In an experiment published by cybersecurity firm Pen Test Partner, tech expert Alex Lomas tested whether it was possible to hack a bluetooth-enabled sex toy after a colleague prodded him about the possibility. The experiment proved simple: Lomas pulled out his phone, launched detection app LightBlue and immediately found a sex toy–proving that hacking a sex toy is not only possible, but remarkably easy. The item Lomas located was a Lovense Hush, the “most powerful buttplug on the market,” which was planted in the rear of someone nearby. It’s important to note that Lomas didn’t do anything with this unfettered access, but the fact of the matter is he could have—and that poses a big problem.  

Teledildonics, a category of sex toys that can be used remotely or over the internet, have surged in popularity over the past two years and because of their digital designs, are now most susceptible to hacking, which Lomas has coined “screwdriving.“ The Lovense Hush was particularly vulnerable to hacks as the device uses Bluetooth to connect with smart objects, meaning its connection can be tampered with by anyone with basic know-how. More concerning, the device can be hacked via mobile phone by anyone within 30 feet of the device.

Of course, Hush’s Bluetooth feature is not intended for strangers, rather a consented partner who is given permission to pilot the toy for the wearer’s pleasure. But when one wanders outside of Hush’s connectivity range, it enters a discovery mode, which readies the device for others to discover, who can intercept and pilot the toy without the wearer’s consent.

A Lovense rep told Gizmodo that such a hack is possible, though unlikely, as the toy has a function that automatically turns it off if the connected device falls out of range. Still, adult companies have been in hot water lately and have been found irresponsibly susceptible to breaches. For instance, We-Vibe, another popular sex toy, was recently hacked and sensitive user data was leaked. The breach led to a number of lawsuits. Gizmodo notes that pretty much any Bluetooth-enabled toy can be probed by hackers, which is concerning when sex toys like the Siime Eye vibrator come equipped with cameras and could therefore offer outsiders a glimpse at your genitalia.

Because everybody has their own set of fetishes and turn-ons, Lomas noted that some may actually be intrigued by the prospect of their toys being taken over by a stranger, but explains the average consumer likely won’t realize they’ve consented to an experience that is not entirely private. He told Gizmodo these people are “essentially walking around with a giant butt plug transmitter broadcasting out of their anuses, or inadvertently offering a telescopic tour inside their vaginas.”

The case for how such hacks should be regarded legally has yet to be determined, but a stranger engaging in non-consentual genital play should definitely register as a violation since legally speaking, sexual assault doesn’t require penetration, only “sexual contact or behavior that occurs without the explicit consent of the recipient.”

To attain a better understanding for future lawsuits (because they will happen), Gizmodo spoke to Shannon Wu, a defense lawyer in Washington, D.C. who argues such a hack is sexual assault. “The typical definition of a felony sexual abuse is unconsented to penetration,” whether it’s with a body part or an object, Wu said. However, he acknowledges some lawyers may argue wearing a teledildonic device serves as blanket consent.

With more options than ever to have sex, what constitutes as consent is evolving as technology grows more sophisticated. Wu offers a compelling analogy. “If I’m entering a boxing match … I’m consenting, obviously, to the contest with my opponent. If he hits me, I can’t be yelling, ‘Oh, he assaulted me, he punched me!’ because we’re consenting to punching each other. But if his corner man, his manager, comes out and clocks me in the head during the match, they can’t argue, ‘You consented to a boxing match, so anybody gets to beat up on you’.”

Stewart Baker, a partner at law firm Steptoe & Johnson, disagreed. Baker told Gizmodo the clearest path forward is prosecuting screwdriving as a cyber crime under the 1986 Computer Fraud and Abuse Act, which encompasses all unauthorized access of a computer as well as the theft of its contents. While the act does not address teledildonics specifically, the CFAA would likely offer a means of translating such consent in a cyber environment. “The difference between being authorized and having consent is vanishingly small,” Baker explained, “and so if you don’t have authority to do something with somebody else’s dildo, then if you’re doing it remotely over the internet, you’ve committed a crime that could turn out to be a felony [under the CFAA].”

Legally, a CFAA violation and a sexual assault both register as felony crimes, though their sentences vary greatly, making the distinction important. Treating the hack as a computer-related crime would minimize the offense as it hinges on non-consensual sexual contact. On the other hand, a lawyer who argues that wearing a device like Hush in public is opening themselves to its unauthorized use. In other words: victim blaming.