Hackers have managed to take hold of Internet-connected Cellmate cages to demand ransom from unlucky BDSM enthusiasts to unlock their captured penises, Vice’s Motherboard revealed.
One alleged victim, who identified himself as Robert, said that he was asked for a 0.02-bitcoin payment from the hacker to free the man’s genitalia after he had lost access to his “locked’ Cellmate cage.
But fortunately to the man, this did not happen while he had the device on, Robert said in a chat.
Another victim told the media that he “wasn’t the owner of the cage anymore” and lost full control over it, as he got an extortion message from the hacker demanding money for the unlock.
Some screenshots of victims’ online conversations with the purported hacker were shared online by the founder of ‘vx-underground’, a website that collects samples of malware attacks. In one of the alleged conversations demanding ransom, the attacker told the unfortunate user “your cock is mine now”.
However, it’s not clear from the report whether anyone had actually physically suffered from the attack or had their money transferred to hackers to set their penises free.
Penises Freedom at Risk
The Cellmate lock, mostly used in the BDSM community to remotely control users’ erections, is powered by Chinese Internet-connected sex toy manufacturer Qiui. The device is operated through a mobile app, which sends a signal to unlock the Bluetooth-connected chamber with an API.
The only other way to open the cage is with the help of bolt cutter or some other invasive instrument able to break the metal ring encircling the user’s penis.
🔑 CHASTITY SLAVES APPROACH 🔑
— 🇦🇺 Mistress Amy 🇦🇺 (@MistressAmy420) January 11, 2021
I am now taking GENUINE applications for Chastity Agreements.
✅ $50 chastity establishment fee
✅ $5 per day
✅ cellmate cage PREFERRED, but not mandatory
✅ can be part of orgasm/denial schedule
TRIBUTE, and approach to discuss. pic.twitter.com/i9g16Y8S45
In October 2020, it was unveiled by security researchers that a detected flaw in Qiui devices left their users exposed to outside control of their genitalia’s freedom after the API was left open and not secured with a password.
A security researcher from Pen Test Partners, Alex Lomas, said at that time that there was “no emergency override function” in the case of involuntarily shutdown, “so if you’re locked in there’s no way out.”
In communication with the media, Qiui executives pledged to fix the bug, but explained that switching to a new API for futue users would create vulnerabilities for existing ones, so it’s unclear how the situation was resolved in the end.
Lomas has confirmed that ransom-demanding messages were sent out by hackers to Qiui users and called on companies to maintain better communication with security researchers to avoid such vulnerabilities in the future.
The US distributor for the chastity cages told Motherboard in an email that the vulnerability allowing hackers to hack the sex devices was now fixed in the new version of the app powering the penis-lockers.
According to Quiu website, the company believes that “a true chastity experience is one that does not allow the wearer to have any control.” However, it looks like things might have gotten out of hand with respect to the loss-of-control issue following the “penis-locking” attacks.
