[THREAD sorry]

So @smealum's #defcon #buttplug talk is done.

Piecing together what I can from slides posted to Twitter since going to Defcon would requires leaving the house.

AFAIK, our software is not affected by this specific exploit chain.

Info and some thoughts follow.
I will warn that this thread will be painfully technical.

If you're following me for intimate UI/UX contexts and don't wanna see a bunch of talk about OS API models and firmware and what not, feel free to mute this thread, I'll tag everything from here out with #meltbutt too.
So, to begin, an explanation of what's up:

@smealum presented today at @defcon 27, outlining a multi-exploit chain for Lovense toys, mostly between the Lovense electron app and their USB key, partially having to do w/ the firmware for the Nordic chip on the USB key.

This is a pretty good thread of slides from the talk, and gives you an idea of the information I'm working from. #meltbutt

I don't have enough information to talk about the exploits themselves yet, so I'll gonna concentrate on one of the things I mentioned in this thread (and something that would be out of scope at defcon): Why does this technology chain even exist? #meltbutt
Like, yes, it sounds wild that anyone would need:

- A bluetooth buttplug at all, ever
- A USB key that does USB-to-Serial-to-BLE
- An app built on top of a full browser, with all of the upkeep and exploits that come along with it.

So let's step through that.

Quick thread interruption: Here's another thread of more slides outlining the exploit itself thanks to the awesome @gurgdev. Once I've had some time to check it out I might do something else about my thoughts on that. #meltbutt

So, Bluetooth Buttplugs. Why?

Well, mostly: Because sex.

Computer Controlled Sex toys have been around since the late 90s (and theorized since the 70s-80s)

Up until the late 2000's, they were mostly wired. Either RS-232 or USB.

Basic bluetooth toys appeared in the late 00's, working on BT2 (aka BT Classic, aka RFCOMM/"Serial Port over BT that works if the wind is blowing in the right direction and mercury isn't in retrograde").

Once smartphones happened and got BTLE, development took off.

No one wanted a wire going to their butt so bluetooth sex toys got popular, even though they barely work.

Turns out humans are big bags of meat and water and radios hate meat and water.

So putting a radio in meat and water makes the radio angry.

Humans hate getting human juices on wires so they deal with putting a radio in meat and water for the promise of no wires.

Wireless combined with ability to have an app on your personal phone (vs say shared desktop), meant btle sex toys got popular and are the market.

So, without getting into the specifics of usage quite yet, that's why bluetooth buttplugs.


Why USB Key?

This is where we intersect with usage and business models.

Sex toys are hardware.

HW is usually a loss leader.

With the context of sex, you can usually sell anything at a wacky markup because who's gonna walk into ye ol' dildo shoppe and go "THESE PRICES?!", eh?

People will only buy hardware once and thus you're kinda out on recurring revenue until your planned obsolesce date.

And ✨Capitalism✨doesn't like that!

Therefore, we build a recurring revenue structure!

Up until last year, getting recurring revenue in sex had been a drag due to the "Teledildonics Patent", a piece of American Owned IP that basically forbid anyone from making computer controllable sex toys without licensing it.

Established 1997, RIP August 18, 2018.

(I swear I'm talking about USB keys here just gimme like 2-3 more tweets)

6-7 companies were sued to death by the patent holder in 2015.

Lovense, the center of our story today, licensed that patent so they could make their bluetooth sex toys without getting sued.

Alongside this, needing to establish longevity in the market, Lovense created their own IP portfolio, including a patent on how cam models interact with toys.

Because it turns out, sex toys are widely used by the sex worker community!

Imagine that!


One of the most popular ways to use computer controlled toys right now is via cam models.

Here's how that usually works:

- Cam Models buy a toy
- Toy hooks to the service they use to stream video (Chaturbate/Streammate/Camsoda/etc)
- Customers give models "tokens"
- Cam Service pings API that turns token giving amount/frequency into vibration speed
- Boom, Economically Closed Loop of Sex

So, if Lovense owns a patent on this loop, that means the cam services are required to use Lovense's API, which means cam models have to use Lovense's toys.

Vendor lockin achievement unlocked.

Of course, now we have to think about the technology stack involved in this.

We don't know what technology a cam model will own.

They could be streaming from their phone, or a desktop, or both.

We don't know what that hardware will be. PC? Mac? Android? iOS?

If Lovense's toys don't work, the cam model has to fuss with the tech while on stream.

I'm not sure if you've ever been on video while trying to debug tech while that tech is inside you.

It's not easy. And it's not sexy. And people usually won't pay you for it.

If lovense toys only worked via phones (due to BTLE being phone only mostly, and their app being mobile), then Lovense was beholden to the radio on whatever phone the model had.

Those bluetooth radios vary WILDLY in quality and affinity levels toward meat/water bags.

That also means that the model had to possibly pay attention to multiple machines. Their phone for the Lovense App *plus* their computer possibly running OBS or whatever proprietary streaming software their cam service gave them.

While also concentrating on customers.

So, Lovense needed a desktop version of their app, which would mean models could focus on a single machine for both streaming management and toy management.

This means BTLE on the Desktop!

A land of untold nightmares!

Now this is the part where I get to brag because buttplug.io is the only sex toy development platform I know of currently that does Bluteooth LE EVERYWHERE.


(NetBSD not included because users felt sex itself wasn't secure)

But, that has only arisen through YEARS of development pain. And there's a big thing that's missing from that list.

We only support Win 10 for Bluetooth LE.

There is no support for Win 7. Period. The end. Not gonna do it. Nope.

But, we're an open source project. We can make that kind of decision.

Lovense is a business, and as a business, needs to support the widest customer base possible.

Lovense has to support Windows 7.

Now it turns out that Win10 has a Bluetooth LE API built into it that sometimes sort of works. That's what Buttplug (the library) uses.

Windows 7, no such luck. You've got choices, none great.

BTLE on Win7 is done either via:

- Proprietary stacks to USB dongles
- Bitbanging BTLE over known USB protocols to BTLE dongles (this is what node's noble library does)
- Various USB-to-serial-to-BT chips like BlueGiga, nRF, etc.

You can emulate Serial similar to BT2's RFCOMM via 2 characteristics on a service in BTLE. A lot of devices do this, even if they don't go with a virtual COM port on the host end.

And that's exactly what Lovense did.


Lovense made a USB-CDC (aka USB Serial) key to translate to BTLE (this is where the nRF chip and JSON parser exploit are), so they could talk to their toys on any OS supporting USB-CDC.

Models pay Lovense $12 for the USB key, have toy "just work" on desktop, suddenly their shows are more streamlined and they can concentrate on using their toy and gettin' them tokens instead of trying to get it to work.

That's why this USB key exists.

*deep breath*




Ok, so now we know what bluetooth buttplug and why USB Key to talk to bluetooth buttplug.

Now why are we building an app based on a whole ass god damn browser for this?

You might notice I say "we" there.

Lovense aren't the only one that do this.

Intiface, my "user facing" application that embeds Buttplug (the library), is based on Electron.

There's reasons Intiface uses Electron, and being an ex-browser engineer I can get away with some super neat complicated excuses that will be in another thread if people want it.

But, I've got skin (or, well, being a buttplug, body safe silicone) in the game here too.

But let's get back to why Lovense is using electron.

It's pretty simple, but requires some knowledge of web tech history.

Before Electron, and before the modern WebAPI push, there were Chrome APIs.

Lovense's USB key has been around for at least, like... 5? 6? years?

Back when they first released it, the Google Chrome Browser had APIs (hung off the "chrome" object that existed at global scope) that would allow you to access things Javascript wouldn't let you.

This included access to the file system, HID devices, serial devices, etc... These were brought up as part of the ChromeOS project.

However, non-standardized web APIs are always looked down upon.

So they starting removing those APIs and porting them to the web.

Introducing new APIs to the Web is a process that I'm going to skip, but now the Blink Engine (which backs Chrome, Brave, the new MS Edge, Opera, etc) has things like WebUSB and WebBluetooth to access HW from webpages, with standards w3c proposed (but not ratified).

Lovense originally built their desktop USB key accessing app as a Chrome extension using the original Chrome APIs.

When those APIs disappeared, with no replacements for HID or Serial, they needed another way to access their hardware.

Thus, Lovense moved their toy control to Electron, in order to preserve the UI while being able to add the HW access in the parent process portion of Electron, using node libraries for the native hardware access.

There is a CHANCE Lovense could port their app back to the web using WebSerial/WebHID once those come out of origin trials.

I am not getting into a discussion about the efficacy/security of web hardware APIs.


Anyways, there you have it. This is why this tech stack exists the way it does, which is why it became a target for exploits @smealum found.

I'm not saying they're good reasons, but after talks like this people say


There's your why.

The radio exploits will have a much larger impact than just this niche segment of hardware, but this niche segment of hardware is what I concentrate on, so I figured I'd at least fill everyone in on this, 'cause I have fuck all better to do with this knowledge anyways.

If you have any questions, please feel free to comment and ask. My DMs are open if you're not comfortable asking on public timeline.

I'm also happy to talk to media, though for anything specifically security related I'll usually just say "talk to @internetofdongs".

I hope everyone had a great @defcon, and I hope this information provides you more context to go with what was presented there.

We now return you to your regularly scheduled buttplugs, already in progress.

*commercial break*




Donate to my patreon, if the lord moves you to do so.

At $3, you'll get stickers.

And because someone is gonna do this at some point anyways (though also impress on whoever you give this link to that they should smash the fuck out of that like/subscribe button):

Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to buttplug.io 🍑🔌 - Open Source Sex Tech
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!