Taking a screwdriver to unlock your IoT sex toy is nuts

As we described on a recent episode of the “Smashing Security” podcast, serious security flaws in the API of a so-called “smart” chastity lock meant that men could find their umm.. personal equipment permanently inaccessible.

It’s what you might call a cock-up lock-up.

The Bluetooth Qiui Cellmate attaches itself to a man’s penis, allowing a remote partner to lock up your proverbials if they think you don’t deserve to use them for a while.

Sign up to our newsletter
Security news, advice, and tips.

And with no umm.. manual over-ride, you could find your pickle in a right pickle if an unauthorised third-party exploits the flaws to lock the cage without your permission. Built from a mixture of polycarbonate and toughened steel, removal is non-trivial and might involve taking an angle grinder or bolt cutters to a delicate part of your anatomy.

The fine fellows at Pen Test Partners, who first uncovered the flaw and attempted to convince Qiui to fix their product, produced a video with an alternative way to override the lock which involved prising open a circuit board on the Cellmate and applying a voltage to two wires to drive a motor to unlock the sex toy.

Notably, the video demonstrates the technique with a Qiui Cellmate which is not currently attached to someone’s penis. I suspect that makes things a little less fiddly.

Personally I wouldn’t be keen to either have an angle grinder near my nuts or to apply an electrical charge anywhere in their vicinity, but then I (hopefully) wouldn’t be found wearing one of these gadgets in the first place.

Inevitably, news of the security hole caught the media’s attention, and Qiui has now come forward with its own video demonstrating how the device can be opened with a screwdriver.

No, still not rushing to experiment with that either…

And before you think the threat of a malicious party locking someone else’s cock lock without permission is overhyped, it appears some owners have been receiving threats demanding a ransom be paid…

QIUIのハッキングされたら届くメール
焦らずレポートしたら、解錠されます pic.twitter.com/bprXtRUFgI

— 貞操奴隷 (@teisoudorei_000) October 8, 2020

For more discussion of this latest IoT security disaster, be sure to listen to the latest “Smashing Security” podcast:

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.