A smart sex toy-maker has acknowledged that a bug with its app caused handsets to record and store sounds made while its vibrators were in use.
Lovense was alerted to the issue by a Reddit user who had discovered a lengthy recording on their phone.
The Hong Kong-based firm said that the audio file was not transmitted off the device and has now issued a fix.
But one expert said the case highlighted the risks of using internet-connected gadgets.
The matter gained attention after being reported by The Verge news site.
Audio-activated
Lovense's Remote app allows its sex toys to be controlled via Bluetooth. It uses a smartphone's microphones to listen to nearby sounds so that noises can be used as a trigger if desired.
What was not clear was that the audio was being stored – the company's privacy site states that it "designed our system to record as little information about our users as possible".
However, last Thursday one owner flagged the issue.
"I was going through my phone media to prepare it for a factory reset and came across a… file named "tempSoundPlay.3gp," wrote the user nicknamed tydoctor.
"The file was a full audio recording six minutes long of the last time I had used the app to control my… vibrator. (We used it at a bar while playing pool).
"At no time had I wanted the app to record entire sessions using the vibrator."
The company responded the next day describing the issue as being "a minor bug" that was limited to Android devices, and added that "no information or data is sent to our servers".
It subsequently reported that it had released an update that addressed the problem. Lovense explained that it still needed to make recordings to provide sound-activated vibrations, but the files would now be much shorter-lived.
"The fix deletes the temporary audio file… after exiting the Sound Control feature and the app will do an additional check and delete each time the app is started," it explained.
Theft risk
Earlier this year, another internet-connected sex toy manufacturer – Standard Innovation – was forced to pay more than £2m to its customers after its app was discovered to be sending back data about owners to the company.
One researcher said Lovense's mistake appeared to be mild in comparison.
"It was an unwise thing to record but the actual risk to users was relatively low unless someone stole their phone," commented Ken Munro from Pen Test Partners.
A second expert added that making a temporary recording was not, in itself, too concerning.
"While this file could be stored in RAM [random-access memory], it is much easier and more efficient to stream it to disk for temporary storage," blogged a researcher known as RenderMan.
"This makes sense, especially when it was clear that the file was meant to be purged once it was no longer needed."
However, this is not the first time that vulnerabilities have been discovered in Lovense's software.
Last December, the company had to tackle a variety of flaws that made it possible to discover users' email addresses.
Mr Munro advised that owners of smart sex toys and other "internet of things" kit needed to accept there were risks involved.
"Anything that uses a camera and a microphone potentially has the opportunity to cause a privacy invasion," he said.
"At present, there's a complete lack of standards, so it's a Wild West right now."
A smart sex toy-maker has acknowledged that a bug with its app caused handsets to record and store sounds made while its vibrators were in use.
Lovense was alerted to the issue by a Reddit user who had discovered a lengthy recording on their phone.
The Hong Kong-based firm said that the audio file was not transmitted off the device and has now issued a fix.
But one expert said the case highlighted the risks of using internet-connected gadgets.
The matter gained attention after being reported by The Verge news site.
Audio-activated
Lovense's Remote app allows its sex toys to be controlled via Bluetooth. It uses a smartphone's microphones to listen to nearby sounds so that noises can be used as a trigger if desired.
What was not clear was that the audio was being stored – the company's privacy site states that it "designed our system to record as little information about our users as possible".
However, last Thursday one owner flagged the issue.
"I was going through my phone media to prepare it for a factory reset and came across a… file named "tempSoundPlay.3gp," wrote the user nicknamed tydoctor.
"The file was a full audio recording six minutes long of the last time I had used the app to control my… vibrator. (We used it at a bar while playing pool).
"At no time had I wanted the app to record entire sessions using the vibrator."
The company responded the next day describing the issue as being "a minor bug" that was limited to Android devices, and added that "no information or data is sent to our servers".
It subsequently reported that it had released an update that addressed the problem. Lovense explained that it still needed to make recordings to provide sound-activated vibrations, but the files would now be much shorter-lived.
"The fix deletes the temporary audio file… after exiting the Sound Control feature and the app will do an additional check and delete each time the app is started," it explained.
Theft risk
Earlier this year, another internet-connected sex toy manufacturer – Standard Innovation – was forced to pay more than £2m to its customers after its app was discovered to be sending back data about owners to the company.
One researcher said Lovense's mistake appeared to be mild in comparison.
"It was an unwise thing to record but the actual risk to users was relatively low unless someone stole their phone," commented Ken Munro from Pen Test Partners.
A second expert added that making a temporary recording was not, in itself, too concerning.
"While this file could be stored in RAM [random-access memory], it is much easier and more efficient to stream it to disk for temporary storage," blogged a researcher known as RenderMan.
"This makes sense, especially when it was clear that the file was meant to be purged once it was no longer needed."
However, this is not the first time that vulnerabilities have been discovered in Lovense's software.
Last December, the company had to tackle a variety of flaws that made it possible to discover users' email addresses.
Mr Munro advised that owners of smart sex toys and other "internet of things" kit needed to accept there were risks involved.
"Anything that uses a camera and a microphone potentially has the opportunity to cause a privacy invasion," he said.
"At present, there's a complete lack of standards, so it's a Wild West right now."
