In brief
- Cellmate smart chastity cages were hacked and locked by an attacker.
- The attacker demanded a ransom of 0.02 BTC (about $650) from locked users.
- An API flaw was exposed in October that allowed hackers to take control from afar.
There’s been a surge of internet-connected smart devices that offer seeming upgrades over the normal, “dumb” versions of products, including features like remote access and control. But here’s one smart device that you might want to rethink attaching to your body—and, yeah, there's a Bitcoin twist.
Vice reports today that an app-controlled smart chastity cage product called Cellmate—which locks the wearer’s penis within a polycarbonate shell—was hacked, with the attacker taking control of the devices and demanding a ransom in Bitcoin from affected users.
The attacker reportedly locked the cages of several victims and demanded a ransom of 0.02 BTC (about $650 as of this writing) from each to free them from their cages. “Your cock is mine now,” the attacker told one victim, according to screenshots shared with Vice by security researcher "Smelly" of vx-underground.
Cryptocurrency is typically preferred in ransomware attacks due to the difficulty in tracking transactions. Bitcoin is a popular coin for such demands, as seen in some recent high-profile ransomware attacks, although privacy-centric coins like Monero are also common.
The news follows an October report about a security flaw in the Cellmate API, which UK security firm Pen Test Partners said could leave attacked users permanently trapped.
“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device,” the firm wrote. “There is no physical unlock. The tube is locked onto a ring worn around the base of the genitals, making things inaccessible. An angle grinder or other suitable heavy tool would be required to cut the wearer free.”
Qiui, the Chinese manufacturer of Cellmate, reportedly stopped responding to Pen Test Partners following approximately six months of communication about the issues from Pen Test and other security researchers and journalists. Given the latest word about attackers targeting Cellmate users, it appears that the API flaw still has not been addressed.
"Almost every company and product is going to have some kind of vulnerability in its lifetime. Maybe not as bad as this one, but something," Pen Test Partners security researcher Alex Lomas told Vice. "It’s important that all companies have a way for researchers to contact them, and that they keep in touch with them."