Chastity belt on Parks and Recreation (image: Parks and Recreation)

A sex toy security flaw almost permanently locked men in chastity belts

Next stop: penistentiary

It’s undeniable that the internet has brought us many great things: new connections, memes, the ability to work from home during a global pandemic. But for a handful of horny men, it’s also brought one devastating negative: the risk of never seeing their penises again.

A recently unearthed flaw in an internet-controlled chastity lock meant that users were at risk of having their device remotely administered by anyone on the internet, leaving them vulnerable to being permanently locked in.

The sex toy, billed as the “world’s first app-controlled chastity device”, was created by China-based company Qiui, and works by allowing a trusted partner to remotely lock and unlock the belt via Bluetooth using an app.

The security flaw was discovered by researchers at UK-based security firm Pen Test Partners, who found that the Application Programming Interface (API) – through which the app and lock communicate – was left open without a password, leaving individual users’ devices vulnerable to hacking.

What’s more, if a user got his penis trapped in the chastity lock, researchers say he would need a heavy-duty bolt cutter or angle grinder to be freed – a pretty embarrassing trip to the hospital IMO.

Writing in a blog post, Pen Test Partners also said the flaw meant that users’ precise location data, as well as personal information and private chats were leaked. The firm went on to explain that “the risk of personal data leakage seems more likely to be exploited and give reward to an attacker” than locking someone in their device.

Pen Test Partners first learned of the flaw in April 2020, and, after contacting Qiui with the problem, received assurances that it would be fixed. On June 11, an updated version of the Qiui Cellmate app was uploaded to app stores, which “mostly resolved issues” by forcing any lock requests to be authenticated. 

However, Pen Test Partners say the old APIs were still active, while the new ones continued to leak user locations. According to TechCrunch, Qiui couldn’t take the vulnerable API offline because it would have locked in anyone currently using the device. Qiui eventually missed three self-imposed deadlines to fix the problem, with the chief executive telling TechCrunch: “When we fix it, it creates more problems.”

While it’s not known if any users actually got hacked and locked into their chastity belts, a number of negative reviews on the app store highlight the plethora of flaws in the toy. “The app stopped working completely after three days and I am stuck,” wrote one reviewer. Another complained that the toy left a scar “that took nearly a month of recovery”.