The Internet of Things That Can Be Hacked grows daily. Lightbulbs, trucks, and fridges all have computers inside them now, and all have been hacked by someone. But at least you don’t put those inside your body.
The makers of the We-Vibe don’t admit any wrongdoing. But they will pay $3.75 million after allegations that the app was collecting users’ “highly sensitive information.”
Two years ago, someone had the good idea to put a Bluetooth connection inside a vibrator, and the We-Vibe 4 Plus was born. The vibrator can connect with a smartphone app that its makers say “allows couples to keep their flame ignited – together or apart”: that is, it can be controlled remotely, while, say, making a video call.
Other vibrator manufacturers are also using the vulnerable app, but have yet to be targeted by legal action. If you own any Bluetooth-connected device, beware!
At the Def Con hacking conference in Las Vegas, two independent hackers from New Zealand, who go by the handles goldfisk and follower, revealed that the way the vibrator speaks with its controlling app isn’t really secure at all – making it possible to remotely seize control of the vibrator and activate it at will.
In their talk, Hacking the Internet of Vibrating Things, Follower argued that despite titters at the back of the room, the security of a sex toy should be taken seriously. “The company that makes this vibrator, Standard Innovation: They have over 2 million people using their devices, so what’s at stake is 2 million people.”
“A lot of people in the past have said it’s not really a serious issue,” he added, “but if you come back to the fact that we’re talking about people, unwanted activation of a vibrator is potentially sexual assault.”
Potentially worse still, the pair discovered that the app itself was phoning home, letting the manufacturer discover some very intimate information about users.
And, oh boy, did they collect some sexy details, the Register reported — like what time and how intense you like it and the temperature of the device. They even found the vibration modes you prefer: With the We-Vibe 4 Plus, there are 10 modes, but you can also create your own custom vibe. Your personally blended mix of pulse, wave, wave, pulse, tide, bounce, cha-cha-cha could be in the hands of hackers.
The lawyers for the anonymous plaintiffs contended that the app, “incredibly,” collected users’ email addresses, allowing the company “to link the usage information to specific customer accounts.”
Customers’ email addresses and usage data were transmitted to the company’s Canadian servers, the lawsuit alleges. When a We-Vibe was remotely linked to a partner, the connection was described as “secure,” but some information was also routed through We-Connect and collected, the lawsuit says.
The unhappy users allege in their lawsuit that they never agreed to the collection of this data. Standard Innovation maintains that users “consented to the conduct alleged” — but instead of taking the case to court, the company agreed to settle.
An estimated 300,000 people bought the Bluetooth-enabled devices.
Under the terms of the settlement, anyone who bought an app-enabled vibrator can receive up to $199; anyone who actually connected it to the app can collect up to $10,000. The actual amount paid out will depend on how many people file claims; the company estimates people who bought the app will get around $40, and people who used the app around $500.
The high-end vibrators cost between $119 and $199, if purchased through the We-Vibe website.
Standard Innovation also agreed to stop collecting users’ email addresses and to update its privacy notice to be clearer about how data is collected.
In a statement, Standard Innovation called the settlement “fair and reasonable.”
Getting off while plugged in? You might want to make sure your hardware is protected.