When it comes to cybersecurity threats, we've heard of people's smart home locks being vulnerable to break-ins, we've heard of traffic networks being manipulated, and fleets of cars being hacked. But this is most definitely a new one.
A vulnerability discovered in a smart chastity cage device that locks in users' manhoods makes it possible for a hacker to remotely and permanently lock all devices currently in use.
Locked in for good
As the internet-linked chastity cage, called the Cellmate Chastity Cage, has no manual override, users might have been faced with the scary prospect of having to use tools to brute force the device open, the BBC explains.
Thankfully, for any high-tech chastity cage users out there, the vulnerability has been fixed by its Chinese developer, Qiui, after a team of UK security researchers, Pen Test Partners, flagged the problem.
RansomWEAR, a new IoT threat model? Our @alexlomas has been busy with his cell mate and discovered an eye watering vulnerability. A smart male chastity lock cock-up - https://t.co/PyMmMMDrpP #LockedIn #IoTSecurity #AngleGrinder pic.twitter.com/hr4brvApzD
— Pen Test Partners (@PenTestPartners) October 6, 2020
The researchers who found the vulnerability also published a workaround for the issue that could help anyone currently locked in, detailed in a video as well as in a blog post revealing their findings.
Smart chastity gadget vulnerability
Qiui's Cellmate Chastity Cage is sold online for approximately $190 and is marketed as a device that could help users abstain from sexual activity or give their partner control over their body.
The Internet of Things-enabled cage is wirelessly connected to a smartphone via a Bluetooth signal, which triggers the device's lock and clamp mechanism. The vulnerability stems from the fact that the software used in the device sends commands to a computer server used by the manufacturer.
Pen Test Partners believe there are approximately 40,000 devices in use, based on the number of IDs granted by the Chinese developer. The security researchers say they discovered a method for tricking the server into disclosing a unique code assigned to each device, as well as personal information for each user.
The unique code could be used to make the server ignore app requests. As a result, the server would fail to unlock any of the identified chastity devices, leaving wearers locked into their devices.