We discovered that cam models using the app could be inadvertently unmasked, flagging their online activities to employers and others with whom they may not want to share this information. Those for whom modelling was a part-time activity alongside other employment may be alarmed to learn that their sex toy could inadvertently inform their employer.
A related vulnerability allowed remote hijack of the toy over the public internet.
The Lovense Connect app makes regular outbound requests to an API server at ‘apps.
It is a ‘ping’ or heartbeat of sorts, sent even while the app is running in the background.
Whilst checking that another vulnerability in a smart sex toy had been fixed, we discovered something more concerning.
The device in question was geared towards adult webcam models/performers.
Any user of the same network (assuming no client segregation) can see these requests and deduce that the user has the app installed.
That means that, for example, other users of the same Wi-Fi network (friends and relatives, perhaps?) could make that deduction. If the user has other employment in addition to cam modelling, and uses the same smartphone for email and social networking too, then taking that phone to their workplace could cause significant problems.
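The reason a background ‘ping’ is so revealing is that the destination hostname is visible on a shared network even when the request itself is sent over HTTPS: the DNS lookup is plaintext, and the TLS ClientHello carries the hostname in the Server Name Indication (SNI) extension in the clear. The following is an added example, not code from the original post or from the vendor, that a user or a privacy reviewer could run against a capture of their own device's traffic to see which app back ends are identifiable by hostname. It builds a constructed DNS query and a constructed TLS 1.2 ClientHello, parses the hostname back out of each, and reports any that match a watchlist. The hostname `apps.example.invalid`, the `WATCHLIST` set and the `audit()` helper are assumptions for illustration; the article truncates the real API host, so it is not reproduced here.

```python
import struct
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder hostname; the article truncates the real API host.
WATCHLIST = {"apps.example.invalid"}


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (RFC 1035 wire format) - constructed sample traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(packet: bytes) -> str:
    """Extract the queried name from a DNS message (first question, no label compression)."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    return ".".join(labels)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension (RFC 6066)."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name  # name_type = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)      # client_version + random (zeroed, constructed)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # cipher_suites: one suite
        + b"\x01\x00"                # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Walk a TLS ClientHello record and return the SNI host_name, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record / not a ClientHello
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    if pos + 2 > len(record):
        return None                           # no extensions block
    end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            entry = record[pos + 2:pos + ext_len]     # skip 2-byte list length
            name_len = struct.unpack(">H", entry[1:3])[0]
            return entry[3:3 + name_len].decode()
        pos += ext_len
    return None


def audit(observed: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Given ('dns'|'tls', raw bytes) pairs, return watchlisted hostnames seen in the clear."""
    seen = set()
    for kind, pkt in observed:
        host = parse_dns_qname(pkt) if kind == "dns" else parse_sni(pkt)
        if host and host in WATCHLIST:
            seen.add(host)
    return sorted(seen)


def sample_capture() -> List[Tuple[str, bytes]]:
    """Constructed stand-in for a capture of one device's traffic on a shared network."""
    return [
        ("dns", build_dns_query("apps.example.invalid")),
        ("tls", build_client_hello("apps.example.invalid")),
        ("dns", build_dns_query("www.example.invalid")),
    ]


if __name__ == "__main__":
    print("hostnames visible in the clear:", audit(sample_capture()))
```

Both parsers are deliberately minimal (no DNS name compression, no TLS 1.3 Encrypted Client Hello handling) because the point is the one a practitioner needs to check on their own apps: unless the client uses encrypted DNS and ECH, the back-end hostname travels in plaintext, so a distinctive hostname polled in the background is an app fingerprint regardless of the transport being HTTPS.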
Fortunately, the vendor involved responded promptly and effectively to responsible disclosure.
The ‘ping’ issue is now fixed in the latest version of the app.