On a recent trip to Berlin, Alex Lomas’ acquaintance posed him a challenge: Can you find a Bluetooth-enabled butt plug in the wild, and can you turn it on without its owner’s help? Lomas, a penetration tester with the British cybersecurity firm Pen Test Partners, pulled out his phone, consulted the detection app LightBlue, and quickly identified a Lovense Hush, purportedly “the most powerful vibrating buttplug on the market”, that Lomas says was nestled in the rear end of a stranger. What’s more, that Hush was vulnerable, open to hacking by anyone who knew how.
Image: Jim Cooke/Gizmodo
As the world hurtles toward total app-connectivity, the gap between what our devices can do and what the law can address widens, particularly with teledildonics – or, sex tech that you can control remotely, over the internet. A sex toy hacking situation such as the one Lomas identified isn’t likely to occur outside a lab, but linking a vibrator to the internet opens up the possibility that it might, and we should be ready to discuss it.
Lomas published the results of his experiment on the Pen Test Partners blog, and coined the term “screwdriving”, a sexualised play on wardriving (or the drive-by stealing of other people’s Wi-Fi). In a Skype interview with Gizmodo, he summarised the procedure in layman’s terms: Hush uses Bluetooth Low Energy, basically the more modern version of Bluetooth, to connect with smart devices. If you are wearing the butt plug out in public, and a designated partner is standing within about 9m of your tuchus, then that partner can control its vibration speed and pattern discreetly from their phone. Which is all well and good, Lomas said, unless that person wanders out of (admittedly limited) connectivity range. In that case, Hush “will sort of fail open into a discovery mode, ready for other people to discover and then take control” to pair with the plug – there’s no password protection, or the PIN is an easily guessed 0000 or 1234 – and pilot your anal experience, uninvited. (In an email, a Lovense rep explained that this is indeed the case, although the toy does have a function that automatically turns it off if the connected device falls out of range. Lomas pointed out that the customer would have to know that any of this is even possible, which many won’t.)
Lomas did not sync with the Hush and dial up the vibration, but he could have, and therein lies the problem. A consumer could venture out into the world, intending to have a secret erotic experience with one person, but end up having telesex with someone else entirely. But what kind of crime even is that – cyber, sex, or some kind of newfangled hybrid? And is anyone out there equipped to handle it?
The answer seems to lie somewhere in the neighbourhood of not really, which is slightly surprising as news of sex toy vulnerability becomes more and more frequent. White hat hackers have already exposed a number of adult companies – Lovense, WeVibe – as unstable repositories for the surprisingly detailed stores of intimate user data they have been collecting, mostly unbeknown to their customers. WeVibe’s data insecurity led to invasion of privacy lawsuits and modest settlements, yet the possibility that random third parties could insert themselves into a mutual masturbation session on Skype or a camming platform such as Chaturbate has been less widely discussed. Hush isn’t the only assailable toy: Pretty much any BLE-enabled toy (or indeed device, whether that’s a hearing aid or a smoke detector) could be opened to outside probing. Products connected to apps such as Body Chat seem pretty open to outside intervention, while the camera-equipped Siime Eye vibrator is easily hijacked by anyone with the know-how, potentially affording strangers vividly detailed views of your genitalia. That victim would certainly be able to claim invasion of privacy, but a breach of that scale seems more significant.
To be fair, the possibility that an unwanted third party could hack a sex toy is sliver slim: As Lovense explained in its response to Lomas’ experiment and in an email exchange with Gizmodo (of the Internet of Things sex toy makers contacted, Lovense was the only one to respond), Hush can only connect to one device at a time, and screwdriving would require sophisticated knowledge of BLE and “Lovense protocol”, along with “BLE sniffing hardware” most people don’t have. Even if someone did manage to pounce on your butt plug’s lapsed BLE connection, they’d need to be extremely close: Within 9m and “a clear line of sight”, so probably following you around. But it’s possible to buy long-range Bluetooth transmitters and receivers, and Lomas reported that a number of readers tweeted at him post-publication to say they’d successfully located their neighbours’ toys through a shared wall.
Lomas acknowledged that some Hush buyers may be into a stranger’s surreptitious involvement, and that’s perfectly fine; the problem, as he sees it, is that the average consumer probably won’t realise they have consented to a semi-private experience – that they are, “essentially, walking around with a giant butt plug transmitter” broadcasting out their anuses, or inadvertently offering a telescopic tour inside their vaginas.
Indeed, in considering teledildonic hacks from a US legal perspective, consent should be a big part of the equation: Instinctually, a stranger surprising you with genital vibrations reads as a violation. Legally, sexual assault doesn’t require penetration, merely “sexual contact or behaviour that occurs without the explicit consent of the recipient”. According to Shanlon Wu, a defence lawyer in Washington DC and a former US federal sex crimes prosecutor, the absence of consent like what would result from a remotely controlled, hacked sex toy signals sex assault.
“The typical definition of a felony-type sexual abuse is an unconsented-to penetration,” whether it’s with a body part or an object, Wu said. As regards the latter, he doesn’t see the legal equation changing if it’s a hand or a device controlling the object’s movement. Wu acknowledged that some lawyers might get bogged down in the virtual aspect of the offence, and view wearing a teledildonic device as blanket consent to its use. But consent is not transferrable, he said.
Wu offered an analogy: “If I’m entering a boxing match … I’m consenting, obviously, to the contest with my opponent. If he hits me, I can’t be yelling, ‘Oh, he assaulted me, he punched me!’ because we’re consenting to punching each other. But if his corner man, his manager, comes out and clocks me in the head during the match, they can’t argue, ‘You consented to a boxing match, so anybody gets to beat up on you.’” Similarly, if you consent to someone using a sex toy on you, that isn’t an invitation for any passerby to join in.
“Consent is consent whether it’s in person or whether it’s remote, and I think that’s the thing to focus on,” Wu said. He sees this form of cyberstealthing as a straightforward sexual assault prosecution, but Stewart Baker – a partner at the law firm Steptoe & Johnson where his practice covers cyberlaw and technology-related issues – disagreed.
“I’m having trouble fitting this neatly into a sex crime framework,” Baker told Gizmodo. “If somebody breaks into your dildo, they’re criminally responsible,” he said, but the question is how.
While Baker agreed that vibrator hijacking skewed the concept of consent, he also speculated that trying it as a sex crime could raise complicating questions about agreed-upon partner participation. If the sex toy in question comes with a built-in camera, that could implicate its owner in ways that won’t sit well with many people: Baker noted that consensual sexting between teens has already translated to several child pornography prosecutions in the US, and if two minors are using a camera-equipped vibrator with one another on Skype or any other internet-connected video platform, they could inadvertently land themselves in a similar world of legal hurt. The clearest path forward Baker sees is prosecuting screwdriving as a cyber crime, under the 1986 Computer Fraud and Abuse Act in the US, which encompasses all wittingly unauthorised access of a computer as well as the filching of its contents. While it does not specifically address teledildonics, the CFAA arguably offers a means of placing consent in a cyber context.
“The difference between being authorised and having consent is vanishingly small,” Baker said, “and so if you don’t have authority to do something with somebody else’s dildo, then if you’re doing it remotely over the internet, you’ve committed a crime that could turn out to be a felony [under the CFAA].”
Who’s likely not liable, though? The manufacturers, unless they have somehow misrepresented the product, Baker said. (The Lovense rep with whom Gizmodo spoke said they would broach the idea of adding a clarifying label to product packaging with the CEO.) While civil suits have resulted from toymakers’ insecure data collection methods, when it comes to a telesex hack, the only person responsible is the hacker. Which means it’s reasonable to request that both the manufacturers and the law figure out how to address sex toy vulnerabilities.
For both Wu and Baker, screwdriving cases remain relegated to the realm of the hypothetical and some disagreement on prosecuting such a crime likely stems from a lack of precedent. A CFAA violation and a sexual assault are both felony crimes, though, and their possible sentences vary widely. Arguably more important are the implications of treating a sex toy hijacking as a computer-related crime, rather than a crime against a person. Doing so risks minimising an offence that ultimately hinges on unasked-for intimate contact, and a lawyer who argues that wearing a device like Hush in public is opening themselves to its unauthorised use is victim blaming.
The legal approach to screwdriving, though, would likely depend on whatever real life victims materialise, and as sex tech veers increasingly toward IoT connectivity – syncing with an app, virtual reality masturbation sessions, setting off a cross-country partner’s vibrator – without manufacturers pausing to patch security holes, it seems reasonable to expect they will. And while it’s probably not time to agonise over whether or not a hacker is waiting in the wings of your Skype sex session, ready to hijack your vibrator at any moment, it might be time to start thinking about what the future of sex crimes looks like. Better now than after we’ve arrived.