
Security Researchers Hacked a Bluetooth-Enabled Butt Plug


The rectums of the world are clenched in fear after Italian infosec researcher Giovanni Mellini revealed just how easy it is to hack a Bluetooth-enabled butt plug in a blog post on Tuesday.

The device in question is Hush by Lovense, which is billed by the company as "the world's first teledildonic butt plug" that you can "control from anywhere!"

Unfortunately for Lovense, the butt plug has also joined a host of other teledildonic products that are remarkable for being insecure. In other words, even though you can control your butt plug "from anywhere," it would appear that anyone within Bluetooth range can control it, too.


As detailed by Mellini in his blog post, he was able to hack the butt plug using a Bluetooth Low Energy (BLE) scanner developed by Simone Margaritelli and freely available on GitHub. Bluetooth is not considered the most secure way to send information wirelessly, but its low energy version is even more vulnerable to attacks. Still, it has found wide use in Internet of Things (IoT) devices because it drains less battery.

As Margaritelli wrote about the scanner used in the butt plug hack, "BLE is a cheap and very insecure version of Bluetooth, in which you have no channel hopping and no built in protocol security." This means it's relatively easy to execute a man-in-the-middle attack, in which a hacker tricks the butt plug into thinking it's talking to the user's phone, and to capture information packets being sent between the devices (aka sniffing).

So why would anyone put BLE on a device then? Per Margaritelli's blog post, "If you wanna build and sell some IoT-smart-whatever crap, and you wanna do it quickly because your competitor is about to go on the market with the same shit, you take Bluetooth, you strip it from the very few close-to-decent things it has and voilà," you have a BLE-enabled device.

Using this tool in tandem with the Lovense phone app, Mellini said he was able to remotely pair with the butt plug without any sort of authentication, password, or PIN. After he had paired with the butt plug, he was able to make it vibrate on command.

The device can be remotely operated from up to 30 feet away while the user is standing, or up to 10 feet away while the user is sitting, according to Lovense's website. This means a ne'er-do-well would have to be pretty close to the butt plug in question to commandeer it. Still, the Lovense app is connected to the internet, which means an enterprising hacker could take advantage of the vulnerabilities discovered by Mellini for a truly remote butt plug hack.

According to Mellini, this hack likely could've been avoided by choosing a less insecure wireless protocol.

"It is very easy to hack BLE protocol due to poor design choices," Mellini wrote. "Welcome to 2017."

Motherboard reached out to Lovense for comment and will update this post if we hear back.

The sex toy industry has made a valiant effort to reinvent itself by connecting pleasure gadgets to the internet, but so far the nascent teledildonics space has been plagued by insecure smart dildos.

Privacy will be key if teledildonics are ever going to be adopted in a big way. But for now, these intimate objects are a little too public.


Senators Reach Deal to Stabilize ACA Insurance Markets for Two Years

Sens. Patty Murray, D-Wash. (left), and Chairman Lamar Alexander, R-Tenn., say they have a tentative agreement to appropriate the subsidies for the next two years, restore money used to encourage people to sign up for Affordable Care Act health plans and make it easier for states to design their own alternative health care systems.

The bipartisan agreement could help stabilize insurance premiums next year so that younger, healthier people will buy policies. President Trump has embraced it, but other GOP leaders have not.

(Image credit: Tom Williams/CQ-Roll Call via Getty Images)

fxer
"Senate Majority Leader Mitch McConnell, R-Ky., would not commit to bringing the bill up for a vote"

Windows 10 Fall Creators Update: Lots of small changes—and maybe the revolution


Oddly, Microsoft's Mixed Reality house has no windows. (credit: Microsoft)

It has arrived: Windows 10 version 1709, build 16299, the Fall Creators Update. Members of the Windows Insider program have been able to use this latest iteration for a while now, but today's the day it will hit Windows Update for the masses.

As with the Creators Update earlier this year, the Windows Update deployment will be slow to start off with. After a spate of issues around the Anniversary Update, which shipped in 2016, Microsoft took a more measured approach with the Creators Update. It took about five months for the previous update to reach two-thirds of machines, as the company rolled the operating system out first to systems known to be compatible, then expanded its reach to an ever larger range of hardware and software, and finally opened the floodgates and offered it to (almost) any Windows 10 machine.

Again like the Creators Update, anyone who is impatient and wants to forcibly install the new version will be able to do so with the Update Assistant and Media Creation Tool when they get updated, presumably at some point today.


DMack
A fall update means we all get to fix our moms' PCs when we go home for Christmas

ACME Support in Apache HTTP Server Project


Oct 17, 2017 • Josh Aas, ISRG Executive Director

We’re excited that support for getting and managing TLS certificates via the ACME protocol is coming to the Apache HTTP Server Project (httpd). ACME is the protocol used by Let’s Encrypt, and hopefully other Certificate Authorities in the future. We anticipate this feature will significantly aid the adoption of HTTPS for new and existing websites.

We created Let’s Encrypt in order to make getting and managing TLS certificates as simple as possible. For Let’s Encrypt subscribers, this usually means obtaining an ACME client and executing some simple commands. Ultimately though, we’d like for most Let’s Encrypt subscribers to have ACME clients built in to their server software so that obtaining an additional piece of software is not necessary. The less work people have to do to deploy HTTPS the better!

ACME support being built in to one of the world’s most popular Web servers, Apache httpd, is great because it means that deploying HTTPS will be even easier for millions of websites. It’s a huge step towards delivering the ideal certificate issuance and management experience to as many people as possible.

The Apache httpd ACME module is called mod_md. It’s currently in the development version of httpd and a plan is being formulated to backport it to an httpd 2.4.x stable release. The mod_md code is also available on GitHub.

It’s also worth mentioning that the development version of Apache httpd now includes support for an SSLPolicy directive. Properly configuring TLS has traditionally involved making a large number of complex choices. With the SSLPolicy directive, admins simply select a modern, intermediate, or old TLS configuration, and sensible choices will be made for them.

Development of mod_md and the SSLPolicy directive has been funded by Mozilla and carried out primarily by Stefan Eissing of greenbytes. Thank you Mozilla and Stefan!

Let’s Encrypt is currently providing certificates for more than 55 million websites. We look forward to being able to serve even more websites as efforts like this make deploying HTTPS with Let’s Encrypt even easier. If you’re as excited about the potential for a 100% HTTPS Web as we are, please consider getting involved, making a donation, or sponsoring Let’s Encrypt.



Han Solo film, called Solo, has wrapped up production


The cast of Solo takes a break. (credit: Disney)

Today, the next standalone Star Wars film wrapped. Directed by Ron Howard—after a bitter departure from previous directors Phil Lord and Christopher Miller (The Lego Movie)—the movie at last has a name. It will be called Solo. The film explores Han Solo's early adventures and is rumored to give us a glimpse of how Han won the Millennium Falcon from Lando.

Howard announced the wrap in one of his many snaps from the production. Han Solo will be played by Alden Ehrenreich (Beautiful Creatures), and Donald Glover (Atlanta, Community) will be Lando Calrissian. Emilia Clarke (Game of Thrones) plays Kira, who is one of the adventurers Han will meet, and Thandie Newton (Westworld) has an unknown role. Joonas Suotamo will play Chewie.

Howard didn't just finish up the film that previous directors Lord and Miller worked on for six months. He did extensive reshoots, and it seems likely that he changed the film quite a bit from the original comedic vision. The film was written by Lawrence Kasdan, who worked on the first trilogy with Lucas, along with his son Jon Kasdan. It's due in theaters on May 25, 2018.


Most sushi fish isn't fresh
