If, for whatever reason, you’re debating whether to get a “smart” male chastity device, perhaps reconsider. What can be connected to the internet can be hacked — and that includes dick prisons and other teledildonic gadgets.
In this case, the device in question is the Qiui Cellmate Chastity Cage. It’s a Bluetooth chastity lock that allows for remote control. Meaning, you, the dong-haver, can lock up your wang in this thing and let a trusted third party control when your penis can see the light of day again. Security researchers from Pen Test Partners (via TechCrunch) found that this particular chastity lock has a flaw in which bad actors could “prevent the Bluetooth lock from being opened, permanently locking the user in the device.” Simply put, the companion app to the dong lock has a vulnerable API, meaning a savvy bad actor could swoop in and take control of the device without a password. While loss of control is, to some degree, the point of the fantasy, permanent internet jail for your weiner may be beyond the scope of typical kink. According to Pen Test Partners the vulnerability can be exploited very quickly and consistently.
Sex tech made a splash as a new category at CES 2020 — an event that was somehow just months ago — but it was specifically Lora DiCarlo’s Baci toy that dominated the show floor. The award-winning Baci is launching today alongside the company’s new virtual sexual wellness coaching service...Read more
To make matters worse, Pen Test Partners noted there’s no physical unlocking mechanism, as “the tube is locked into a ring worn around the base of the genitals.” The tube itself, according to Qiui, is plastic with a rubber coating — though the “secure rings” are apparently made of a metal alloy… meaning if such a thing were to happen, the researchers say you’d have to free the schlong with something like an angle grinder or another tool capable of cutting a device open. While I do not have a penis, the idea of having a bladed rotary power tool producing sparks near my genitals is making me wince in solidarity.
(Pen Test Partners has also published a workaround for if you happen to get stuck in the Cellmate against your will and the idea of an ER visit or power tools near your giblets makes you faint — though it does involve destroying the device.)
As potentially terrifying as this is, another issue is that Pen Test Partners also found that the Qiui Cellmate also leaked location, plaintext passwords, and other personal data via the API. Leaky personal data is always squicky, but it’s doubly so when it comes to private intimate details. As Pen Test Partners’ blog notes, leaking personal data is likely more valuable than locking up random people’s penises — but even so, when it comes to high tech kink, it’s not unreasonable for customers to expect a company to take extra security measures. Unfortunately, when it comes to teledildonics, this isn’t always the case.
What’s troubling is in this case, Qiui was notified of the flaw and then ultimately ghosted not only Pen Test Partners, but other journalists and researchers as well. TechCrunch reports it first became aware of the vulnerability in June and contacted Qiui. One problem was that taking down the faulty API would have potentially locked in anyone using the device. While the company’s CEO reportedly told TechCrunch that a fix would come in August, the company ultimately blew that deadline. According to a disclosure timeline from Pen Test Partners, at least two other researchers also found issues with the Qiui Cellmate and were also stonewalled by the company. In total, Qiui blew three self-imposed deadlines for providing a fix.
It’s not currently known whether this API vulnerability was exploited in the wild. The device has plenty of relatively positive reviews online, though some have commented that the app itself is buggy and point to the lack of a failsafe as a potential problem. There’s no kink-shaming on Gizmodo, but if you’re thinking about buying a contraption that can lock up your or a loved one’s dick, maybe go analogue.