[THREAD sorry]

So @smealum's #defcon #buttplug talk is done.

Piecing together what I can from slides posted to Twitter since going to Defcon would require leaving the house.

AFAIK, our software is not affected by this specific exploit chain.

Info and some thoughts follow.
I will warn that this thread will be painfully technical.

If you're following me for intimate UI/UX contexts and don't wanna see a bunch of talk about OS API models and firmware and what not, feel free to mute this thread, I'll tag everything from here out with #meltbutt too.
So, to begin, an explanation of what's up:

@smealum presented today at @defcon 27, outlining a multi-exploit chain for Lovense toys, mostly between the Lovense electron app and their USB key, partially having to do w/ the firmware for the Nordic chip on the USB key.

#meltbutt
This is a pretty good thread of slides from the talk, and gives you an idea of the information I'm working from. #meltbutt

I don't have enough information to talk about the exploits themselves yet, so I'm gonna concentrate on one of the things I mentioned in this thread (and something that would be out of scope at defcon): Why does this technology chain even exist? #meltbutt
Like, yes, it sounds wild that anyone would need:

- A bluetooth buttplug at all, ever
- A USB key that does USB-to-Serial-to-BLE
- An app built on top of a full browser, with all of the upkeep and exploits that come along with it.

So let's step through that.

#meltbutt
Quick thread interruption: Here's another thread of more slides outlining the exploit itself thanks to the awesome @gurgdev. Once I've had some time to check it out I might do something else about my thoughts on that. #meltbutt
ANYWAYS.

So, Bluetooth Buttplugs. Why?

Well, mostly: Because sex.

Computer Controlled Sex toys have been around since the late 90s (and theorized since the 70s-80s)

Up until the late 2000's, they were mostly wired. Either RS-232 or USB.

#meltbutt
Basic bluetooth toys appeared in the late 00's, working on BT2 (aka BT Classic, aka RFCOMM/"Serial Port over BT that works if the wind is blowing in the right direction and mercury isn't in retrograde").

Once smartphones happened and got BTLE, development took off.

#meltbutt
No one wanted a wire going to their butt so bluetooth sex toys got popular, even though they barely work.

Turns out humans are big bags of meat and water and radios hate meat and water.

So putting a radio in meat and water makes the radio angry.

#meltbutt
Humans hate getting human juices on wires so they deal with putting a radio in meat and water for the promise of no wires.

Wireless, combined with the ability to have an app on your personal phone (vs say a shared desktop), meant BTLE sex toys got popular and are the market.

#meltbutt
So, without getting into the specifics of usage quite yet, that's why bluetooth buttplugs.

ACT TWO:

Why USB Key?

#meltbutt
This is where we intersect with usage and business models.

Sex toys are hardware.

HW is usually a loss leader.

With the context of sex, you can usually sell anything at a wacky markup because who's gonna walk into ye ol' dildo shoppe and go "THESE PRICES?!", eh?

#meltbutt
People will only buy hardware once and thus you're kinda out on recurring revenue until your planned obsolescence date.

And ✨Capitalism✨doesn't like that!

Therefore, we build a recurring revenue structure!

#meltbutt
Up until last year, getting recurring revenue in sex had been a drag due to the "Teledildonics Patent", a piece of American Owned IP that basically forbade anyone from making computer controllable sex toys without licensing it.

Established 1997, RIP August 18, 2018.

#meltbutt
(I swear I'm talking about USB keys here just gimme like 2-3 more tweets)

6-7 companies were sued to death by the patent holder in 2015.

Lovense, the center of our story today, licensed that patent so they could make their bluetooth sex toys without getting sued.

#meltbutt
Alongside this, needing to establish longevity in the market, Lovense created their own IP portfolio, including a patent on how cam models interact with toys.

Because it turns out, sex toys are widely used by the sex worker community!

Imagine that!

(PAY SEX WORKERS)

#meltbutt
One of the most popular ways to use computer controlled toys right now is via cam models.

Here's how that usually works:

#meltbutt
- Cam Models buy a toy
- Toy hooks to the service they use to stream video (Chaturbate/Streammate/Camsoda/etc)
- Customers give models "tokens"
- Cam Service pings API that turns token giving amount/frequency into vibration speed
- Boom, Economically Closed Loop of Sex

#meltbutt
So, if Lovense owns a patent on this loop, that means the cam services are required to use Lovense's API, which means cam models have to use Lovense's toys.

Vendor lockin achievement unlocked.

#meltbutt
Of course, now we have to think about the technology stack involved in this.

We don't know what technology a cam model will own.

They could be streaming from their phone, or a desktop, or both.

We don't know what that hardware will be. PC? Mac? Android? iOS?

#meltbutt
If Lovense's toys don't work, the cam model has to fuss with the tech while on stream.

I'm not sure if you've ever been on video while trying to debug tech while that tech is inside you.

It's not easy. And it's not sexy. And people usually won't pay you for it.

#meltbutt
If lovense toys only worked via phones (due to BTLE being phone only mostly, and their app being mobile), then Lovense was beholden to the radio on whatever phone the model had.

Those bluetooth radios vary WILDLY in quality and affinity levels toward meat/water bags.

#meltbutt
That also means that the model had to possibly pay attention to multiple machines. Their phone for the Lovense App *plus* their computer possibly running OBS or whatever proprietary streaming software their cam service gave them.

While also concentrating on customers.

#meltbutt
So, Lovense needed a desktop version of their app, which would mean models could focus on a single machine for both streaming management and toy management.

This means BTLE on the Desktop!

A land of untold nightmares!

#meltbutt
Now this is the part where I get to brag because buttplug.io is the only sex toy development platform I know of currently that does Bluetooth LE EVERYWHERE.

Win/macOS/Linux/Android/iOS

(NetBSD not included because users felt sex itself wasn't secure)

#meltbutt
But, that has only arisen through YEARS of development pain. And there's a big thing that's missing from that list.

We only support Win 10 for Bluetooth LE.

There is no support for Win 7. Period. The end. Not gonna do it. Nope.

#meltbutt
But, we're an open source project. We can make that kind of decision.

Lovense is a business, and as a business, needs to support the widest customer base possible.

Lovense has to support Windows 7.

#meltbutt
Now it turns out that Win10 has a Bluetooth LE API built into it that sometimes sort of works. That's what Buttplug (the library) uses.

Windows 7, no such luck. You've got choices, none great.

#meltbutt
BTLE on Win7 is done either via:

- Proprietary stacks to USB dongles
- Bitbanging BTLE over known USB protocols to BTLE dongles (this is what node's noble library does)
- Various USB-to-serial-to-BT chips like BlueGiga, nRF, etc.

#meltbutt
You can emulate Serial similar to BT2's RFCOMM via 2 characteristics on a service in BTLE. A lot of devices do this, even if they don't go with a virtual COM port on the host end.

And that's exactly what Lovense did.

SEE I TOLD YOU I WAS GONNA GET BACK TO USB.

#meltbutt
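The "serial over two GATT characteristics" pattern described above, as an added example that is not code from the thread, Lovense or buttplug.io. It assumes one characteristic the host writes to (tx) and one the device notifies on (rx), newline-terminated messages, and a constructed fake device standing in for the radio; real BLE stacks return Promises from write, the fake here is synchronous.

```javascript
const ATT_PAYLOAD = 20; // default ATT MTU (23) minus the 3-byte ATT header
const MAX_LINE = 256;   // bound reassembly so a peer can't grow the buffer forever

class GattSerial {
  // txChar: host writes here. rxChar: device notifies here. Together they act
  // like the RX/TX pair of an RFCOMM serial link.
  constructor(txChar, rxChar) {
    this.tx = txChar;
    this.buf = '';        // partial line awaiting its newline
    this.lines = [];      // complete messages received
    this.overflows = 0;   // times a peer exceeded MAX_LINE without a newline
    rxChar.onNotify((fragment) => this.onFragment(fragment));
  }
  // Notifications arrive in ATT-sized pieces; reassemble into whole lines.
  onFragment(fragment) {
    this.buf += fragment.toString('utf8');
    let nl;
    while ((nl = this.buf.indexOf('\n')) >= 0) {
      this.lines.push(this.buf.slice(0, nl));
      this.buf = this.buf.slice(nl + 1);
    }
    if (this.buf.length > MAX_LINE) { this.buf = ''; this.overflows++; }
  }
  // Outbound data must be chunked the same way or the stack rejects the write.
  writeLine(line) {
    const data = Buffer.from(line + '\n', 'utf8');
    for (let off = 0; off < data.length; off += ATT_PAYLOAD) {
      this.tx.write(data.subarray(off, off + ATT_PAYLOAD));
    }
  }
}

// Constructed fake toy: echoes every TX fragment back as an RX notification,
// uppercased, so the host sees the same fragmentation a real device produces.
function fakeDevice() {
  let notify = null;
  return {
    tx: { write: (b) => notify(Buffer.from(b.toString('utf8').toUpperCase())) },
    rx: { onNotify: (h) => { notify = h; } },
  };
}

// Sends a short constructed command and a 45-byte one (three fragments).
function demo() {
  const dev = fakeDevice();
  const port = new GattSerial(dev.tx, dev.rx);
  port.writeLine('ping;');
  port.writeLine('x'.repeat(45));
  return { lines: port.lines, overflows: port.overflows };
}
```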
Lovense made a USB-CDC (aka USB Serial) key to translate to BTLE (this is where the nRF chip and JSON parser exploit are), so they could talk to their toys on any OS supporting USB-CDC.

#meltbutt
Models pay Lovense $12 for the USB key, have toy "just work" on desktop, suddenly their shows are more streamlined and they can concentrate on using their toy and gettin' them tokens instead of trying to get it to work.

That's why this USB key exists.

#meltbutt
*deep breath*

ACT THREE:

ELECTRON?! IN MY BUTT?!

IT'S MORE LIKELY THAN YOU THINK.

#meltbutt
Ok, so now we know what bluetooth buttplug and why USB Key to talk to bluetooth buttplug.

Now why are we building an app based on a whole ass god damn browser for this?

#meltbutt
You might notice I say "we" there.

Lovense aren't the only ones that do this.

Intiface, my "user facing" application that embeds Buttplug (the library), is based on Electron.

#meltbutt
There's reasons Intiface uses Electron, and being an ex-browser engineer I can get away with some super neat complicated excuses that will be in another thread if people want it.

But, I've got skin (or, well, being a buttplug, body safe silicone) in the game here too.

#meltbutt
But let's get back to why Lovense is using electron.

It's pretty simple, but requires some knowledge of web tech history.

Before Electron, and before the modern WebAPI push, there were Chrome APIs.

#meltbutt
Lovense's USB key has been around for at least, like... 5? 6? years?

Back when they first released it, the Google Chrome Browser had APIs (hung off the "chrome" object that existed at global scope) that would allow you to access things Javascript wouldn't let you.

#meltbutt
This included access to the file system, HID devices, serial devices, etc... These were brought up as part of the ChromeOS project.

However, non-standardized web APIs are always looked down upon.

So they started removing those APIs and porting them to the web.

#meltbutt
Introducing new APIs to the Web is a process that I'm going to skip, but now the Blink Engine (which backs Chrome, Brave, the new MS Edge, Opera, etc) has things like WebUSB and WebBluetooth to access HW from webpages, with standards w3c proposed (but not ratified).

#meltbutt
Lovense originally built their desktop USB key accessing app as a Chrome extension using the original Chrome APIs.

When those APIs disappeared, with no replacements for HID or Serial, they needed another way to access their hardware.

#meltbutt
Thus, Lovense moved their toy control to Electron, in order to preserve the UI while being able to add the HW access in the parent process portion of Electron, using node libraries for the native hardware access.

#meltbutt
There is a CHANCE Lovense could port their app back to the web using WebSerial/WebHID once those come out of origin trials.

I am not getting into a discussion about the efficacy/security of web hardware APIs.

BECAUSE REASONS, OK?

#meltbutt
Anyways, there you have it. This is why this tech stack exists the way it does, which is why it became a target for the exploits @smealum found.

I'm not saying they're good reasons, but after talks like this people say

"BUT WHY IS THIS EVEN A THING"

There's your why.

#meltbutt
The radio exploits will have a much larger impact than just this niche segment of hardware, but this niche segment of hardware is what I concentrate on, so I figured I'd at least fill everyone in on this, 'cause I have fuck all better to do with this knowledge anyways.

#meltbutt
If you have any questions, please feel free to comment and ask. My DMs are open if you're not comfortable asking on public timeline.

I'm also happy to talk to media, though for anything specifically security related I'll usually just say "talk to @internetofdongs".

#meltbutt
I hope everyone had a great @defcon, and I hope this information provides you more context to go with what was presented there.

We now return you to your regularly scheduled buttplugs, already in progress.

#meltbutt
*commercial break*

IT SLICES.

IT DICES.

IT GIVES ME MONEY TO MAKE LONG ASS TWITTER THREADS LIKE THIS.

Donate to my patreon, if the lord moves you to do so.

At $3, you'll get stickers.

patreon.com/qdot
And because someone is gonna do this at some point anyways (though also impress on whoever you give this link to that they should smash the fuck out of that like/subscribe button):

threadreaderapp.com/thread/1160624…