Cellmate Male Chastity Devices Found Vulnerable and Dangerous for Users

Cellmate Male Chastity Devices Exposed to Hacking Risks

Security analysts from Pen Test Partners have examined a highly unusual device: the Cellmate male chastity belt, produced by the Chinese company Qiui. These gadgets allow owners to give their partners remote control over access to their genitals, with the device being locked or unlocked via Bluetooth and a dedicated app.

However, experts discovered that due to numerous security flaws, hackers can also remotely lock or unlock these devices. There is no manual override or physical key for the Cellmate, meaning that users who get locked in could find themselves in a very uncomfortable situation.

Researchers found that the only way to open a locked device is by using bolt cutters or an angle grinder to cut through the steel shackle, which is positioned around the user’s testicles. Alternatively, the device can be opened by overloading the circuit board that controls the lock, which requires applying about three volts of electricity (the equivalent of two AA batteries).

“Over the years, we and other researchers have repeatedly found similar issues with various manufacturers of sex toys. Personally, I believe that such intimate devices should meet higher security standards than, say, smart light bulbs,” said Pen Test Partners expert Alex Lomas.

Manufacturer’s Response and Ongoing Issues

Interestingly, researchers reported the security issues to Qiui back in April of this year. While the company was initially responsive, it later became clear that their engineers were unable to fully fix the vulnerability, and Qiui eventually stopped replying to the researchers’ emails.

The main problem with Cellmate lies in its API, which is used for communication between the device and the mobile app. The API was left open, with no password protection, allowing anyone to take control of any user’s device. This not only lets hackers remotely operate the Cellmate, but also gives them access to sensitive information, including location data and passwords.

Qiui updated its app in June in an attempt to fix the issue, but users who still have older versions remain vulnerable. Alex Lomas explains that the developers are now in a difficult position: if they completely disable the old API, it would fix the vulnerability, but users who haven’t updated the app would be locked out. If the API remains active, old app versions stay open to attack.

Qiui’s CEO, Jake Guo, told TechCrunch that a full fix was expected in August, but that deadline has passed and the problem remains unresolved. In one email, Guo said that “the fix will only create more problems.”

After months of communication with the developers, Pen Test Partners decided to go public with the information about Cellmate’s issues, hoping this would push for a complete fix. The security experts are deliberately withholding some technical details to prevent hackers from exploiting the vulnerability.

User Complaints and Broader Security Concerns

According to TechCrunch, this vulnerability is just one of many problems for Cellmate owners. Reviews in the Apple App Store and Google Play Store reveal that the app often stops working unexpectedly.

  • “The app completely stopped working after three days, and I got stuck!” wrote one user.
  • “This is a DANGEROUS app!” warned another Cellmate owner.
  • Another one-star review reads: “After the update, the app stopped unlocking the device. This is terrible, considering what we trust it with, and there’s no explanation on the [manufacturer’s] website.”
  • One more user complained: “My partner is locked in! This is outrageous, since it’s still unclear if this will be fixed, and there are no new email responses. Very dangerous! And scary! Given what this app controls, it should be reliable.”

“It’s very hard to tell just by looking at a product or app whether it securely stores your data or collects detailed usage information,” says Lomas. “I hope that in the future, some countries and states will start introducing standards for IoT products. For now, before buying, just search for ‘product name + vulnerability’ or look for security pages on the manufacturer’s website (and not just generic claims about ‘military-grade encryption’).”

Unfortunately, the security of sex toys and other intimate devices is often lacking and is no better than that of most other IoT gadgets. For example, in 2017, Pen Test Partners found numerous issues in “smart” vibrators equipped with cameras. At the DEF CON conference, researchers also discussed problems with another smart vibrator, the We-Vibe 4 Plus, which was found to be spying on users and sending all possible data back to the manufacturer. Similarly, Hong Kong-based sex toy maker Lovense was caught collecting data on its users.
