Over the weekend, the manufacturer solved the problem, which it attributed to a bug in the code for the Android version (only) of the app, Lovense Remote.
Lovense Remote controls up to six sex toys via Bluetooth. Using the mobile device’s microphone, the app “listens” for nearby sounds — music, for example — in case the user wishes to use them as action triggers. Thanks to a mistake in the code, devices recorded everything the mic picked up and stored the file as “tempSoundPlay.3gp.”
Lovense updated the Android app (v3.0.7), explaining to users that audio files must still be recorded in order to provide sound-activated vibrations (one of the app’s primary draws), but that the files won’t be stored for longer than a single session.
“The fix deletes the temporary audio file… after exiting the Sound Control feature, and the app will do an additional check and delete each time the app is started,” Lovense explained.
“No information or data is sent to our servers,” the company added.
RenderMan, hacker and founder of the Internet of Dongs Project, confirmed the problem and the fix. According to his research, the app’s developers improperly called the function to delete the audio file when the session was over.
“The most likely scenario is one of a bug that failed to take out the trash after it was done,” he noted.
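The cleanup pattern Lovense describes (delete on leaving the feature, plus a check at startup) can be sketched as follows. This is an added illustration in Python, not Lovense's code; `sound_control_session`, `sweep_stale` and the cache directory are hypothetical names, and only the file name comes from the article.

```python
import os
import tempfile
from contextlib import contextmanager
from pathlib import Path

TEMP_NAME = "tempSoundPlay.3gp"  # file name reported in the article


def sweep_stale(cache_dir: Path) -> bool:
    """Startup check: delete a recording left behind by a crash or kill.

    Returns True if a leftover file was found and removed."""
    try:
        (cache_dir / TEMP_NAME).unlink()
        return True
    except FileNotFoundError:
        return False


@contextmanager
def sound_control_session(cache_dir: Path):
    """Hypothetical session wrapper: the capture file exists only in the with-block."""
    sweep_stale(cache_dir)  # never reuse or append to an old recording
    path = cache_dir / TEMP_NAME
    # O_EXCL fails if the file reappeared; 0o600 keeps it owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as audio:
            yield audio
    finally:
        # Runs on normal exit and when the session raises.
        path.unlink(missing_ok=True)
        if path.exists():  # verify the delete instead of assuming it worked
            raise RuntimeError("temporary recording was not removed")


if __name__ == "__main__":
    cache = Path(tempfile.mkdtemp())          # constructed stand-in for app storage
    (cache / TEMP_NAME).write_bytes(b"old")   # constructed leftover from a killed run
    print("stale file removed at startup:", sweep_stale(cache))
    with sound_control_session(cache) as audio:
        audio.write(b"\x00" * 16)             # constructed sample bytes
    print("file present after session:", (cache / TEMP_NAME).exists())
```

The startup sweep matters because exit-time cleanup never runs if the process is killed mid-session.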
Although RenderMan acknowledged previous misappropriation of data collected by connected sex toys (like the one that cost We-Vibe developers $3.75 million) and a bug in the Lovense Bodychat and Wearables apps that could have exposed users’ email addresses, he concluded the whole issue in this instance was overblown to begin with.
“I can’t imagine the usefulness of ambient sound recordings of users’ IoD usage would be of any use to vendors,” he wrote. “Have you ever stepped back and listened to people have sex? People make some of the most ridiculous sounds mid-coitus, so it’s only useful for comedy purposes, I think.
“Hopefully [there] are some lessons to be learned here for future issues, and we can get back to making the world safe and secure for consenting users to enjoy,” he added.
Another researcher, who demonstrated that Lovense’s Bluetooth-controlled Hush anal plug could be hacked, advised users to be careful with all internet-connected devices.
“Anything that uses a camera and a microphone potentially has the opportunity to cause a privacy invasion,” said Ken Munro of Pen Test Partners. “At present, there’s a complete lack of standards, so it’s a Wild West right now.”