‘Smart’ Chastity Sex Toy Security Flaw Could Result in Permanent Lock-Ins

Security researchers from U.K.-based Pen Test Partners revealed a security flaw in the ‘smart’ chastity sex toy named Qiui Cellmate on Tuesday, October 6, 2020. According to TechCrunch, a vulnerability in the system could have left users permanently locked into the device, which is worn around the penis.

The Qiui Cellmate is touted as the “world’s first app-controlled chastity device” and is controlled over the Internet. The sex toy works by locking a user’s penis inside a chamber with a metal ring.

The chastity lock mechanism, in turn, can be controlled by a partner, who can lock and unlock the chamber via Bluetooth using a mobile app, notes TechCrunch. The mobile application reportedly communicates with the device through an API.

Security Flaw Could Result in Permanent Lock-Ins

However, the security researchers found that the API was left unsecured and exposed online without requiring a password, meaning anyone could have taken advantage of the flaw and controlled any user’s device.

Apart from leaving the device open to hackers and other malicious actors, the API also leaked users’ location data, personal information, private chats, and plaintext passwords, Pen Test Partners said.

What’s worse, The Verge notes, is that the chastity cage comes with neither a physical key nor a manual override, leaving locked-in users few options to free themselves from the device.

According to the site, one way of freeing the penis is to cut through the steel shackle with bolt cutters or an angle grinder. Another method would be to overload the circuit board with three volts of electricity, roughly what two AA batteries supply, reveals Pen Test Partners.

In a blog post, Pen Test Partners said that the vulnerability was initially found in April of this year. However, while the company assured the public that a fix would be issued in June 2020, TechCrunch reports that a patch has yet to be deployed by the company.

The researchers said that although Qiui released an update and provided a patch for the flaw, the fix only applied to new users, leaving existing customers and user accounts vulnerable.

TechCrunch similarly reached out to the China-based company in June. Qiui chief executive officer Jake Guo said that they would issue a patch in August, but that deadline passed without a fix. In a statement, Guo said, “We are a basement team. When we fix it, it creates more problems.”

Because the Chinese firm remained uncommunicative, the security researchers, alongside several news sites, decided to publish the report in an attempt to warn users and customers alike.