Hacker Who ‘Got Inside’ A ‘Smart’ Buttplug Explains Why He Did It

With the market for internet-connected sex toys growing, allowing partners to interact sexually over great distances by controlling each other’s sexual devices via smartphone apps—often referred to as “teledildonics”—the adult toy industry now faces the same hazard faced by the makers of any other internet-connected “smart” product: hacking. That was made clear earlier this month at a well-attended lecture given by a hacker identifying himself only as “smea” at the 27th annual DEF CON hacker’s convention in Las Vegas earlier this month. At the talk, smea explained in great detail how he “got inside” an internet-connected, interactive buttplug, according to a report by the tech news site Gizmodo.  But why would a hacker bother penetrating a buttplug? “I came out as gay two years ago, and so I started making a lot of gay friends,” smea told Gizmodo. “At some point, one of them mentioned, ‘Oh, there’s these buttplugs that are Bluetooth connected.’ And as this security-oriented hacker guy, I was like, ‘Well that can’t be secure.’” And in fact, the hacker found that the Lovense Hush, which advertises itself as the “world’s first teledildonic buttplug,” was not in fact secure. The chip used by the device’s “dongle”—the peripheral that connects the device to a computer or piece of technology—could be “compromised,” the hacker explained. That allows a hacker not only to remotely control the buttplug without the end user’s consent, but to upload malware code to the sex toy—malware which then spreads to any computer or device that interacts with the high-tech buttplug. In response to smea’s DEF CON lecture, Nordic Semiconductor, makers of the buttplug’s chip as well as the chip in the device’s dongle, released a statement explaining the newly discovered vulnerability. But the company added that only devices “released prior to July 2016” were subject to the vulnerability exposed by the hacker. But, smea noted in his Gizmodo interview, “it’s not clear how many of those there are out there.” Beyond the possibility that a “smart” buttplug could be used to spread a malware computer infection, smea’s hack raised the question of whether a hacker who gains control of a user’s buttplug without that user’s consent could be committing not only a cyber crime, but a sex crime. “It might count legally as sexual assault. Personally, I don’t know if that’s the case or not,” smea told Gizmodo. “I know it would be a really shitty thing to do either way, so people should not do it.” A hacker may also be able to bypass safety features in the software of internet-connected sex toys as well, smea explained, saying that any such device that uses software to implement user safety features could have “a real problem.” Photo by YouTube screen capture