Lovense Hush device

A security firm's investigation of modern smart sex toys has revealed just how exposed most IoT devices running BLE (Bluetooth Low Energy) really are.

The issue at the heart of this problem is the use of Bluetooth LE for most of today's smart sex toys and a vast majority of other IoT devices.

Vendors choose Bluetooth LE over classic Bluetooth because of the LE part of BLE. Smart devices running over BLE consume less battery and last longer.

The problem is that BLE has fewer security features compared to classic Bluetooth, and as Alex Lomas, a security researcher at Pen Test Partners, points out based on his expertise, "when [BLE security] is implemented it’s often done poorly." This became evidently clear during one of Pen Test Partners' (PTP) most recent investigations.

BLE pairing process wide open

PTP, a well-known UK-based company specialized in security audits of smart devices, has discovered almost the same BLE-related security flaws in several smart toys, such as the Lovense Hush butt plug, the Kiiroo Fleshlight sleeve, the Lovense Nora rabbit vibrator, the Lovense Max sleeve, and LELO smart wand.

Experts say the process that allows these smart sex toys to pair with a local smartphone via BLE is wide open to anyone sitting near the devices.

"Note that there is no PIN or password protection, or the PIN is static and generic (0000 / 1234 etc) on these devices," Lomas said. "In fact, we’ve found this issue in every Bluetooth adult toy we’ve looked at!"

For example, when a user pairs a smart device, such as a smart home alarm, with a smartphone, the homeowner is asked to enter a PIN on the smart home alarm keypad.

"The challenge is the lack of a UI to enter a classic Bluetooth pairing PIN," Lomas explains. "Where do you put a UI [keypad] on a butt plug, after all?"

Smart sex toys are broadcasting their location

The other issue is that some of these devices have been so poorly designed that they have the same identifier which they broadcast to nearby users looking to pair up.

For example, the Lovense Hush butt plug uses the same LVS-Z001 identifier. Lomas says that an attacker could drive around a city with a powerful antenna and map out all sex toys ready to pair up.

Sites like WiGLE already provide a similar service, but for WiFi-enabled devices. It's probably a good idea to expect that a similar service will pop up online offering up-to-date maps of Bluetooth or Zigbee-enabled devices.

Because some devices use the same identifier, everyone could use such services to map out sex toy usage across a city or larger geographical area.

"We went hunting… and found some devices in an exploitable state… in people," said Lomas. It usually takes one step to go from mapping insecure devices to attacking insecure devices.

WiGLE map showing WiFi devices on a San Francisco street
WiGLE map showing WiFi devices on a San Francisco street

Issues present in other BLE devices

But the issues are not restricted to smart sex toys alone. For example, Lomas says he found the same poor design choices in the deployment of BLE in smart hearing aids used by his father.

"These things cost £3500 and need to be programmed by an audiologist so not only could an attacker damage or deprive someone of their hearing, but it’s going to cost them to get it fixed," the expert said.

Expert proposes mitigations

Fixing the issues Lomas found is a problem of teaching vendors about better security design choices.

For example, Lomas proposes that for smart devices where you can't deploy a UI for entering pairing PINs, vendors at least implement a hold-down button to allow a pairing operation to take place.

Another proposition is that IoT vendors tone down BLE signal strength, at least for some sensitive devices such as smart sex toys, so an attacker would need to be physically adjacent to the device in order to pair.

Lomas also proposes that vendors use unique pairing PINs per device, which come at the small cost of placing a sticker on the device's box.

To prevent triangulation and identification, Lomas also proposes that smart sex toys advertise their nearby presence by using fake names, disguising themselves as printers or other devices.

Better security and privacy protections are needed, especially since the upcoming version of the Bluetooth standard — version 4.2 — would allow more than one person to pair with a BLE device, meaning an attacker wouldn't even need to wait for the device owner to disconnect.