Qiui Cellmate Chastity Devices Locked Remotely by Attacker

After security researchers identified a vulnerability in Qiui Cellmate, a Chinese-built chastity device controlled via a mobile app, someone figured out how to weaponize it and use it in the real world, locking up devices to then demand a ransom.

The idea of a chastity device controlled via a mobile app is terrifying, given today’s terrible IoT security standards. Much larger companies than Qiui have problems securing their devices, so it wasn’t a surprise that the Cellmate has at least one major vulnerability.

Just a few months ago, security researchers from Pen Test Partners discovered a bug in the API that controls communication between the device and the smartphone. The lack of API security permitted anyone to take over a chastity device and lock it. At that time, it was only a curiosity, but the company issued a fix that would only work for people who downloaded the update.

Now, it turns out that an attacker started to lock Qiui Cellmate devices from all over the world, asking for 0.02 bitcoins (around $270 at that time) to unlock them, according to a Bleeping Computer report.

The situation took an interesting turn when the source code for the Cellmate malware was discovered online. Now, it turns out, many more attackers will have direct access to it. This complicates the situation for the Qiui Cellmate as more and more customers experience problems.

The company advised users to contact support if attackers remotely lock their devices. The alternative is to use a screwdriver to release the lock, but that will void the warranty, such as it is.

According to Bleeping Computer, the attacker confirmed that no one actually paid the ransom, which is likely the only good news in this situation.

Image credit: Qiui