Quite rightly, people have asked about security in connection with the E-Stim Connect system. Previous internet-connected sex toys have attracted attention for having poor security which could, for example, allow anyone with the associated app to take control of a toy without the user being able to stop them, and for storing reams of personal and sometimes intimate information.
Security by design, Safety first.
In designing E-Stim Connect, we put a lot of thought into making this sort of scenario as unlikely as possible - we're not going to say impossible, because we don't believe in tempting fate. However, we did start from the beginning very much with security and safety in mind. This post sets out some of the steps we took, and explains how we aim to fulfil the draft guidelines in the UK Government's "Secure By Design" report on the "Internet of Things" (IoT). You can read the report yourself at https://www.gov.uk/government/publications/secure-by-design
Not quite IoT
Firstly, it's important to realise that in some senses, the E-Stim Connect service isn't the same as an IoT (Internet of Things) device. A typical IoT device - say a smart thermostat, or a security camera - relies upon its connection to the internet, and in some cases is useless without it. These devices are designed to be connected to the internet 24 hours a day, and that means that, potentially, they are vulnerable to attack 24 hours a day.
Although the 2B power box has its digital link interface, which allows it to be linked to a PC, it's not a true IoT device. Most users use the 2B without connecting it to a computer at all, and in that case it's completely isolated - there is no wifi or other sort of active connection built into the 2B at all.
When you use the E-Stim Connect system for remote play, you connect your 2B to the computer, the computer runs the Connect app, and that app then links over the internet to the Connect server. Another user links to the server via a secure webpage, and the server passes messages between the remote user and your power box.
No incoming connections
It's important to remember that at no point does anything connect from the internet to your computer or your 2B power box. The connection goes in the other direction, and there is no code in the Connect app that listens for connections from the internet - so there's also no need to allow any connections to come in through your computer or router's firewall. And, of course, when you quit the app, or click the Disconnect button, your 2B is no longer linked to the internet.
Rather than use user names and passwords, or a simple unchanging name for your powerbox to facilitate connections, the Connect system relies on a "key" which is created each time you link your powerbox to the server. The key is created using three different and unrelated elements, to ensure a unique value each time. It is extremely unlikely that you could randomly create a key that would allow you to make a connection to another user's power box.
Keys Expire after 4 hrs
Keys expire four hours after they've been created, and you can create a new one at any time. So, even if you allowed someone access to your powerbox before, disconnecting them and reconnecting to the server invalidates the key they have: if they try to use it again, it will no longer connect to you.
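The key lifecycle described above, as an added illustration rather than E-Stim's own code: the real key is said to be derived from three unrelated elements, whereas this model simply draws an unguessable token from the OS CSPRNG (an assumption) and concentrates on the four-hour expiry and on revocation when the box reconnects or disconnects.

```python
import secrets
import time

KEY_LIFETIME_SECS = 4 * 60 * 60          # keys expire four hours after creation


class KeyRegistry:
    """Maps live session keys to the power box they grant access to."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable so expiry can be tested
        self._keys = {}                  # key -> (box_id, created_at)
        self._current = {}               # box_id -> the key currently issued to it

    def connect(self, box_id):
        """Box links to the server: issue a fresh key and revoke the old one."""
        old = self._current.get(box_id)
        if old is not None:
            self._keys.pop(old, None)    # reconnecting invalidates the earlier key
        key = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG (assumption)
        self._keys[key] = (box_id, self._clock())
        self._current[box_id] = key
        return key

    def disconnect(self, box_id):
        """Disconnect button or app quit: the box is no longer reachable at all."""
        old = self._current.pop(box_id, None)
        if old is not None:
            self._keys.pop(old, None)

    def resolve(self, key):
        """Return the box a remote user's key authorises, or None when the key
        is unknown, revoked, or more than four hours old."""
        entry = self._keys.get(key)
        if entry is None:
            return None
        box_id, created = entry
        if self._clock() - created > KEY_LIFETIME_SECS:
            self._keys.pop(key, None)    # purge the expired key on first use
            if self._current.get(box_id) == key:
                del self._current[box_id]
            return None
        return box_id
```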
As well as disconnecting a remote user with one click, there are some other safety features. A Stop button is always available, and sets all the outputs of your 2B to zero right away. You can restrict what the remote user can do, including preventing them from changing the power setting of your box from low to high or vice versa, preventing them from changing the program mode (e.g. from pulse to milk), and you can set a maximum level for each channel. If they attempt to increase the level past that point, it won't be allowed.
Additionally, you can set a timeout, so that if the remote user has not changed any settings within a specific period, your box turns off. And, of course, you can at any time use the controls on the box itself to alter settings.
Secure by Design
Although the 2B powerbox itself is not really an IoT device, when you use it with the E-Stim Connect system, and it is linked to the internet, it can be considered to be one. So, this is how we align with the UK government draft guidelines on the Internet of Things, point by point.
- No default passwords
The E-Stim Connect system does not rely on stored passwords, so there are no default passwords; the keys used are randomly generated.
- Implement a vulnerability disclosure policy
Details of our vulnerability policy can be found on our security page.
- Keep software updated
E-Stim Systems regularly updates the firmware for its devices and apps. The E-Stim Connect downloads page lists the current latest versions of all the E-Stim Connect apps, and https://e-stim.info/downloads/firmware lists the details on the latest versions of the 2B firmware.
- Securely store credentials and security-sensitive data
User credentials are not stored.
- Communicate securely
All data transmitted across the internet is encrypted using TLS (Transport Layer Security).
- Minimise exposed attack surfaces
The Connect system does not require any adjustments to an end user's firewall. The Connect Server has the minimum number of ports open to allow the service to function. The system was specifically designed to avoid using a database, to further diminish the possibility of attacks via methods such as SQL injection. Security headers on the server are used to help ensure the integrity of the system.
- Ensure software integrity
The Connect app is provided as a signed application for Windows and Macintosh. The 2B firmware is encrypted and provided with MD5 checksums to allow verification of downloads.
- Ensure that personal data is protected
- Make systems resilient to outages
The 2B powerbox works as normal, regardless of the status of the Connect service.
- Monitor system telemetry data
Aggregate data is monitored to check for anomalous behaviour.
- Make it easy for consumers to delete personal data
No personal data is stored. System logs expire after a short time, and record the minimum data necessary to manage and support the Connect service.
- Make installation and maintenance of devices easy
We believe we have made the installation and setup of the Connect system as easy as possible.
- Validate input data
The Connect server only passes valid commands between the remote user and the 2B power box. The maximum size of data is also checked. Invalid or over-length commands are discarded, and not transmitted to the 2B. Additionally, the 2B itself does not respond to invalid commands.
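A relay-side filter combining the input validation described here with the per-session restrictions from the safety features section (maximum level per channel, locked power range, locked program mode, idle timeout). This is an added example, not E-Stim's own code: the page does not document the real 2B command format, so the line-oriented verbs, the 32-byte limit, the channel names and the policy fields are all assumptions.

```python
import time

MAX_COMMAND_LEN = 32                     # assumed size limit for a single command
MODES = {"pulse", "milk"}                # assumed names; the page mentions both modes
CHANNELS = {"A", "B"}                    # assumed channel names for the 2B's two outputs


class SessionPolicy:
    """What the local user allows a remote controller to do (hypothetical)."""

    def __init__(self, max_level, allow_mode_change=False,
                 allow_range_change=False, idle_timeout_secs=600):
        self.max_level = dict(max_level)        # channel -> ceiling the user set
        self.allow_mode_change = allow_mode_change
        self.allow_range_change = allow_range_change
        self.idle_timeout_secs = idle_timeout_secs


def filter_command(raw, policy):
    """Return the normalised command to forward to the box, or None to discard."""
    if not isinstance(raw, str) or len(raw) > MAX_COMMAND_LEN:
        return None                      # over-length input is dropped, never relayed
    parts = raw.strip().split()
    if not parts:
        return None
    op, args = parts[0].upper(), parts[1:]
    if op == "STOP" and not args:        # Stop is always honoured
        return "STOP"
    if op == "LEVEL" and len(args) == 2:
        chan, val = args[0].upper(), args[1]
        if chan not in CHANNELS or not val.isdigit():
            return None
        level = int(val)
        if level > policy.max_level.get(chan, 0):
            return None                  # above the per-channel maximum: not allowed
        return f"LEVEL {chan} {level}"
    if op == "MODE" and len(args) == 1 and args[0].lower() in MODES:
        return f"MODE {args[0].lower()}" if policy.allow_mode_change else None
    if op == "RANGE" and len(args) == 1 and args[0].upper() in ("LOW", "HIGH"):
        return f"RANGE {args[0].upper()}" if policy.allow_range_change else None
    return None                          # unknown verb or bad arity: discard


def idle_expired(last_change, policy, now=None):
    """True once the remote user has made no change for the configured timeout."""
    now = time.time() if now is None else now
    return now - last_change >= policy.idle_timeout_secs
```

Dropping (rather than clamping) an over-limit level keeps the relay's behaviour identical to the page's description, and because the filter rewrites the command from parsed fields the box never sees the remote user's raw bytes.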
Overall we hope we have managed to create a service that is easy to use, robust and secure. We are always open to discussion on how to improve our products, so if you have any comments, ideas or concerns, then please feel free to contact us.