A connectable dildo suffers from numerous vulnerabilities that make it trivial for attackers to steal users’… well, “private” data.
The “Siime Eye,” which comes to us from Svakom, is aptly named in that it’s a $250-vibrator that for some reason comes with… a camera.
All a user needs to do is turn on the device, connect to its AP (SSID: “Siime Eye”) using the default password (“888888”), open the Android or iOS app, and “install” it. From there, they can view the livestream or take pictures and video.
Tantalizing, I know.
Turned on by other researchers’ work involving smart sex toys, Pen Test Partners decided to examine Siime Eye. They quickly found a hard-coded IP address that accepted blank admin credentials. An attacker can therefore easily access the device’s Wi-Fi AP, which is configured as an access point. The AP name is also static, meaning someone could technically geolocate other users via a wardriving site like wigle.net.
But that doesn’t come close to the worst of it.
With the help of some eBay clips, a BusPirate, flashrom, and a Stanley knife, Pen Test Partners dumped the dildo’s root Linux filesystem, exposed the contents of /etc/passwd, and wrote themselves in as a root user. They then grepped for “root” after poking around on /bin/camera, one of the filesystem’s binaries. This process revealed reecam4debug, the sex toy’s telnet password.
The researchers explain in a blog post what attackers could do with their exploit:
“In this case, overexposure of system services means we could write a rogue application, compel a user to connect our app to the device using the default credentials, and then use the already-inbuilt functionality to perform unsolicited actions on the device. If we could get a user to connect their device to their home Wi-Fi, we (or any website loaded within the user’s home network, in a JavaScript drive-by) could siphon all video data, Wi-Fi passwords, and a list of local networks off it and send it somewhere unsolicited.”
Bad actors could take it one step further. If they could gain physical access to a Siime Eye and access the AP, they could almost certainly establish a root shell and gain access to an unprotected version of the video stream.
It’s bad enough there are IoT products our there that threaten our kids’ privacy.
But this device rests on a whole other level of insecurity. Users should therefore think long and hard (pun intended) about whether they want to keep using Siime Eye.
If the device is indispensable, they should change the Wi-Fi password to something complex. They can also try to contact Svakom, but as Pen Test Partners didn’t receive a response after three separate messages, that might be an unfulfillable fantasy.
You can hear further discussion about this latest example of IoT security insanity in the “Smashing Security” podcast, hosted by Graham Cluley and Carole Theriault.
Smashing Security #015: 'Bad vibrations'
Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...
Do we really need Smart Dildoes?