*Privacy (and context) not included - IoD assessments

RenderMan

9 min read
*Privacy (and context) not included - IoD assessments

Below are a set of assessments for the same devices as assessed by the Mozilla Foundation in their Privacy not included Valentines 2019 list.  These are meant to supplement the Mozilla assessments and help provide some context to their findings.

For more information and background, please read the accompanying article

Lovense Lush, Hush, Max and Nora
We-Vibe Sync
Lioness
Fleshlight Launch
Je Jou Nuo
Vibratissimo Panty Buster
Kgoal Kegel Exerciser
Notes and Appendix

Lovense Lush, Hush, Max & Nora

Lovense Remote v3.4.6 - Released 1/30/19

  • Camera/Microphone permission: Yes, necessary for the audio and video calling features of the app and sound reactive functions
  • Location services permission: Yes, required for Bluetooth functions 1. Does not make any calls to query the users location. Does ask for the 'fine' location permission which is not absolutely necessary for Bluetooth function
  • Product uses encryption: Yes, the app gets an A rating2 for SSL/TLS on it's primary API endpoint of apps2.lovense.com. Device Bluetooth connections are short range and utilise standard Bluetooth encryption
  • Shares data with third parties: No information sent directly to third parties via app. Their privacy policy does allow for some aggregate and non-identifiable uses for product improvements, etc
  • Passwords: App requires login but does not enforce strong passwords. Bluetooth pairing on NORA and MAX utilise hard coded default PIN
  • Deletes Data: Option to delete all content (messages, pics, etc) but not whole account. Their privacy policy does provide a way to have it deleted by contacting the company
  • Manages Security Vulnerabilities: Lovense was the first adopter and test bed for the IoD vulnerability disclosure framework. security@lovense.com works and has been used by several researchers successfully and found to be very responsive
  • Comments: The alleged "hack" of the HUSH toy in the past was a local attack where an unpaired HUSH (or any other Lovense toy) would broadcast a default name that could disclose it's presence and who may be using it.  This however could apply to any IoD device and is an issue with Bluetooth in general. Due to human anatomy, the signal attenuation was significant and any hijack would require an attacker to be within about 4-5 feet of the wearer.  Additionally, the mentioned pending lawsuit appears to have little merit and a cursory look appears to be an attempt at a cash grab, similar to the We-Vibe Lawsuit.

We-Vibe Sync

We-Connect v3.0.3 - Released 12/22/18

  • Camera/Microphone permission: Yes, necessary for the video calling features of the app
  • Location services permission: Yes, required for Bluetooth functions1. Does not make any calls to query the users location (Note: earlier versions of the app did query user location, but only as required as part of their lawsuit settlement. See this article, about half way through)
  • Product uses encryption: Yes, the app gets an B rating2 for SSL/TLS on it's primary API endpoint of mm.sic-apps.net. Device Bluetooth connections are short range and utilise standard Bluetooth encryption and bonding
  • Shares data with third parties: Some crash analytics and feedback may be sent to hockeyapp domain (Common third party crash analytics company). (Note: Functionally difficult to verify as app is very secure and not easy to decompile due to security measures We-Vibe added recently).  Their privacy policy does allow for some aggregate and non-identifiable uses for product improvements, etc
  • Passwords: App does not require logon for remote control. Users generate one time links that setup a "pairing" between partners, only one partner at a time is allowed.  (Note: Mozilla's assertion by unnamed "security experts" that We-Vibe devices are easy to connect to remotely (i.e. via internet) are welcome to contact me and prove it)
  • Deletes Data: No option in the app to remove cached data specifically. No account or login is needed, so none to delete. Unclear what data may be retained on We-Vibe servers
  • Manages Security Vulnerabilities: No. No public security reporting instructions or contact info easily located. No disclosure process is available. Only general contact email available. (Note: Mozilla indicates they do, however they do not have any easy to find documentation on the process or contact information)
  • Comments: Even before the We-Vibe Lawsuit, the We-connect app was the best I had audited. After the lawsuit, they re-engineered the app and made it even better. It is still the high water mark for IoD apps I have assessed. That said, they have no public, easily found way to report security issues. Despite repeated attempts by the IoD project and other researchers, We-Vibe has not engaged with security researchers and seems openly hostile to them in some ways.

Lioness

Lovense Remote v3.4.6 - Released 1/30/19 (Note: IoD does not have a lioness in our test device library, as such, analysis is not complete)

  • Camera/Microphone permission: Yes, microphone. Appears to be for analytics and bug reporting features of zendesk. Not well disclosed in their FAQ or site
  • Location services permission: Yes, required for Bluetooth functions1. Does not make any calls to query the users location
  • Product uses encryption: Yes, the app gets an A rating2 for SSL/TLS on it's primary API endpoint of api.lioness.io. Device Bluetooth connections are short range and utilise standard Bluetooth encryption and bonding
  • Shares data with third parties:  Extensive use of Zendesk, Instabug and Crashlytics for app feedback and crash reporting. These are third party services well used in mobile apps, however the data collected in crash reports, etc, is not clear.  Zendesk has a screen capture functionality built in. The criteria it is used is unclear and not clearly disclosed.
  • Passwords: App requires login and uses auth0 service (which enforces strong passwords) however there is no obvious option to change your password (this is not good)
  • Deletes Data: No option to delete all content (messages, pics, etc) or whole account.
  • Manages Security Vulnerabilities: While they may indicate they do internally, they do not have a vulnerability disclosure program, bug bounty program, or other easily found way to report vulnerabilities. Additionally, they seem hostile to researchers as per their terms of service (see comments below)
  • Comments: While they are doing some things right, some things are questionable.  The large amount of usage and performance analytics is unusual. As is the lack of obvious way to change passwords.  The most concerning though is their Terms of Service expressly forbidding testing of their systems (see the "THINGS YOU CANNOT DO ON THE LIONESS SERVICE" section of their terms of service). Seeing something like this makes them seem hostile to researchers and makes anyone who finds a vulnerability and tries to report it think they may be turned over to the police. Terms of service are generally thought to not be enforceable for the most part, however it doesn't paint a pretty picture.

Fleshlight Launch

Feel Connect v2.1.12 - Released 1/17/2019

  • Camera/Microphone permission:  Yes, necessary for the video calling features of the app
  • Location services permission: Yes, required for Bluetooth functions1. Does not make any calls to query the users location
  • Product uses encryption: Yes, the app gets an A rating2 for SSL/TLS on it's primary API endpoint of api.feel-app.com. Device Bluetooth connections are short range and utilise standard Bluetooth encryption and bonding
  • Shares data with third parties: Third party analytics collection. Additionally the app integrates with other websites. Usage data may be collected by these sites separate from the app and its privacy policy
  • Passwords: Password is required for kiiroo.com account to register the device for warranty. The site does not require strong passwords.  Additionally, the device/app integrate with other websites for content. Those other sites may have their own password strength policies
  • Deletes Data: No option to delete account from the app. Their Privacy Policy may allow you to request your data be deleted by contacting Kiiroo directly
  • Manages Security Vulnerabilities: Sort of; Kiiroo was an early adopter of the IoD vulnerability disclosure framework and had a very beautiful page for it. However, they appear to have removed at some point.  I have contacted them and inquired and am waiting on a response. This will be updated when I receive a response
  • Comments: The Feelme platform needs some further research, however the amount of data collected for basic usage of the app with the device is minimal.  Kiiroo had a decent grasp of security from collaboration with the IoD project however that seems to have been sidetracked with recent growth and changes. Efforts are underway to re-establish this collaboration and solidify their commitment.

Je Jou Nuo

Je Jou v1.0.4 - Released 6/7/2017

  • Camera/Microphone permission:  Does not require the camera or microphone permission
  • Location services permission: No, however the version of the Android development kit they are targeting (SDK 18, which is android 4.4) predates the requirement of location permission for Bluetooth connections. It also means that most modern Android devices will not run it properly or without several warnings
  • Product uses encryption: The app has some peculiarities making analysis difficult, possibly due to its age. However these may be intentional as it has been flagged as malware according to 9 of 60 anti-virus engines on VirusTotal.com
  • Shares data with third parties: Unclear due to possible obfuscation and anti-analysis techniques. (Note: If it is malware, it may collect and share a lot with many third parties)
  • Passwords: Password not required
  • Deletes Data: No option to delete account from the app
  • Manages Security Vulnerabilities: No. Failure to update app, and failure to notice that the app is now being flagged as malware shows their lack of attention to security issues
  • Comments: I've reached out to Je Jou to alert them to the fact their app is flagged as malware and that they should take steps to update and fix their app.  I will update if/when I get a response. For now, best not use the app until a response is received and an update issued.

Vibratissimo Panty Buster

Vibratissimo v3.5 - Released 11/04/2018

  • Camera/Microphone permission:  Yes, necessary for the video calling features of the app and sound reactive functions
  • Location services permission: Yes, required for Bluetooth connections1, but also required for geographic (users in range) features
  • Product uses encryption: Yes, the app gets a B rating2 for SSL/TLS on it's primary API endpoint of vibratissimo.com. Device Bluetooth connections are short range but do not utilise all the available encryption and bonding
  • Shares data with third parties: Some crash analytics and feedback may be sent to flurry.com domain (Common third party crash analytics service)
  • Passwords: Passwords are required but not required to be strong. The app makes requests to the server at vibratissimo.com using SSL/TLS (https), but the server also supports unencrypted (http) connections, making is simple for an attacker to force connections to be unencrypted for easy capture or manipulation
  • Deletes Data: App provides the option to delete the account
  • Manages Security Vulnerabilities: No. After others found vulnerabilities the most egregious issues were fixed, but there remains a great many deficiencies that they noted almost a year ago and reported but the vendor has yet to address (verified as of the writing of this article)
  • Comments: Sadly, after independently verifying some of the issues noted above, and discovering a few of my own, it appears that Vibratissimo has not gotten the message about security and privacy. Efforts to establish a relationship with them will continue, but until then, utilise at your own risk.

kGOAL Kegel Exerciser

kGoal beta v3.3 - Released 2/4/2019

  • Camera/Microphone permission:  No
  • Location services permission: Yes, required for Bluetooth connections1. Does not make any calls to query the users location
  • Product uses encryption: Yes, the app gets a B rating2 for SSL/TLS on it's primary API endpoint of kgoal-app.kgoal.com. Some links to the privacy policy and other documentation still using unencrypted connections.  Device Bluetooth connections are short range and uses standard Bluetooth encryption and bonding
  • Shares data with third parties: Some crash analytics and feedback sent to crashlytics and hockeyapp services
  • Passwords: Passwords are required but not required to be strong
  • Deletes Data: App provides function to delete workouts immediately after, but not in bulk. App does not provide an option to delete account information
  • Manages Security Vulnerabilities: Sort of. After many years of neglect (2 years between v2.5 and v3.0) there has been a recent flurry of activity and development on the app. Likely this was spurred by the Mozilla researchers reaching out to the vendor and them realising they needed to update or suffer negative perceptions
  • Comments: I applaud the company for realising they needed to step up. They have a ways to go however and further analysis is required. I will be reaching out to them to see what assistance or guidance can be offered

Notes

  1. Since Android 6.0, Bluetooth connections have required the location permission in order to scan the local area for what devices are nearby. If you read the Android developer documents regarding Bluetooth Permissions and Bluetooth Low Energy, you would see that Bluetooth use by an app requires
    the ACCESS_COARSE_LOCATION permission at a minimum in order to function. This is a decision by Android/Google, and not something the developers or vendors have a choice about.  This permission, when granted, allows the app to query the user or device location, however it does not mean that the app actually ever does so.  If no calls for the location are made, the app is not actually aware of the user or devices location and thus cannot disclose it
  2. The SSLlabs.com website is a generally recognised standard way to test the relative security of SSL/TLS security implementations against generally accepted best practices. While two sites may both use SSL/TLS (HTTPS), there are many different ways to configure it, with some options weakening or strengthening security. Links are provided to the site for each API endpoint and if the results are stale, it will automatically re-run the test against the current best standards