Smart Chastity Belts Leak Passwords, Emails, and User Locations

A cybersecurity expert has discovered that an unnamed manufacturer of male smart chastity belts is exposing user data, including email addresses, passwords (in plain text), home addresses, IP addresses, and in some cases, even GPS coordinates.

The researcher, who chose to remain anonymous, told TechCrunch that he was able to access a database containing records of over 10,000 users. Access was gained through two vulnerabilities, which the expert reported to the company on June 17, 2023.

However, journalists report that the chastity belt manufacturer has yet to fix the identified issues and has not responded to inquiries from either TechCrunch or the cybersecurity specialist. The journalists also contacted the company’s hosting provider, which promised to alert the device manufacturer about the problems, and the Chinese CERT, in the hope that it could reach the company as well.

After receiving no response from the manufacturer, on August 23, the cybersecurity researcher defaced the company’s homepage in an attempt to draw the developers’ attention and warn users about the danger.

“The site has been disabled by a friendly third party. [The company] left the site open, allowing any script kiddie to access all client information, including passwords in plain text and, contrary to the company’s claims, device shipping addresses. If you paid for a device and now can’t use it, I’m very sorry. But thousands of people have accounts on this site, and I couldn’t in good conscience leave all this at risk,” the expert wrote on the manufacturer’s website.

Less than 24 hours later, the company removed the researcher’s warning and restored the website. However, the vulnerabilities remain unpatched and are still exploitable.

Because the vulnerabilities have not been fixed, the publication is withholding the company’s name to protect users whose data is still at risk.

Additional Security Issues and Previous Incidents

In addition to the database vulnerabilities, the researcher found open PayPal payment logs on the company’s website. These logs contained information about PayPal-linked email addresses and the dates users made payments.

This is far from the first time experts have found security issues in smart adult gadgets. For example, in 2020, researchers from Pen Test Partners reported security flaws in Cellmate male chastity belts, manufactured by the Chinese company Qiui.

At the time, analysts noted that the devices had numerous security problems, allowing hackers to remotely lock and unlock them. There was no manual override or physical key for the Cellmate, meaning locked users could find themselves in extremely unpleasant situations.

In 2021, it was revealed that extortionists had begun exploiting these vulnerabilities, attacking users of the Qiui Cellmate app and locking their devices. Hackers demanded 0.02 bitcoin (about $270 at the time) from victims to unlock their chastity belts.
