Siime Eye

A "smart" dildo with an embedded video camera, sold under the name of Siime Eye and created and assembled by US manufacturer Svakom, contains a slew of security flaws that allow attackers to watch video streams without authorization and even go as far as to replace firmware and completely take over the device.

The Siime Eye, pictured above, is a device that doubles as a sex toy and as a video recorded, thanks to a camera and LEDs embedded in its tip.

This setup allows the owner to stream sex acts to a nearby by computer or smartphone, where he can record his/her pleasuring.

Smart dildo is also a WiFi access point... yep!

But as we've gotten accustomed to, this new wave of "smart" devices aren't really that smart. In a technical write-up published today, security researchers from Pen Ten Partners detailed a series of flaws that could make customers reconsider buying such a device.

For starters, the dildo comes with its own WiFi access point that uses the default "Siime Eye" network SSID and "88888888" password. This means an attacker in the device's WiFi range can install the mobile app and watch a live video stream and past video recordings and image snapshots.

In addition, the device also comes with a web-based administration panel that anyone can access on 192.168.1.1:80 with user "admin" and a blank password.

Telnet access anyone?

Both of these attacks are possible from the user's local network. To enable remote access to the device, researchers say an attacker could access a specific URL which turns on Telnet access.

After tinkering in the dildo's firmware, researchers also found with some relative ease the password for the root account, which gave attackers the ability to connect to the dildo from a remote location with system-level privileges.

With the root password in hand and with remote Telnet access, researchers said attackers could rewrite firmware if they chose to.

"The point about the RCE is that one can push new firmware to the dildo if one really wanted to," Ken Munro, Pen Test Partners researcher, told Bleeping Computer today. "So one could do just about anything with it if you had the time and inclination to write dildo firmware!"

For example, an attacker could push new firmware that saves copies of all video recordings on his server. The attacker could then sell these recordings to niche adult video companies, or just dump the videos on Dark Web adult portals specialized in these types of intrusive and voyeuristic experiences.

Dildo ran reused drone firmware

According to Beau du Jour, the other Pen Test Partner researcher that has looked at the Siime Eye's firmware, some of the code appears to have been taken from drone firmware.

Du Jour says the firmware contains features that would make sense if someone was managing a drone, and not a dildo's camera. Even worse, du Jour discovered features that would allow an attacker to send content to Skype accounts or email inboxes.

These features didn't appear to have been used for the smart sex toy and looked like dead code left behind by a sloppy developer. In theory, an attacker could use these left-over secret features, and skip writing his own custom-made dildo firmware.

Mapping Siime Eye users

Furthermore, because Siime Eye contains an embedded WiFi access point, an attacker could write a script that exploits these dildos automatically, and then war-drive through a city, hacking any nearby sex toys.

But the worst part is that the name of this WiFi access point is also static, meaning users can't change it.

An attacker could drive around the city and collect the location of these toys, create a map of all the Siime Eye users nearby, potentially linking each device to a real person. This exposes Siime Eye users to blackmail attempts and public ridicule.

"If you’re a user, change the Wi-Fi password to something complex and long," du Jour advised Siime Eye customers. Below is Munro summarizing their research in a YouTube video.

Vendor remains quiet

For their part, the Pen Test Partners team has tried three times to contact Newark-based Svakom, without any success. Attempts from members of the press have also been unsuccessful. After more than three months, researchers went public with their findings today.

In the past, the same security firm found flaws in another smart sex toy. Earlier this year, smart sex toy vendor WeVibe agreed to settle a class-action lawsuit for $4 million after it was discovered they collected intimate data without authorization from their customers.

Pen Test Partners haven't reached out to CERT yet, but researchers are thinking of filing a complaint with the FTC, Munro told Bleeping Computer.