Last year, a hacker locked the internet-connected chastity cages of several men and asked for a ransom after taking advantage of vulnerabilities in the device’s mobile app infrastructure. One victim, who had his device on when the hacker took control, had no choice but to use bolt cutters to free himself, which left him “bleeding and it fucking hurt,” as he told Motherboard recently.
Now, the European distributor of the chastity cage, which is called CELLMATE, wants everyone to know that it’s safe to use the device after the release of a new app, which it says fixed the vulnerabilities in the API used to control it. The vulnerabilities were found last year by the security firm Pen Test Partners, which specializes in finding bugs in Internet of Things devices. The distributor says it contracted with a third party to do an additional penetration test of the cock cage’s app.
“Our product and brand (CELLMATE) has received quite a bit of negative attention because of this publication. Now, you can think ‘negative publicity is also publicity,’ but unfortunately it turned out completely different for the CELLMATE,” Dennis Jansen, who works for Desudo, a distributor of the CELLMATE device, told Motherboard in an email, referring to our first story on the hack. “This wrongly created the image that our product could be hacked, after which the genitals of the wearer would be permanently locked up. Although such a situation was not even realistic at the time of publication (as you can read and see here), this story has made current and potential users unfairly frightened of our product. You will understand that this has had absolutely no positive effect on the attention and interest in using the CELLMATE.”
Jansen pointed out that on the CELLMATE support page, the company tells users that it can unlock the device remotely in case of any issues, and that under dire circumstances, there’s an “emergency escape” mechanism that only requires a screwdriver. CELLMATE and its app are made by a China-based company called Qiui.
“The security issue reported by Pen Test Partners was in the QIUI app, not the CELLMATE chastity device. But because one is inextricably linked to the other, we have, in collaboration with QIUI, made every effort to solve the security issue as quickly as possible,” Jansen continued. “And with success! When the all-new QIUI 3.0 app is installed, users do not have to worry that their personal data or security is at risk.”
To support this claim, Jansen referred to a third-party security assessment (called a penetration test) which they showed Pen Test Partners. Jansen declined to share the third party pen test.
One of the people who got hacked last year, who asked to be identified only as Robert, said he was not aware of the “emergency escape.” Robert said that knowing that the company says the app is now safe makes him feel better about the device, “but doesn’t make me want to put it on again.”
The founder of Pen Test Partners, Ken Munro, and the researcher who audited the CELLMATE, Alex Lomas, both confirmed to Motherboard that they did receive the third-party assessment and that the document says the issues are now resolved. But they also said they can’t confirm the results, as they have not audited the device and its app and API since last year.
“I don’t think I can comment more about the safety or otherwise of the product at this stage, I think people hopefully have enough information to make their own judgements,” Lomas told Motherboard in an online chat.
Munro agreed with Lomas, and said the third-party audit “suggests that the bits they tested look OK.” But he also noted that it took nine months for Qiui to fix the issues that Pen Test Partners found, which the company reported to Qiui in April of last year.
“They finally took action only after we had published the story,” Munro said in an online chat. “That says a lot…”
In other words, yes, the CELLMATE may not be hackable right now. But given how the company dealt with the vulnerabilities found last year, use the cage at your own risk.