Smart chastity device’s security flaw let hackers ‘permanently’ seal users up, researchers warn

A word of caution for chastity kink fans: Unless you’re willing to have your cock and balls “permanently” locked up by a total stranger, you may want to avoid the Qiui Cellmate Chastity Cage. The sex tech device’s security flaws reportedly granted hackers the ability to nonconsensually lock up users’ genitals remotely.

The Cellmate is an Internet-of-Things chastity cage, a miniature device that locks users’ penises in a form-fitting jail. The device is used as part of a chastity kink, which is a Domination-and-submission fetish for preventing a sexual partner from experiencing sexual pleasure.

In theory, the Cellmate lets the dominant play partner lock and unlock their submissive cage-wearer via Qiui’s mobile app. But cybersecurity organization Pen Test Partners published a blog report on Tuesday revealing the smart chastity device’s app has flaws. A series of weak authentication features granted unauthorized third-party users access to any given user’s name, phone number, birthday, linked devices, unencrypted password, and GPS location. Hackers could then use this information to remotely lock any user into chastity, forcing them to wear the Qiui Cellmate for as long as the hacker desired.

“It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” Pen Test Partners warned in its report. “There is no emergency override function either, so if you’re locked in there’s no way out.”

Unfortunately, Pen Test Partners found the Cellmate wasn’t easy to unlock by hand, forcing users to slice into the device or pry open its circuit board and direct voltage to the lock’s motor. In most cases, a locked-out user would have to run to the emergency room to safely remove the device.

“A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots,” Pen Test Partners said in its post. “Further, users are likely to want to keep their private lives private. They should expect privacy by default and security by design.”

Pen Test Partners contacted Qiui with its findings in May, and while the company took steps to fix the app’s security flaws, not all of the issues were patched. After Qiui became uncooperative with concerned researchers, Pen Test Partners published its findings. It remains unclear if any hackers successfully locked any users into chastity, although some users reported Qiui’s app “had bugs that would cause the device to stay locked,” essentially forcing the wearer into chastity, TechCrunch reported.

“We had particular problems during the disclosure process, as we would usually ask the vendor to take down a leaky API whilst remediation was being implemented,” Pen Test Partners wrote in its post. “However, anyone currently using the device when the API was taken offline would also be permanently locked in!”

Qiui’s security flaws are deeply troubling to chastity kinksters and sex tech experts. Kyle “qDot” Machulis, the programmer behind the open-source sex toy programming library Buttplug, criticized Qiui for its irresponsible sex tech designs. Machulis said Qiui’s self-described “basement team” should not have built a BDSM-based device if it could not “build security up front.”

“Edge play is hard enough person to person,” Machulis tweeted. “Adding tech possibly adds the developments of 1000s of developers and engineers who most likely weren’t thinking of your interests.”

Riley Crawford, a chastity kinkster alarmed by the Qiui Cellmate’s flaws, similarly stressed that the kink requires strong safety measures and communication skills between its practitioners and therefore cannot be treated lightly by sex tech designers.

“One of the main ethical and consent concerns you have to know when you’re getting into [chastity] (with another partner, at least) is that focus on safety and comfort of the person being caged is paramount, adherence to standard kink safety practices is a definite must, safewords become extra necessary in play where the caged individual is being degraded (as a lot of chastity play tends to lean into), as well as making sure both people in said scene trust each other enough to both hold their play partner’s keys and also be caged,” Crawford told the Daily Dot. “The fact that the company’s response was shockingly poor sort of proves the unreliability of the device … They’ve actively allowed others to intrude onto scenes or lifestyle choices by two consenting parties, as well as the fact there was no other safety mechanism to get it off, is absurd.”

Similar privacy issues have plagued sex tech in the past. Popular sex toy creator We-Vibe was subject to a data collection lawsuit in 2016, which ultimately led the company to pay $4 million for the unsolicited collection of information on its toys’ users. The Mozilla Foundation, the developers behind the Mozilla Firefox web browser, has regularly sounded the alarm on major privacy violations among sex tech designers, including Je Joue and We-Vibe. The Qiui Cellmate is just the latest entry in a much longer history of such issues plaguing a growing sex industry.

“It’s a pretty big blunder on the producer’s part, and if someone bought one of the cages or even just read any of the articles, it’d probably be enough to give them a somewhat negative view of the kink,” Crawford said. “I think it’ll affect how people view [chastity] from an outside view too, especially in the age where there’s huge leaps and bounds in tech specifically related to kink and sex.”

The Daily Dot reached out to Qiui and Pen Test Partners for comment.