
Vulnerable vibrator: Security researchers find flaw in connected toy

The We-Vibe 4 Plus could be breached by a hacker. Plus, what's the company doing with your personal information?

Laura Hautala Former Senior Writer

When it comes to internet-connected devices, I dare you to find something more intimate than a vibrator controlled by a smartphone app.

That's what Standard Innovation offers in its We-Vibe 4 Plus, which pairs with a smartphone via Bluetooth and can be controlled by a partner, near or far. What could go wrong?

Well, two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the device. The flaws could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical.

What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found.

"Do you want these people looking at [information like] what patterns you like? What intensity you like?" asked followr during a presentation of the findings at the 24th annual hacking event in Las Vegas called Defcon.

The researchers found the software flaw and learned what kinds of data are being sent back to the company by taking the vibrator apart and studying the information it sends and receives. They also took a close look at the product's terms and conditions.

Denny Alexander, communications manager for Standard Innovation, said the company will fix the software vulnerability, which he said a hacker would need to be nearby to exploit.

Alexander also said the company will be clarifying its terms and conditions to explain in "plain language" how it uses information gathered from the vibrators. It will also let users opt out of sending data on how they use the device.

The company uses the information on temperature to make sure there aren't problems in the CPU chips that run the devices, Alexander said. As for the intensity level, that's part of its market research.

"It is to understand how people use the products," he said. If everyone is always using the highest possible setting, "then perhaps we don't have a powerful enough device."

Most users don't register with the company, so any data the vibrator sends is automatically anonymous, he said. And those who are registered -- is their data tied to their names? Alexander said the information the company collects was "mostly" anonymized last week when the researchers gave their presentation. Now it is all anonymized.

Followr and g0ldfisk said they want to challenge the idea that terms and conditions on Internet-connected devices should be used by companies as cover for collecting as much information as possible, especially when it comes to sex toys.

"That's sort of dodgy," g0ldfisk said.