Sex tech took over CES in Las Vegas last week, with vibrators, Kegel trainers and even a Band-Aid-esque patch to prevent premature ejaculation on display.
Almost all of these devices connect to apps, and many collect data. But what happens when sex tech or the apps that power them get hacked?
This year, more than 20 billion connected devices will be installed worldwide, including sex tech products with apps that monitor orgasms, save vibration patterns, or let you connect with your long-distance partner's pleasure gadget. Since most operate over a Bluetooth connection and with an app, breaches are possible and even likely.
The good news: some established vendors in the sex tech space are taking security seriously -- or at least are trying to. There are consequences to inaction. A high-profile lawsuit in 2016 accused sex tech company We-Vibe of transmitting user preferences, usage data and email addresses to its servers without consent. The company settled the case for $3.75 million in 2017.
Security is top of mind for companies that have seen the impact of lawsuits or breaches, said Nicole Schwartz, a researcher for Internet of Dongs, which pairs security pros with sex tech vendors to find vulnerabilities in devices. But generally speaking, when it comes to security, sex tech products are "all over the map," she added.
Sex tech tends to fall into three categories, said Schwartz: products from established players with technology backgrounds; products conceptualized by one person who then exports the designing and manufacturing to a third party; and novelty products brought to market quickly to make fast cash.
"Two out of three of these companies are not conscientious about security," Schwartz said. "The ones you are going to see at CES are obviously a little more tech-minded, so you're seeing a particularly biased section of the market."
In 2016, security consultant Brad Haines wanted to learn more about IoT security but found that most areas (like connected kitchen appliances) had already been well-researched. Meanwhile, the sex tech industry was beginning to boom, but no one in the security community had given those products a serious, professional security look. That year, Haines founded the Internet of Dongs.
"It was rather terrifying at the beginning, just how bad it was," Haines said. "This was an industry that never had to deal with connectivity before. There's no one around to say, 'That doesn't seem like a good idea.'"
The project uncovered some egregious issues. With one app, a single API query gave him access to the entire user base. He was able to hack into another product -- a webcam attached to a ring worn around the penis -- within 20 minutes.
Sex tech security concerns are less about someone hacking the device itself -- typically, you'd have to be within 10 feet or so of the device to do that, Schwartz said. The bigger problem is the app on your phone. That's where compromises are more likely to happen and where users have more control, she added.
Lioness -- a vibrator that pairs with an app -- meets Mozilla's Minimum Security Standards. The device has biofeedback sensors that measure pelvic floor movement and vaginal wall contractions, both of which indicate arousal. Looking at that data in the app helps women understand what conditions are most pleasurable, Anna Lee, co-founder and vice president of engineering, said at CES.
The app requires you to create a profile with an email address, but the rest can be anonymous. The company collects anonymized data, Lee said.
Lioness also has a Privacy page on its website that breaks down its policies in easy-to-understand terms.
"At the end of the day, vibrators are an intimate product," Lee said. "It's absolutely important how you secure that data for people and make sure that we don't have IoT devices that leaked that data and privacy."
Other companies at the show emphasized the security of their products as well. Vibrator and clitoral stimulator manufacturer Satisfyer launched an app that you can use anonymously, with no data stored or collected, a company representative said.
OhMiBod -- a husband-and-wife-owned company that sells Kegel exercisers, vibrators and other devices -- displayed a new Bluetooth-enabled vibrator for long-distance partners. The company doesn't collect data other than that needed to create an account, co-founder Brian Dunham said. While users can store information like vibration patterns or Kegel exercises directly on the app, "if you lose your device, you lose that data and history," Dunham said. "But we think that's a small price to pay for the added security."
Waiting on stronger security measures
More lawsuits have made some companies pause before connecting sex tech devices. Hong Kong-based Hytto, which makes products under the Lovense name, faced a class-action lawsuit in 2019. The plaintiff alleged the company secretly stored and monitored the personal data of users of its Lush vibrator -- including the time and date of use -- without their consent.
"We don't sell our users' data, and we only use it for customer service issues, and we wipe those logs regularly," Gerard Escaler, Lovense's chief marketing officer, said at CES. "The specific concern was there was something that was cached in the user's phone, which was addressed by an update that we did."
MysteryVibe's connected vibrators allow you to store vibration patterns and settings on an app. But if the app is deleted, all of that information is gone.
"We have no profiles, because we strongly believe nothing is unhackable," Soum Rakshit, MysteryVibe's CEO and co-founder, said at CES. The company has yet to release a long-distance user feature, because it wants to make sure security is tight enough, he added.
"A lot of people spend months debating the color of a product," Rakshit said. "If we can give security the same level of design importance, then we won't have to worry about it later. The biggest selling point is it saves you time and money if you do it in the beginning."
Notably, Osé, a robotic sex device designed to give women simultaneous clitoral and G-spot orgasms that won a CES 2019 innovation award, isn't yet connected to anything.
"Eventually, we want to have it Bluetooth- and app-connected, but we're waiting to make sure it's safe," said Mazie Houchens, an engineering technician at Lora DiCarlo. "Because we're an up-and-coming industry, especially in technology, we don't want to set ourselves up for failure."
How to choose a secure sex tech device
If you're concerned about the security of a device, there are a few steps you can take, Internet of Dongs researcher Schwartz said. "Check their website and see -- do they require you to create an account? Do they talk about security? Are they specific at all -- do they say things like 'We encrypt everything'?"
If you're using a sex tech device that connects to an app or website, make sure you create a new, non-identifying username, email and password, Schwarz recommends.
"Make it so even if somebody compromises your stuff, they're not going to have enough to really confirm that this is you," Schwartz said. If you break up with a partner who you had been using a device with, make sure you change all of your email and passwords associated with it as well.
Even if you don't create a user profile, your privacy could still be invaded, Ken Munro, consultant for security firm Pen Test Partners, told CNET. Almost all sex tech products use Bluetooth to connect to the user's smartphone. The Bluetooth advertising ID (the Bluetooth device name you see on your phone when trying to connect to a new device) is usually static, so your neighbors might be able to see it if it's on, Munro said. This is how the firm was able to locate and hack a number of sex tech devices.
Munro also contests the idea that some sex tech companies don't collect any data. "All mobile apps collect data in some shape or form," he said. "It was impossible to enable Bluetooth in an Android mobile app without the ENABLE_COARSE_LOCATION permission, so the app collected location data whether the developer intended it or not."
We're also seeing an increased range of sensors on adult devices, Munro said. That means more functionality, more data, and more opportunity to get privacy and security wrong, he added.
Until strong security standards are in place, users will have to ask themselves: How much does the benefit of a connected sex tech device outweigh the risk of a hack?
"For those in long-distance relationships, or those who travel for work often, it's a way to maintain intimacy between partners," security consultant Haines said. "Provided everyone involved is aware of and accepts the potential risks, this tech can make relationships stronger, and that's a worthy benefit."
Originally published Jan. 17.