Hacked Butt Plug Can Be Controlled 'From Anywhere'

butt plug hack bluetooth sex toy
Hackers were able to send vibrate commands to the Hush butt plug. Giovanni Mellini

Researchers have discovered a serious security flaw with a Bluetooth-enabled butt plug that allows hackers to remotely take control of the vibrating sex toy.

Italian security researcher Giovanni Mellini published his findings in a blogpost on Tuesday, October 18, describing how he was able to send a vibrate command to a Hush butt plug from his laptop.

The Hush device, manufactured by Lovense, is designed to be a “long-distance love toy” and is described by the sex toy startup as “the world’s first teledildonic butt plug” that can be "controlled from anywhere."

Mellini said the idea to hack a butt plug started as a joke between a friend but decided to follow through after wanting to explore the security of the Bluetooth Low Energy (BLE) protocol.

“This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design,” Mellini explained in his blog.

sex toy hackers vibrator dildo wifi bluetooth Security experts warn sex toys connected to the Internet are becoming more vulnerable to hacking. Lovense

The BLE protocol vulnerability was first discovered by another security researcher called Simone Margaritelli, who wrote a scanner that Mellini used in the butt plug hack. Margaritelli described BLE in a separate blogpost as “a cheap and very insecure version of Bluetooth, in which you have…. no built-in protocol security.”

The device is one of dozens of sex toys that manufacturers have launched in recent years that can connect to smartphones and computers via WiFi and Bluetooth in order to allow users to control them remotely and download software updates.

However, security experts warn that these companies too often treat cybersecurity as an afterthought.

Read more: Are hackers spying on your baby?

Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products.

“There are three layers of security,” Lovense said in a statement last year. “The server side, the way we transfer information from the user’s phone to our server and on the client side. We take our customer’s private data very seriously, which is why we don’t serve any on our servers.”

The Hush butt plug  is the latest so-called smart device to come under scrutiny and is part of a growing trend of manufacturers overlooking cybersecurity risks with their products.

Last year, security researchers from cybersecurity firm Trend Micro demonstrated how they could hack a web-connected vibrator.

“If I hack a vibrator it’s just fun,” Raimund Genes, chief technology officer at Trend Micro, said at the time. “But if I can get to the back-end, I can blackmail the manufacturer.”

Join the Discussion