Lovense, a producer of smart sex toys, struggled for months with a vulnerability that an ethical hacker discovered in March. Attackers could get into the user accounts of the remote-controlled vibrators without a password. The e-mail addresses behind the accounts could also be traced. The leak has since been closed, Lovense reports in a statement.

The Hong Kong company, which says it has more than twenty million users, produces, among other things, vibrators, vibrating eggs and butt plugs that can be controlled with an app via Bluetooth. Users can control the vibrations of the devices remotely via the app.

That can be a solution for people in a long-distance relationship, the company's website says in recommending the products. Lovense also provides services to webcam models on erotic sites such as OnlyFans. For example, they can let their viewers pay to make the toys vibrate during a live stream.

Chance

The leak was first described in a blog post by an ethical hacker who goes by the name BobDaHacker. The hacker has a Lovense account of her own and discovered the leak when she “was messing around” in the app, writes the hacker, who wants to remain anonymous, to this newspaper via the messaging app Signal. She blocked her ex-lover and observed the data that the app exchanged with the server. It turned out that the ex's e-mail address was included.

The ethical hacker reported the leak to Lovense back in March, but an adequate response from the company was not forthcoming. That is why she decided to make the leak public early this week. That is how she came into contact with another ethical hacker, who told her of having reported the same vulnerability in the software to the company in 2023.

Three days after BobDaHacker’s blog post, Lovense released a new automatic update of the app and the leak was closed. Lovense writes in a statement on its website that it wanted to know for sure that the update would offer permanent protection and wanted to ‘not rush’ this process. The company also says it has not found any evidence that user data was actually accessed.

“Of course I don’t know the processes there, but I think it’s difficult [for the company] to say this with certainty,” says Steven Derks, board member of the Privacy First Foundation. “I consider the chance of a data breach, i.e. inspection or theft of personal data, very high.”

‘Shocking’

Such a leak can have serious consequences, says Derks. “The cam models who also use these products often operate under pseudonyms. If you can link an email address to that, you can quickly find out more about a person. That clears the way for blackmail, doxing [publishing personal data online] and intimidation.”

In another way too, according to Derks, the leak is a violation of privacy: “You can really violate someone’s physical integrity when you break into an account and control a sex toy.” He calls it “shocking” that the company waited at least four months to close the leak. Derks: “You would expect such a large manufacturer of intimate toys to have its security in order.”

EasyToys and Bol.com, among others, sell Lovense’s sex toys. Earlier this week, the web shops announced that they would stop selling them, after reporting about the leak in the AD. Now that the leak has been closed, the forty erotic products are offered for sale on bol.com, a spokesperson tells NRC. The webshop says that it does not take the case lightly. “We continue to keep close contact with our distributor and demand close supervision of Lovense.” EasyToys also says it is resuming the sale of the sex toys.



