ESET: Two Bluetooth portable sex toys were prone to MiTM attacks

Security researchers at ESET found that two popular portable sex toys were susceptible to man-in-the-middle attacks. The We-Vibe Jive and the Lovense Max Masturbator did not require verification or authentication for Bluetooth Low Energy connections.

Both sex toys, popular devices according to ESET, used the ‘just works’ pairing method. In addition, according to ESET’s white paper, they used the number zero as the temporary key during pairing. Every Jive and Max would therefore pair with any device that requested it. Attackers could thus intercept and read the commands sent to the sex toys, seeing, for example, when a toy was activated and what it was told to do. The same MiTM attack also allowed the toys to be taken over, with the attackers sending commands of their own.

ESET also found security and privacy issues specific to one of the two devices. For example, when the Jive was not connected to another device via Bluetooth, it would continuously try to pair with one, identifying itself as a Jive in the process. When the smartphone app was closed, it also immediately disconnected from the device, leaving the Jive openly searching for another device.

This meant that an attacker could search for Jive devices with a Bluetooth scanner. The Jive is designed to be worn during the day and in public, so an attacker could locate a Jive wearer with a Bluetooth scanner based on the Bluetooth signal strength. Attackers could also connect to and control the Jive using the Jive app or via a web app.

In addition, there were problems in the We-Connect app used with the Jive, which allows users to share photos among themselves. Metadata such as location and smartphone model was sent along with these photos, so users could locate the creators of those photos. The four-digit PIN code that this app used was also easy to brute-force, because there was no temporary or permanent block when incorrect codes were entered.

The Lovense Max mainly had problems with the Lovense Remote app. This app comes with a chat function that allows users to send photos and text to each other. Users could forward photos they received to other users, without the creator being able to do anything about it or receiving a notification. Received photos could also be downloaded. The app also lacked a delete function that removes messages and photos for both parties, as other chat apps have. When a user blocked a chat partner, that partner still had access to all messages and files. Also, the app did not block screenshots, and photos were secured only with HTTPS and not with end-to-end encryption. Chat partners were also identified within XML files by the email address they used to create the account. In this way ‘anonymous’ users could still be identified.

The last two Max issues revolved around a sharing feature and the updates. Users could create a URL that would allow other users to take control of the device, and share this URL via, for example, a chat app. However, the identification token in this URL consisted of four characters and could therefore be brute-forced. ESET developed a Firefox extension that did this automatically and found a connected Max that way. The URL was supposed to deactivate after half an hour, although some URLs appeared to remain active for days. Finally, it turned out to be easy to update the firmware of the Max with malicious code.
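The two weaknesses in the sharing feature described above were a token short enough to guess and links that stayed valid past their half-hour lifetime. The following is an added example, not code from ESET or Lovense, of how a server could issue and redeem such links defensively; the class name `ShareLinkStore`, the `client_id` throttling key and every constant except the 30-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 16            # 128 bits of randomness (assumed design choice)
TTL_SECONDS = 30 * 60       # the half-hour lifetime mentioned in the article
MAX_FAILURES = 5            # assumed failure budget per client
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


class ShareLinkStore:
    """Hypothetical server-side store for device-control share tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}     # sha256(token) -> (device_id, expires_at)
        self._failures = {}  # client_id -> (failure_count, locked_until)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not reveal live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, device_id):
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, 22 URL-safe chars
        expires_at = self._clock() + TTL_SECONDS
        self._links[self._digest(token)] = (device_id, expires_at)
        return token

    def redeem(self, client_id, token):
        """Return the device id for a live token, otherwise None."""
        now = self._clock()
        count, locked_until = self._failures.get(client_id, (0, 0.0))
        if now < locked_until:
            return None                      # throttled: skip the lookup
        key = self._digest(token)
        entry = self._links.get(key)
        if entry is not None and now < entry[1]:
            self._failures.pop(client_id, None)
            return entry[0]
        if entry is not None:
            del self._links[key]             # expiry enforced on the server
        count += 1
        locked = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[client_id] = (count, locked)
        return None
```

The same failure counter and lockout pattern applies to the four-digit We-Connect PIN, where a short secret is unavoidable and throttling is the main defence.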

The two sex toys are vibrating sex toys, with the Jive for women and the Max for men. The manufacturers of the two devices claim to have resolved the bugs detected by ESET. The Jive was fixed in August with We-Connect version 4.4.1. The vulnerabilities in the Max have been closed with Lovense Remote app version 3.8.6, which became available on June 27.