Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovesense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities.
Smea's attack starts by compromising the Hush's Bluetooth dongle, then using that to send malicious commands or upload malicious code to the insertable sex-toy component. The compromise attacks Lovesense's implementation of the Bluetooth Low Energy protocol, and the vulnerability may also be present in other devices (the chips haven't been manufactured since 2017, and its manufacturer, Nordic Semiconductor, has published a security advisory based on Smea's findings).
Smea's proof of concept code is live on Github, with the injunction "don't be a dick, please don't actually try to use any of this."
In an interview with Gizmodo's Dell Cameron, Smea speculates on whether hijacking a sex-toy should be considered sexual assault and concludes, "Personally, I don’t know if that’s the case or not. I know it would be a really shitty thing to do either way, so people should not do it."
From there you can compromise other [buttplug] apps through the social feature of the app, either through straight-up chats, by sending a message with HTML, or by compromising the dongle of the remote partner [using the feature that allows you to] send messages to control the partner’s toy. And that actually allows you to exploit a vulnerability inside the dongle’s code, which is in the JSON parser.