A Hacker Remotely Penetrated Bluetooth Chastity Belts, Demanding Victims Pay Ransom

A Hacker Remotely Penetrated Bluetooth Chastity Belts, Demanding Victims Pay Ransom
Getty Images
To sign up for our daily newsletter covering the latest news, features and reviews, head HERE. For a running feed of all our stories, follow us on Twitter HERE. Or you can bookmark the Gizmodo Australia homepage to visit whenever you need a news fix.

Who would’ve thought we’d live in a world where even sex toys can be hacked, but here we are.

A hacker managed to use ransomware to control an internet-enabled male chastity device via its Bluetooth function. Users were reportedly locked into the devices and asked to pay a ransom in Bitcoin in order to be freed.

According to Bleeping Computer, users of the Qiui Cellmate Chastity Cage were targeted after a security vulnerability was discovered last year that allowed the device to be locked and unlocked remotely. The chastity device is linked to a partner app via Bluetooth that typically allows the user not wearing the device to manually lock and unlock it.

According to Pen Test Partners, who initially published the flaw, the API endpoints were unauthenticated and used only a medium-sized “memberCode”. But using a shorter “friend” code managed to return a huge amount of personal information about the user.

Based on this Pen Test Partners said it wouldn’t take an attacker long to exfiltrate the entire user database for blackmail and phishing intentions. And because this is the world we live in, someone did indeed take the pleasure of exploiting this flaw.

Users found themselves permanently locked into their chastity devices with no option of escape via their connected app. The hacker then mocked the victims, asking them to pay 0.02 bitcoins – which equated to about $US270 ($350) at the time of the attacks – or be locked in permanently.

The device has no manual override for its lock, so victims were forced to use other means to try and remove it. Angle grinders were apparently considered, but thankfully there were some other solutions too.

After complaints came in, Qiui posted a video showing users how to manually unscrew the lock with a screwdriver. Another option was to contact support and ask them to unlock and reset the device remotely.

It’s also been reported that apparently none of the victims ended up paying the ransom. Qiui has since addressed these issues so updating the app to the latest software should allow the device to be used safely.