By Karl Bode
If you hadn’t noticed yet, the internet of things is a security and privacy shit show. Millions of poorly secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your Gmail credentials, your kids’ Barbie doll can now be used as a surveillance tool, and your “smart” tea kettle can now open your wireless network to attack.
So of course this kind of security and privacy apathy has extended to more creative uses of internet-connected devices. Case in point: last October, security researchers found that the makers of an IOT chastity cage — a device used to prevent men from being able to have sex — (this Amazon link has the details) had left an API exposed, giving hackers the ability to take remote control of the devices. And guess what: that’s exactly what wound up happening. One victim and device user says he was contacted by a hacker who stated he wouldn’t be able to free his genitals from the device unless he ponied up a bitcoin ransom.
Luckily his genitals weren’t in the device at the time, though it’s not clear other users were as lucky:
“A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely “locked,” and he “could not gain access to it.”
“Fortunately I didn’t have this locked on myself while this happened,” Robert said in an online chat.”
Given the often nonexistent security on internet of things devices, such problems aren’t particularly uncommon in devices like not-so-smart thermostats. It’s also a major problem in many hospitals where big medical conglomerates haven’t been willing to pony up the money necessary to keep lifesaving technology private and secure. That said, “I had to pay some kid in the Ukraine $750 so I could access my own genitals” is a new wrinkle many hadn’t seen coming.
It’s just yet another reminder that you shouldn’t connect everything to the internet just because you can. And you shouldn’t endeavor to engage in such innovation unless you’re willing to spend the money and take the time to ensure you’re adhering to basic security and privacy standards. Whether it’s a heart monitor or a sex toy, most companies still aren’t doing so after ten years of headlines like this. And despite some promising headway being made in policy, our response to the security dumpster fire that is the IOT remains a pretty hot, discordant mess.