Internet of Dongs image showing Internet-concected sex toys.

Internet of Dongs: Project Hacks Sex Toys to Keep Your Intimate Life Private

Security researcher is bridging the gap between the sex tech and infosec industries.

Internet of Dongs image showing Internet-concected sex toys.

White-hat hacker Brad “RenderMan” Haines thinks it’s about time the sex tech world caught up with information security (infosec) best practices. That’s why last year he launched The Internet of Dongs (IoD) Project with the aim of hacking sex toys to detect security and privacy vulnerabilities.

Already his work is creating waves. IoD has reeled in support from well-known players in the community like PornHub and Kiiroo. Many sex toy vendors are also keen to use his project to improve customer protection. Looks like a win-win situation for everyone!

Future of Sex spoke with Haines to learn more about his project and its positive influence on the sex tech industry.

FoS: Why and when did you start Internet of Dongs and what’s your mission?

I’ve had the idea in the back of my head for almost a decade. Ever since the first Bluetooth-enabled vibrator came on the market, my hacker brain realized the potential for various threats that connectivity brought to these devices. In the intervening years, the “Internet of Things” (IoT) exploded (figuratively and in some cases, literally) and now everything is getting connectivity in one way or another, sex toys included.

I was looking for a new project and was looking at IoT devices. However looking at thermostats, webcams, and fridges seemed to be a very crowded field of researchers. That’s when I remembered my interest in connected sex toys and after a little research I found that the market was much larger than I expected and pretty much no one had ever looked at the security of them. To carve out my niche, I coined these devices the Internet of Dongs (IoD), as a branch of IoT, and boldly went where no hacker had gone before (for the most part).

The IoD project was created initially as just a site to house my research, but very quickly it became apparent that the problems were much larger than I expected. The site soon grew to encompass my efforts to inform and advocate for better security from vendors. It also has come to be a central point of contact to bridge the infosec researcher/hacker community and the vendors of these devices.

Ultimately, the project exists to make things safer for everyone, both vendors and consumers. If I’m able to remotely hijack a vibrator and control it instead of the person the user expected (we’ve found such vulnerabilities), by many definitions, that’s sexual assault, if not rape. We live in a world where remote rape is now a reality and I would assume that no one reading this wants to see anyone hurt because of a preventable security or privacy issue. It’s about being a decent human being. It’s a way to make the world a bit better.

FoS: What makes an Internet-connected sex toy vulnerable to hackers or security and privacy threats? And what can sex toy users and makers do to protect privacy?

To explain the threats, you need to understand what the IoD (and much of the IoT) industry is like. Until very recently, these vendors were creating “manually operated” devices without connectivity. They had lots of materials knowledge, ergonomics, and electro-mechanical engineering expertise, but almost zero in the way of security talent.

When they started to build connected devices, there was just no one in the industry around with the knowledge to say, “Is that such a good idea?” Compounding the problem is that societal aversion to “adult” topics and products mean that a lot of knowledgeable, technical people were not wanting to associate with the industry. As a result, they were building devices with no idea about the risks they were creating. They were genuinely naive and blissfully unaware what they were doing.

As a result of this environment, the devices, and more importantly, the software are making the same sorts of security errors that the high-tech industry was dealing with 15 years ago: no or poorly implemented authentication, poor or no use of encryption, and a failure to realize that any collection of personal data requires a level of security they were unprepared for. Compounding this is that given the nature of the data, you can’t always do things the way other industries would handle it. There are just no known best practices for IoD devices.

What the IoD project is trying to do is adapt the best practices that we in the infosec world have learned the hard way and present them in a form that the vendors can quickly understand and adopt. We’ve had great success so far with this strategy even though I am the first to admit, I don’t know what the hell I’m doing.

We’ve also expanded to try and educate users too. Users, unfortunately, have little power beyond their control of the market. Helping them in making educated decisions about what products to buy and their capabilities and if they are comfortable with the benefits and risks associated with this new technology. Something you should be doing with all aspects of your life, but few seem to be doing so.

FoS: Since launching, it seems like you’ve gained a lot of traction by getting support from PornHub and partnerships with sex tech vendors like Kiiroo and Lovense. How are these companies supporting what you do exactly?

When I started, a local store, the Traveling Tickle Trunk, gave me some floor demo and damaged devices to get me started. It was quickly apparent in my research that there was a lot more out there and they weren’t cheap and that I’d need some sort of funding to get devices to properly test.

After trying a few vendors in the InfoSec community and getting nowhere, I sent a drunken email to Pornhub after reading and article about some of the amusing things they’ve sponsored (i.e. a basketball teams jerseys). Amazingly I heard back right away. After explaining the project, the goals and initial results, they saw the value in the project and agreed to provide the financial support I needed to investigate all the toys I had found. Many people don’t know it, but as a company, they understand things like social responsibility and philanthropy. They also have a wicked sense of humor.

Lovense was the first company I reached out to. After pointing out some problems I’d found with their apps, they were very grateful for the help and new awareness for security and privacy. They immediately threw their support behind the project and were quite helpful in being my guinea pig to build the vulnerability disclosure and management framework. That framework is what I’m now using as a model for all vendors to help them raise their level of security and privacy in their products.

Kiiroo was actually just about to contact me when I contacted them. Like Lovense, they saw the value in the project and the awareness and knowledge I was bringing to the industry. They threw their support behind the IoD project immediately.

Since then I’ve connected with Mystery Vibe, Miss VVs Mystery (Miss on the go), Ohmibod and Vibease to get them onboard with my framework and helping them adapt it to their business.

As a matter of course, I try and purchase the devices I am testing with the funding Pornhub gave me. This means I am a legitimate customer and have a right to complain about poor security. It also keeps me from any conflicts of interest, so I never ask for anything. That said, should a vendor volunteer a freebie for further research, I’m not an idiot and have accepted some, but only if they offer.

I also have a Patreon setup with low goals just to cover basics like web hosting and other operational costs. The rest is out of my pocket and my donation of time to the cause.

FoS: Do you think the recent controversies surrounding the makers of the We-Vibe vibrator, such as the privacy lawsuit and the hacking of one of their toys at DEFCON, has attracted more support to Internet of Dongs? If yes, how so?

Most certainly the press coverage has helped greatly. Mostly it’s been for awareness that IoD devices exist. I’ve lost track of tweets and article comments that say, “Wait, they have Internet-connected vibrators now?” and the incredulous replies that follow.

The case showed that IoD devices mishandling their users’ data can be a costly mistake ($5 million Canadian in this case). This was an unfortunate wakeup call to the industry that was well timed with my launch of the project.

To clarify, the We-Vibe case was about an error in their privacy policy, not a security issue. The presentation at DEFCON, while it showed some vulnerabilities, pointed out that the app was sending certain information to We-Vibe servers. Most of this was the kind of anonymous usage and diagnostic data we all content to every day whenever we click “I accept” on a usage agreement. Things like favorite pattern, duration of usage, the internal temperature of the chipset, etc. Nothing terribly scary there. Your TV likely sends home more information.

The problem was that because accounts used email addresses as a username, there was enough information to potentially build a “dossier” or profile of a user. The fatal thing that led to the lawsuit was that the app’s policy was actually from their website, and thus never addressed or disclosed what was being collected and sent. That’s what the lawyers latched onto and sued over. There was no malicious use of the data collected, hacked, or otherwise disclosed. It was just a very expensive typo that they got nailed for.

FoS: Have you been in contact with Standard Innovation, the makers of We-Vibe? I wonder if they’d be interested in becoming one of your supporters.

They were the first one I tried to get a hold of. I had put in almost the exact same talk for DEFCON about my research on the We-Vibe. As a part of that research I wanted to report my findings to ensure that the issues were fixed before I talked to them. As early as May 2016, I tried emailing, tweeting, and even tried calling them on the phone to report these issues. Even today, I cannot get a response out of them about joining the IoD project and adopting our framework or even helping make it better. I try every few months to dig up more company emails or contact info but no one has replied. I still have security issues I’d like to report.

It may be that they are a bit gun shy after the lawsuit and want to put it behind them, but I figure that they could do tremendous things for the industry by helping other vendors learn from their mistake. Their app was before the lawsuit, and continues to be, the most secure one I’ve tested. Their insights, policies, and procedures could help a lot of people and make them look even more responsible after this debacle.

I’m not giving up and look forward to someone finally getting the message and chatting with me ([email protected] BTW. Hint!)

FoS: What are some of the biggest challenges Internet of Dongs is facing in carrying out its mission?

Time is the biggest issue. I work full time and this is a side project I can’t exactly bring into the office. So many dongs, so little time. There’s a lot of apps and devices that I may have quickly assessed at one time, but I need time to sit down and go through a formal methodology to assess and document any issues I find. I try to be as professional about this as I can in order to help counter the next issue.

The other issue currently is one of stigma. Modern society, especially North American society is really weird about sex stuff. As a result, it’s sometimes challenging to get people to take the work seriously. They either get grossed out for some reason, think it’s an excuse for me to buy stuff for my own pleasure (Note: all devices are new and for scientific research, not for normal “use”) or they don’t see why the research is needed at all.

To me, they are just devices, apps, servers, etc., like any other. It’s a Bluetooth device that pairs to a phone and receives commands to control I/O pins that output, in most cases, to motors. Everyone wants to have safe, private and secure products. Why should sex toy users be deserving of any less protection?

FoS: What’s in store for the future of Internet of Dongs?

More partners, more dongs, more vulnerabilities!

I just ordered another batch of devices and am going to be working on establishing connections with those vendors.

I’m starting to give more talks at conferences, so hopefully I can get some other researchers interested in the topic to help provide expertise in areas I lack. I’m also hoping to build relationships with infosec vendors willing to get over the stigma of the adult industry to provide the industry with resources they desperately need.

I’m also exploring speaking at one or several large adult industry conferences with representatives from some of my partner vendors to “throw down” the challenge to do better at security across the whole industry, not just IoD devices.

Lastly, I’m also sure the future will have me continuing to make my mother proud and very, very confused.

Image sources: Internet of Dongs