
> The We-Vibe product line includes a number of Bluetooth-enabled vibrators that, when linked to the "We-Connect" app, can be controlled from a smartphone. It allows a user to... give a partner, in the room or anywhere in the world, control of the device.

Wow. I'm just kind of incredulous that this was never hacked. The lawsuit is about the company's own data-collection practices, but just imagine the freakout if one fine day Vladimir Putin took control of all these devices at once.

Has anyone done a security review of the device and the associated app? If ever a service called for a thorough penetration test... (Bah-dum-bum! Thank you, I'll be here all week, tip your wait staff.)

I'm wondering if the lack of hacks came from actual good engineering on the company's part -- hope springs eternal! -- or if the device was just too niche to catch the interest of the black hats?



> Has anyone done a security review of the device and the associated app?

Partially, yes, here's our DEF CON 24 presentation about it: "Breaking the Internet of Vibrating Things": https://www.youtube.com/watch?v=v1d0Xa2njVg

We started out wanting to learn how the device worked, wondering how secure it was and then discovered that what the manufacturer was doing was of more immediate concern. (FWIW the original suit was filed about a month after our DEF CON talk.)

> I'm wondering if the lack of hacks came from actual good engineering on the company's part

As you'll see in the talk, they appeared to have done some things right (e.g. secure network connections) but there are a lot of moving parts (device hardware, firmware, app, backend servers, chat, audio, video, control) and we barely scratched the surface.

> if the device was just too niche to catch the interest of the black hats?

It caught our attention but our hats were black with sparkly skulls on them. :)


To what end? The devices don't stay connected. You have to turn them on, open the app and sync them up. At best you get to alter the vibration patterns of several hundred people at once. At best you've very mildly annoyed somebody and they'd just chalk it up to a buggy app.


Yup. There's a whole project based off of auditing security for this stuff. http://internetofdon.gs



