A few locktober participants could experience a far longer lockup than they imagined, should somebody with bad intentions be around while they are wearing a remote-controlled cage.
Two independent security vulnerability researchers, a company named PenTestPartners and The Internet of Dongs Project, as well as private kinkster @mikeTsenatek, have looked into the QIUI Cellmate, which has recently become popular as the first Bluetooth and app-controlled chastity cage on the widely available market.
The Cellmate’s features include a variety of app functions, such as handing control of your cage’s remote locking mechanism to other users or transferring it to your cage owner, community engagement where you can set challenges and let others in the community vote for you to be locked for a period, and so forth. It honestly sounds quite cool.
However, the researchers found several security issues, and one of them is especially important given the device’s design.
The QIUI cage opens only via Bluetooth signals from the app; there is no manual safety mechanism that can be triggered in case of emergency.
This feature could quite easily become a trap for the wearer, because the app’s API is insecure and can be hacked.
How long have you been wearing your CELLMATE, how happy are you with it, and what in your eyes is the big advantage of this chastity device?
I’ve been wearing the CELLMATE for about two months. I love it. It fits comfortably and there is NO WAY of escaping. The big advantage with this device is that it has no key.
Bought it this summer. Very happy with it. Longest time I had it on was 5 days. You can easily make someone keyholder without having to be near that person (is also a risk of course).
A quick explanation of the API, or Application Programming Interface: when an app sends data (your personal information) to a database somewhere else (their server, where all that personal information is stored), the API sits in between, essentially as a bridge. It regulates access to that information, translates the information so that everything goes smoothly, checks that the requested access is legitimate, and so on. It is very well explained in the video below.
What the researchers found was that the QIUI app’s API, which connects to the database where all of your sensitive information is stored (username, password, name, phone number, birthday, exact location, etc.), is unsecured. They could access it without much trouble. Anyone with some skill could.
After the researchers informed the developers of this vulnerability, and after what the researchers describe as a frustratingly slow conversation, the developers apparently updated their app together with new, more secure APIs. However, they left some of the old ones valid and functional, leaving this vulnerability open.
This was especially concerning because two new products were announced along with the app update: an app-controlled lockable buttplug and an app-controlled shock collar. Although the plug seems to have a mechanical emergency release built in, and the collar is removable, there was still a risk of injury from forcing open the anus and causing fissures and, naturally, from strong continuous shocks.
The company’s communication with the research groups about this issue has been somewhat lacking. The researchers received no answers, despite informing the company of security issues that were still open as well as new ones introduced by the updated version. The only news seems to be that the company has updated its APIs again, but the old vulnerabilities still exist. The passwords and your info could still be accessed, and you could still be hack-locked remotely.
Should this happen to you, or should another issue occur that leaves your cage unable to open, PenTest Partners have made a video on how to open it without big metal-cutting tools, although for many those may still be another option.
As of the publishing of this article, there have already been cases of such hacker attempts. Additionally, in the case of data theft alone, users might not even realize it has happened.
Note from Se7en: From a personal perspective I find it a shame that this company handles their customers’ privacy and security that way. Especially since their general application ideas seem to be very innovative and could potentially bring much to the market. But poor security just undermines everything, even potentially good product ideas.
If you have such a device, our advice is to change your personal data and password to something untrue and not used elsewhere, or delete it, and, if you want to continue using the device, to take precautions. Otherwise it might not only be a long locktober, but a long lockyear or more for you.
Additional note: Another issue somebody found is that the battery, although it is said to last up to 12 months, is placed on the inside of the cage. So if you’re locked when it runs out … Furthermore, in the first version of the cage, the casing of the battery compartment seems to have been susceptible to water damage. Early buyers who got theirs at release, please note this and take it into consideration when using your devices.
Last but not least, we have to ask our two guys again: How safe do you feel now?
Most likely hackers prefer big media attention or a large group of people affected by their actions. I don’t see that with the Cellmate. Nonetheless, the company should pay attention to the vulnerability of the system and the privacy of its users.
Well, like many users have experienced in recent days, I lost control of my device due to hacking. They are currently fixing the bugs and say it will be safe to wear again after tomorrow. I never felt unsafe. I will troubleshoot the CELLMATE over the next couple of weeks (without wearing it) before I start fully using it again. By the way, I am still locked in chastity, I just returned to a good old lock and key.