Last October, security researchers warned that the Qiui Cellmate Chastity Cage had a serious security flaw that could allow hackers to turn a chastity device into a dick jail. Now, the device’s European distributors are saying the problem’s been fixed and your dicks are safe.
In an email to Gizmodo, a spokesperson from Dusedo — Cellmate’s distributor — wrote that our initial coverage caused consumers to be wary of the device and that such concern was unfounded as it “wrongly created the image that our product could be hacked, after which the genitals of the wearer would be permanently locked up.” The spokesperson went on to elaborate that the problem was with the Qiui app, which had an API security flaw, and not the device itself, but that “because one is inextricably linked to the other, we have, in collaboration with Qiui, made every effort to solve the security issue as quickly as possible.” A nearly word-for-word statement was also sent to Motherboard.
One of the original concerns with the Cellmate, aside from the security issue, was that the device appeared to lack an emergency physical override — something that was noted in customer reviews and Pen Test Partners’ original blog detailing the Cellmate’s security lapses. However, Dusedo sent Gizmodo a link to Cellmate’s support page, urging customers to download the 3.0 version of the app and a video detailing an “emergency escape” method that involves using a screwdriver. (Much less frightening than Pen Test Partners’ original method of freeing a locked-up dick, which involved an angle grinder.)
As for the validity of the claim that the Qiui 3.0 update fixes the hacking issue, Dusedo wrote that it had provided Pen Test Partners with third-party test reports proving that “when the all-new QIUI 3.0 app is installed, users do not have to worry that their personal data or security is at risk.” In its blog, Pen Test Partners noted it had received the report and confirmed to Motherboard that the report itself did say the issues had been resolved.
Dusedo also sent both third-party test results to Gizmodo. In one focusing on the Qiui mobile app, the conclusion says: “During the penetration testing, it is found that the company has made great efforts in terms of application security protection, which lead to an app that is relatively difficult to attack and crack. However, there are still some problems and vulnerabilities to be improved. After feedback and retest, the developers have fixed the vulnerabilities efficiently. To sum up, the major problem is logical vulnerability, which should be [paid] more attention to solve in the future.” A second test found no serious or medium-risk vulnerabilities but did find six low-risk ones.
While fixing the issue is good news, there are a few things that still need to be addressed. For starters, this was an issue that was disclosed to Qiui not only by Pen Test Partners, but also TechCrunch and at least two other security researchers. Qiui then blew past three self-imposed deadlines to fix the problem, and only did so after the flaw went public and received “negative media attention.”
Secondly, Dusedo claims that a situation where a hacker permanently locked up a person’s dick was “not even realistic at the time of publication.” Except Motherboard reported on two separate cases where people were hacked and subsequently extorted. In one, a user and his partner resorted to using a bolt cutter to remove the device, resulting in a cut to his penis. So yes, it’s nice that the support page now has a video detailing how to use the emergency escape, and it’s nice Dusedo also told Gizmodo that customers could “easily escape the cage” via the Qiui help desk. However, it’s not so nice that the support page notes that using the emergency escape mechanism will void your warranty as “it’s always possible for our support team to unlock and reset your Cellmate remotely.”
Given that some users and Pen Test Partners were wholly unaware that a failsafe existed, and that the company hasn’t exactly been responsive in the past, clearly a lot more could be done to make this information transparent and easily accessible so no one resorts to placing dangerous power tools near their giblets again. The support page detailing this information isn’t among the first results when you google “Qiui Cellmate,” “Cellmate Chastity” or “Cellmate Support.” You also won’t find it in a YouTube search. Qiui’s own site makes no reference to it. Neither does another seemingly official site (NSFW) for the product. You can’t find this information in an online manual unless you scroll all the way to the bottom to a link in tiny text, and even then, only one does. And you know, it’s just good karma not to penalise consumers for needing to use an emergency release in the event support staff don’t respond in a timely manner.
Needless to say, privacy and security are still major hurdles when it comes to teledildonics and internet-connected sex toys. Even though it’s good that Qiui has taken steps to rectify its security vulnerabilities, this is still a scenario where consumers need to do extra homework in deciding whether the risks are worth the kinky rewards.