The 2009 romantic comedy The Ugly Truth didn’t leave much of an impression, but, in a small way, it was prescient. In one scene, Katherine Heigl’s character wears a pair of remote-controlled, vibrating panties to a serious business dinner after—bear with me—a coworker calls her a prude. Over white wine and ceviche, the undies begin unexpectedly buzzing; the controller has fallen out of her purse and a young boy at the next table over is playing with it. Heigl shivers into a semi-suppressed climax in front of her coworkers, totally unaware of her orgasm’s underage puppeteer. It was funny, as long as you didn’t think about it too much.
Ten years later, a small group of security experts and sex-positive hackers are thinking seriously about the questions raised by Heigl’s scripted fiasco. What would it mean for a complete stranger to control something so intimate? Without your consent? And what if the person with the remote isn’t an unwitting kid, but an internet stalker or an abusive ex who’s hacked the vibrator? With the rise of “teledildonics,” or internet-connected sex toys, the risk of someone accessing an intimate product’s controls or the data it gathers is very real. And tech security experts think it’s only a matter of time before someone with bad intentions exploits the vulnerabilities of what’s in our bedside drawers.
Teledildonics are considered part of the "Internet of Things," which encompasses all of the everyday devices now hooked up to the internet. App-controlled air conditioners, Amazon’s Echo, and the popular Ring doorbell, which allows you to see who is at the door and talk to them via your smartphone, all fall under the IoT umbrella. So do butt plugs your partner can make vibrate and webcam-connected dildos that allow someone to watch you masturbate. Analysts predict the IoT will grow exponentially in 2020, with a projected 20.4 billion products in use by next year, and smart sex toys are being hailed as a godsend for people in long-distance relationships.
Sex toys have long been a site of technological invention, though their true use was often obscured to evade censors, according to Buzz: A Stimulating History of the Sex Toy by Hallie Lieberman. They were disguised as home or bath products, like the “rolling pin” heat massager or the famed “muscle relaxer,” Hitachi’s Magic Wand. Later, manufacturers went to great lengths to make sure the technology didn’t imply that men were obsolete.
These days, sex toy manufacturers are confronted with a new set of issues. In other corners of the IoT, researchers have repeatedly shown how much personal information our connected devices gather, how little we know about how manufacturers will use the data, and how easy it is for hackers to steal it. In 2015, information security experts figured out how to pilfer Gmail login credentials from Samsung’s internet-connected refrigerators through a user’s Wi-Fi network. Last year, a popular GPS-tracking watch for kids sent parents into a tizzy after security researchers found its maker didn’t encrypt data, making it relatively easy for strangers to track a child’s whereabouts.
Data collected by high-tech sex toys, meanwhile, could reveal a user’s sexual orientation or with whom they’re using the toy. In 2017, a company called Standard Innovation settled an almost $4 million class-action lawsuit after users claimed the company’s Bluetooth-enabled We-Vibe 4 Plus couples vibrator kept track of how much time they spent using the device. As part of the settlement, Standard Innovation agreed to stop recording users’ personal information and destroy any collected data.
Any device that's connected to the internet can be exploited in some way, says Amie Stepanovich, IoT security expert and executive director of the Silicon Flatirons Center at the University of Colorado. Part of the risk in smart sex toys and other IoT products, she says, is that the internet is integrated into industries that don’t have much expertise in cybersecurity. While working as a policy manager at Access Now, a non-profit group dedicated to “open and free internet,” Stepanovich and her colleagues filed a complaint with the Federal Trade Commission after researchers revealed how woefully easy it was to break into a $249 Siime Eye vibrator from Svakom. The toy included a small camera on one end to record video to send to a partner. If you were within the dildo’s Wi-Fi range and figured out the password, you had access to the footage.
There’s a high level of concern around the security of sex tech because the potential consequences are so grave: spying, sexual harassment, even revenge porn. “We’ve shown in several different cases that compromise of very personal video footage is possible,” says Ken Munro, a researcher at the security firm Pen Test Partners. “Very sensitive information could be exposed, perhaps even being used to blackmail someone.”
If someone hijacks a device’s controls via the internet—what the sex tech security world calls “screwdriving”—it could result in what many consider rape. The scariest thing about screwdriving, according to Munro (whose firm coined the term after they discovered a butt plug could be remotely controlled over Bluetooth), is that a victim wouldn’t know their device had been compromised until it was too late.
“If you thought you were using a device that was being controlled by your significant other, and it turns out that some other person who you do not know had interrupted that connection and taken over control of that device,” adds Stepanovich, “that's really severe.”
To date, the only known hacks took place in controlled spaces, executed by firms like Pen Test or by white hat hackers (computer security specialists who break into systems to test their security). At this year’s Def Con hacker conference in Las Vegas, a hacker named Smealum exploited a teledildonic butt plug from Lovense Hush, revealing how he could take control of the device and its associated computer dongle, while also spreading malware to the associated computer.
Smealum, whose real name is Jordan Rabet, began studying Bluetooth-connected butt plugs after he came out as gay two years ago, and was introduced to the devices by a friend. “It seemed silly that you should be able to hack a butt plug or any sex toy,” he says. But after looking into it, he says he realized “that finding security issues in those products would actually have real impact.” Rabet now believes there’s a population of creeps out there secretly hacking the toys of random people. Especially vulnerable, he says, are online sex workers: “Toys are being marketed as tools for cam models to make a living.” Using the vulnerabilities he found, or something similar, a cam model’s patron could remotely take over their computer. Even scarier, he adds, is that safety features of sex toys like max motor speed and safe battery charging may be implemented in software. “If that's the case, then whoever is controlling the software on your toy could remotely physically harm you.”
Unless it’s your intention to open yourself up to strangers, Rabet strongly recommends turning smart sex toys off when you’re not using them or making sure someone you trust always has a phone connected to it.
Because jurisdictions in the U.S. define sexual assault differently, the country’s legal system is not equipped to handle sex crimes like teledildonic sextortion or remote-controlled assault, according to cybersecurity watchdog Brad Haines. Haines works as a security analyst for a large company by day and, in his off hours, runs security hub Internet of Dongs (under the persona Render Man), looking for vulnerabilities in sex toys and alerting their makers to them. “Companies record data like who is connecting to who, or GPS information of their customers,” says Haines. “I found one vendor recently that was doing that, basically, by accident. I peeked under the hood, and could see GPS coordinates for every user in their search engine.” He won’t reveal which company this was, because they’ve since fixed the bug—but says many of the manufacturers he works with are Silicon Valley startups not yet well versed in tech security.
Haines doesn’t get paid for his off-duty security work on sex toys, but has the support of his fiancée, Nicole Schwartz, also a software developer moonlighting as a white hat sex toy hacker. Her speciality is teaching online sex workers how to encrypt their computer data so that clients can’t see their private information. Haines and Schwartz are known among their small circle of white hat hacker friends, one of whom works with Tesla to improve company security, as a “sex tech power couple.” They met at Def Con 20 years ago and have been attending almost every year since. At last year’s conference, they hosted a butt plug hacking contest for attendees: Schwartz slipped one in and challenged anyone to try and control it. The idea was to prove that it wasn’t possible to hack, unless you were in close proximity. “I was willing to be the guinea pig,” says Schwartz. “The guy who ended up winning felt weird about it, but I assured him I knew what I was getting myself into and told him, like, this wasn’t my first time wearing a butt plug.”
Haines and Schwartz are now planning a sequel of sorts to take place at their August nuptials. A hacker friend will write code to give a single remote control authority over multiple butt plugs. Willing wedding guests will wear the devices, and the remote will be passed around at the reception. “Why not?” asked Schwartz. “It’ll be the craziest post-wedding reception ever.”
Haines clarifies that while their work with sex toys can be fun, attacks are something they take very seriously. “We put our faith in companies and technologies and people, and hope and assume they’re secure and they've got the best interest of the customer at heart in terms of privacy and security,” he says. “Unfortunately? That’s not always the case.”
Rose is a Senior Editor at ELLE overseeing features and projects about women's issues. She is an accomplished and compassionate storyteller and editor who excels in obtaining exclusive interviews and unearthing compelling features.