Voting machines weren’t the only thing getting penetrated at DEF CON in 2019.
This article has been updated since its original publication.
When most people think of the Internet of Things (IoT), they think about light switches, voice controllers and doorbell cameras. But over the past several years, another class of devices has also gained connectivity — those used for sexual pleasure.
One such device, the Lovense Hush, advertised as the “world’s first teledildonic buttplug,” became the subject of a Sunday morning DEF CON talk this year after a hacker named “smea” managed to exploit not only the device and its associated computer dongle, but software used with it for social interaction (read: people remotely playing with each other’s buttplugs).
The talk in Las Vegas’ Paris Hotel & Casino drew hundreds of largely hungover conference-goers who couldn’t help but chuckle at every mention of the word “buttplug.” But the implications for the sex toy industry are obviously quite serious, especially if exploiting a device enables an attacker to compromise the computer they’re linked to or spread malware via the buttplug’s accompanying social software — all of which smea demonstrated was possible live on stage.
What’s more, smea’s talk highlighted the question of whether it should be considered a sex crime to hack a buttplug and issue it commands absent the owner’s consent. And the idea that such a device could, perhaps, be weaponised in some way was also raised during smea’s talk, if only briefly. In the end though, he concluded that the threat may be almost nonexistent in the wild and that people should continue enjoying their buttplugs.
Gizmodo caught up with smea after the conference to learn more about what prompted his research and to get his thoughts on the ethical dilemmas involved. The transcript has been lightly edited for clarity.
Dell Cameron, Gizmodo: What kind of work have been known for in the past? Was this talk about buttplugs your first presentation at DEF CON?
smea: My previous claim to fame, I guess, is hacking game consoles. So, Nintendo 2DS, I was really active in that scene. I also did some work on the Wii U. I used to make games on the original Nintendo DS as well, so that’s kind of my background. My first DEF CON was last year and I gave a talk about hacking the 3DS.
Gizmodo: So what made you focus your research on a sex toy this year?
smea: Basically what happened is that I came out as gay two years ago, and so I started making a lot of gay friends. At some point, one of them mentioned, “Oh, there’s these buttplugs that are Bluetooth connected.” And as this security-oriented hacker guy, I was like, “Well that can’t be secure.” So I bought one and started looking at it and obviously came up with a few funny applications for it, so I figured it could be a kinda fun conference talk. So that’s how it happened.
Gizmodo: Your talk obviously dove deep into the technical aspects of the vulnerabilities you found, which you also exploited in a live demonstration on stage. But can you sum up basically how these buttplugs can be compromised and the implications?
smea: So the idea was that you can compromise the dongle. By design, there’s nothing preventing you from uploading your own code to the dongle. You can compromise the sex toys in the same way because, again, they don’t prevent you from just uploading your own code.
From there, you can actually compromise the dongle back over Bluetooth using an actual vulnerability that’s found in the implementation of the Bluetooth low energy protocol (BLE) by Nordic Semiconductor — the manufacturer of the actual chip that’s used by both the dongle and the sex toy.
So that’s an actual real vulnerability that could potentially affect other devices. It’s kind of unclear to me at this point if anything else is vulnerable. Some people think it might affect other devices, maybe some smart lock gateway, but there’s no confirmation of that at this point. These older chips have been phased out as of, I think, 2017. So any device that’s older than that would likely be vulnerable, but it’s not clear how many of those there are out there.
(Note: Nordic Semiconductor released a Notice of Security Vulnerability in response to smea’s talk related to its nRF51 BLE stacks. “The impact on an application can be high, rendering it non-functional until a reset occurs to reload software. The severity ranges from low, recoverable on reset, to high, if instructions can be injected for execution,” the company said, adding: “ All BLE protocol stacks from Nordic Semiconductor released after July 2016 are not affected by this vulnerability.”)
Gizmodo: Are you able to use this attack to exploit anything beyond the dongle and buttplug itself?
smea: The idea is that from the dongle you can actually compromise the app that’s running on a computer. IoT developers have all these newer technologies, like javascript-based applications, working together with these super-low level microcontrollers. They don’t necessarily understand the implications of, for example, dumping raw input from the dongle to HTML. So that actually is the way I’m able to get inside the [buttplug] app, due to this weird interface between super-old technology and newer web technology.
From there you can compromise other [buttplug] apps through the social feature of the app, either through straight-up chats, by sending a message with HTML, or by compromising the dongle of the remote partner [using the feature that allows you to] send messages to control the partner’s toy. And that actually allows you to exploit a vulnerability inside the dongle’s code, which is in the JSON parser.
Gizmodo: What made the buttplug application itself so vulnerable?
smea: The thing about the app is that it was written with Electron [an open-source framework developed and maintained by GitHub that allows you to build applications using only javascript-based HTML]. Even though the app relies entirely on Chromium, which has a really strong sandbox in Windows, in this case, it’s actually running on Windows without any kind of sandbox. So what I was doing in the demo is downloading an .exe file from the internet, and I just ran it because there’s no sandbox involved. I can just do that without actually having to exploit Windows or anything.
So when you see that WannaCry-type application running in the demo, what was happening there is that I downloaded the .exe file from the internet and just ran it. So from there, yes, I can actually compromise other applications on the device, do actual ransomware, encrypt all the files and stuff like that. [The app] is running what we call for Windows a medium level of privilege. And that’s actually really strong. It basically allows you to access every file on the system.
Gizmodo: The idea of hacking buttplug is funny and drew a lot of laughter from the crowd, but you also mentioned at the start of your talk that seizing remote control of someone’s sex toy might be considered sexual assault.
smea: What I said during the talk was something along the lines of, “Yeah, it might count legally as sexual assault.” Personally, I don’t know if that’s the case or not. I know it would be a really shitty thing to do either way, so people should not do it. But beyond that, I do think it’s important to take a look at the security of devices at least in part because of that.
I feel like for the buttplug, it’s not that big of a deal because assuming you can just control it remotely, it’s only going to make it vibrate a little bit. That definitely might make someone uncomfortable and might definitely be a problem. However, it’s not as big a deal as some of the more advanced contraptions.
Gizmodo: Are there any safety concerns?
smea: One of the things I brought up during the conference was that gaining access to the sex toy might allow you to bypass some safety features and that could cause physical harm, assuming those safety features were implemented in software. I don’t think that’s really necessarily possible with these [buttplugs], but you have other devices that have motors that are meant to rotate parts of the toy and stuff like that. If those have safety features implemented in software that could be a real problem.
Gizmodo: Were you surprised by the amount of interest in your talk? And do you plan to do another at DEF CON 28?
smea: I was honestly kind of surprised by the response. Like you said, the room was pretty full, which, for a talk at 10am on a Sunday, that was not expected at all. That’s kind of encouraging. I don’t foresee myself necessarily pursuing more of the buttplug stuff itself, just because I don’t think there’s much more to do at this point. But I would definitely give another talk next year.
One of the things I brought up during the talk was like, yeah, with this BLE vulnerability, I think there’s a lot of opportunities there because not a lot of people have really looked at that code. This was really a low-hanging-fruit vulnerability. But it seems likely there’s going to be more of those, so I’m interested in maybe looking at different Bluetooth chipsets and trying to find vulnerabilities there. If that pans out, hopefully, there would be talk about that at some point. But who knows.
You can watch smea’s entire talk here or look over his “butthax” repository on GitHub.