Smart Sex Toy Firm Forced To Pay £3 Million In Data-Tracking Lawsuit

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Security vulnerabilities and secret data tracking result in significant financial hit for Canadian sex toy firm

A Canadian manufacturer of smart sex toys has been forced to pay out $3.75 million (£3m) after being hit with a privacy infringement lawsuit for tracking customers’ sexual habits without their knowledge.

After being spanked in the court case, We-Vibe has agreed to pay customers up to $10,000 (£6,120) each after its “smart vibrator” and connected app were found to be secretly tracking owners’ use and recording metrics such as the temperature of the device and the vibration intensity.

The app was also revealed to contain multiple security and privacy vulnerabilities, potentially allowing strangers to take control of the vibrator.

Peeping tech 

The agreement was reached between two anonymous complainants and Standard Innovation Corporation, We-Vibe’s parent company, in an Illinois federal court.

Customers who used the app are entitled to the full compensation amount of $10,000, while those who used the vibrator alone can claim up to $199.

Standard Innovation said in a statement: “At Standard Innovation we take customer privacy and data security seriously. We have enhanced our privacy notice, increased app security, provided customers [with] more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app.

“With this settlement, Standard Innovation can continue to focus on making new, innovative products for our customers.”

This lawsuit highlights a larger problem within the Internet of Things (IoT) industry, where connected devices continue to be designed with security as an afterthought rather than a necessity.

“This is yet another example of IoT devices being rushed to market without proper consideration of privacy, and with rampant security vulnerabilities,” commented Cesar Cerrudo, CTO at IOActive. “We are connecting more and more of these devices to the internet and manufacturers are really not applying due diligence, which in the long run will be really costly.

“While they may get the upper hand in beating the competition to get products to market, they lose out in the long run. Fines and the reputational damage have the potential to sink a start-up before they have the chance to really get going. I mean, who will really trust this company after hearing it has been harvesting this most private of information?”

Internet of Threats

Despite ever-more innovative use cases being developed for a range of industries, a growing number of security threats continues to plague manufacturers of connected devices in the IoT industry.

IoT malware is now more sophisticated than ever before, and the recent hacking of a line of connected stuffed toys, in which the personal data of more than 800,000 users was accessed, is a prime example of the problems facing the sector.

The smart home is expected to be one of the next significant threat vectors in the IoT and, unless devices are designed with security at the core, the same old issues will continue to rear their ugly heads.
