Sex toy company admits to recording users' remote sex sessions, calls it a 'minor bug'

I have some news: the Internet of Things is a mess. A hacked refrigerator sounds slightly scary, but a vibrator-controlling app that records all your sex sounds and stores them on your phone without your knowledge? That's way worse.

Today, a Reddit user pointed out that Hong Kong-based sex toy company Lovense's remote control vibrator app (Lovense Remote) recorded a use session without their knowledge. An audio file lasting six minutes was stored in the app's local folder. The users says he or she gave the app access to the mic and camera but only to use with the in-app chat function and to send voice clips on command — not constant recording when in use. Other users confirmed this app behavior, too.

A user claiming to represent Lovense responded and called this recording a "minor bug" that only affects Android users. Lovense also says no information or data was sent to the company's servers, and that this audio file exists only temporarily. An update issued today should fix the bug.

A company representative e-mailed a statement, confirming that the user on Reddit was a representative of the company:

As explained in the thread I linked above, we do not store any audio files on our servers. For sound feature to work, we have to create a local cache file. This file is supposed to be deleted in the end of each session but because of a bug in the last version of our Android app, the file wasn't deleted successfully. With this bug, the cache file was stored on the user's device until the next session where the new session overwrites on the previous cache file.

The representative also confirmed that the bug has been fixed, and that the cache file will be deleted at the end of each session with this latest version.

This isn't Lovense's first security flub. Earlier this year, a butt plug made by the company — the Hush — was also found to be hackable. In the butt plug's case, the vulnerability had to do with Bluetooth, as opposed to the company spying on users. In a separate case unrelated to the Lovense, a company called We-Vibe was sued after after its Bluetooth-enabled vibrators allegedly collected and recorded users' personal information. The company ended up settling the class-action suit for $3.75 million. Then,

All of this is to say that if you're going to purchase connected sex toys, do your research. Trust in the toys' makers is essential. Still, vulnerabilities exist in any smart device, so recognize the risks before going online.

The article was published on : theverge