocol.
"This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design," Mellini explained in his blog.
The BLE protocol vulnerability was first discovered by another security researcher called Simone Margaritelli, who wrote a scanner that Mellini used in the butt plug hack. Margaritelli described BLE in a separate blogpost as "a cheap and very insecure version of Bluetooth, in which you have…. no built-in protocol security."
The device is one of dozens of sex toys that manufacturers have launched in recent years that can connect to smartphones and computers via WiFi and Bluetooth in order to allow users to control them remotely and download software updates.
However, security experts warn that these companies too often treat cybersecurity as an afterthought.
Read more: Are hackers spying on your baby?
Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products.
"There are three layers of security," Lovense said in a statement last year. "The server side, the way we transfer information from the user's phone to our server and on the client side. We take our customer's private data very seriously, which is why we don't serve any on our servers."
The Hush butt plug is the latest so-called smart device to come under scrutiny and is part of a growing trend of manufacturers overlooking cybersecurity risks with their products.
Last year, security researchers from cybersecurity firm Trend Micro demonstrated how they could hack a web-connected vibrator.
"If I hack a vibrator it's just fun," Raimund Genes, chief technology officer at Trend Micro, said at the time. "But if I can get to the back-end, I can blackmail the manufacturer."
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
About the writer
Anthony Cuthbertson is a staff writer at Newsweek, based in London.
Anthony's awards include Digital Writer of the Year (Online ... Read more
To read how Newsweek uses AI as a newsroom tool, Click here.
