Root Your Sleep Number Smart Bed, Discover It Phoning Home

A graphic representing the features of a Sleep Number smart bed, showing individually controlled heated zones

Did you know you can get a “smart bed” that tracks your sleep, breathing and heart rate, and even regulates the temperature of the mattress? No? Well, you can get root access to one, too, as [Dillan] shows, and once you are in, you may find a connection that phones home and looks a lot like a backdoor. The backstory to this hack is pretty interesting, too!

You see, a Sleep Number bed requires a network connection for its smart features, with no local option offered. Not to worry: [Dillan] wrote a Homebridge plugin that talked to the cloud API, so you could at least do something meaningful with the bed’s data. The plugin got popular, more popular than Sleep Number ever expected its API to be, and when the company discovered it, they asked that it be shut down. Tech-inclined customers are not to be discouraged, of course.

Taking a closer look at the hardware, [Dillan] found a UART connection, dumped the flash, and wrote an extensive tutorial on how to tap into the bed’s controller, which runs Linux, and add a service you can query locally for bed data and use to control the bed, just as it should have worked from the beginning. He also found a way to connect the hub to a network without using Sleep Number’s tools, which enables fully featured third-party use, something the company doesn’t seem to like. And he found a reverse SSH tunnel from the hub back into the Sleep Number network. That deserves a moment’s thought: the hub opens an outbound SSH session and asks the far end to forward a port back to it, so whoever holds the right access on the other side can log into a box sitting on your LAN, and your router never sees an inbound connection at all.
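If you have dumped the flash yourself, the reverse tunnel is something you can look for directly in the filesystem. The script below is an added example, not [Dillan]’s tutorial code: it walks an extracted root filesystem and flags the OpenSSH constructs that implement a reverse tunnel (a `RemoteForward` directive in a client config, `ssh -R` in an init script or cron entry) along with any pre-installed key material. The sample filesystem it builds, including the hostname, port numbers and key strings, is constructed for the demo and is not taken from the bed’s firmware.

```python
"""Audit a dumped root filesystem for reverse-SSH-tunnel indicators.

Added example, not [Dillan]'s tutorial code. Every path and file content
written by build_sample_rootfs() is constructed for the demo, not from
the real hub firmware.
"""
import re
import tempfile
from pathlib import Path

# Client-side constructs that create a reverse (remote-to-local) port forward.
REMOTE_FORWARD = re.compile(r"^\s*RemoteForward\s+(\S+)\s+(\S+)", re.I | re.M)
SSH_DASH_R = re.compile(r"\bssh\b[^\n]*?\s-R\s*(\S+)")
# One authorized_keys / .pub line: optional options, key type, base64 blob.
PUBKEY_LINE = re.compile(
    r"^(?:\S+\s+)?(ssh-(?:rsa|ed25519)|ecdsa-sha2-\S+)\s+[A-Za-z0-9+/=]+", re.M)


def find_reverse_tunnel_indicators(root):
    """Walk `root` and return a list of {file, kind, detail} findings."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable blob, device-node leftovers, etc.
        rel = str(path.relative_to(root))
        for m in REMOTE_FORWARD.finditer(text):
            findings.append({"file": rel, "kind": "RemoteForward",
                             "detail": f"{m.group(1)} -> {m.group(2)}"})
        for m in SSH_DASH_R.finditer(text):
            findings.append({"file": rel, "kind": "ssh -R", "detail": m.group(1)})
        if path.name.startswith("authorized_keys") or path.suffix == ".pub":
            for m in PUBKEY_LINE.finditer(text):
                findings.append({"file": rel, "kind": "pre-installed public key",
                                 "detail": m.group(1)})
        if "PRIVATE KEY-----" in text:
            findings.append({"file": rel, "kind": "private key", "detail": path.name})
    return findings


def build_sample_rootfs(base):
    """Write a small constructed rootfs under `base` (not real firmware)."""
    base = Path(base)
    for d in ("etc/ssh", "etc/init.d", "root/.ssh"):
        (base / d).mkdir(parents=True, exist_ok=True)
    (base / "etc/ssh/ssh_config").write_text(
        "Host tunnel-host\n"
        "    HostName tunnel.example.invalid\n"   # placeholder, not a real host
        "    User hub\n"
        "    RemoteForward 20022 localhost:22\n"  # the reverse tunnel itself
        "    ServerAliveInterval 30\n")
    (base / "etc/init.d/S99tunnel").write_text(
        "#!/bin/sh\n"
        "while true; do ssh -N -R 20023:127.0.0.1:22 tunnel-host; sleep 10; done &\n")
    (base / "root/.ssh/authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotRealDemoKeyNotRealDemoKeyNot vendor-support\n")
    (base / "root/.ssh/id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nConstructedNotARealKey\n"
        "-----END OPENSSH PRIVATE KEY-----\n")
    return base


def run_demo():
    """Build the constructed rootfs in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_reverse_tunnel_indicators(build_sample_rootfs(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['kind']:26} {f['file']:30} {f['detail']}")
```

Run it against the directory you extracted from the flash dump instead of the constructed tree, and treat a `RemoteForward` or `ssh -R` hit paired with an `authorized_keys` entry you did not put there as the tunnel described above. The regexes are deliberately loose (they will also match commented-out lines), so read each hit in context rather than trusting the count.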

Now, a phone-home tunnel can have legitimate uses, remote maintenance for one, but that doesn’t mean you want it inside your personal network, and it is attack surface that could be exploited in the future, which is why you’d want to know it is there. Perhaps you’d rather keep the hub off WiFi altogether and use Bluetooth instead. Having a local option is good for several other reasons, too. Making your smart devices depend on the manufacturer’s server is a practice that regularly results in perma-bricked devices, though we’ve been seeing some dedicated hackers bring such devices back to life. Thanks to this hack, once Sleep Number shutters, is bought out, or just wants to move on, its customers won’t be left with a suddenly dumbed-down bed they can no longer control.
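Knowing the tunnel is there is also something you can check from the network side without opening the hub, because a reverse tunnel is an outbound session the device keeps alive rather than anything inbound. The script below is an added example, not part of the original post or of [Dillan]’s work: it parses a small constructed flow log (a made-up key=value export format, with documentation-range addresses standing in for vendor servers) and flags long-lived outbound TCP sessions from an IoT subnet to non-local addresses, rating any on port 22 as high. The subnet, thresholds and every log line are assumptions for the demo.

```python
"""Flag long-lived outbound TCP sessions from an IoT subnet in a flow log.

Added example, not part of the original post. The log format, addresses,
subnet and thresholds are constructed for the demo.
"""
import ipaddress
import re

FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+dur=(?P<dur>\d+)s"
)

# RFC 1918 ranges; checked explicitly because ipaddress.is_private also
# treats the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: one persistent SSH session from the "bed hub"
# (192.168.50.23), an MQTT session from another IoT device, and noise.
SAMPLE_FLOWS = """\
ts=2024-05-01T02:00:00Z src=192.168.50.23:41234 dst=203.0.113.10:22 proto=tcp dur=86340s
ts=2024-05-01T02:00:05Z src=192.168.50.23:41300 dst=203.0.113.44:443 proto=tcp dur=12s
ts=2024-05-01T02:01:00Z src=192.168.50.31:55010 dst=198.51.100.7:8883 proto=tcp dur=7200s
ts=2024-05-01T02:02:00Z src=192.168.50.23:41301 dst=192.168.50.1:53 proto=udp dur=0s
ts=2024-05-01T02:03:00Z src=192.168.10.5:50000 dst=203.0.113.10:22 proto=tcp dur=9000s
"""


def parse_flows(text):
    """Parse key=value flow lines into dicts; silently skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "dur"):
            d[k] = int(d[k])
        flows.append(d)
    return flows


def flag_persistent_outbound(flows, iot_net, min_seconds=3600):
    """Return outbound TCP flows from `iot_net` to non-local hosts lasting >= min_seconds."""
    iot = ipaddress.ip_network(iot_net)
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if f["proto"] != "tcp" or src not in iot or f["dur"] < min_seconds:
            continue
        if any(dst in n for n in LOCAL_NETS):
            continue  # LAN traffic is not phoning home
        hits.append({"src": f["src"], "dst": f"{f['dst']}:{f['dport']}", "dur": f["dur"],
                     "severity": "high" if f["dport"] == 22 else "medium"})
    return hits


if __name__ == "__main__":
    for h in flag_persistent_outbound(parse_flows(SAMPLE_FLOWS), "192.168.50.0/24"):
        print(h)
```

Port 22 is only a heuristic: a vendor can run the tunnel on any port, so the medium-severity hits (here a long-lived MQTT session, which is normal for a cloud-tethered device) deserve a look too, and the decisive check is whether the session speaks SSH, not which port it uses. If you decide the tunnel is not welcome, the same outbound direction is what you block on the router for the IoT subnet.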

[Header image courtesy of Sleep Number]

63 thoughts on “Root Your Sleep Number Smart Bed, Discover It Phoning Home”

  1. Leela: “Didn’t you have ads in the 20th century?”
    Fry: “Well sure, but not in our dreams! Only on tv and radio…and in magazines…and movies. And at ball games, on buses, and milk cartons, and t-shirts, and bananas, and written on the sky. But not in dreams! No sirree.”

    1. At first I thought your comment was impossible to achieve, but after thinking about it I can see a way to do this: hack into the bed and turn the heat up to 120 celsius, thereby forcing the homeowner to open all the doors and windows.

    2. The data collected by the bed and (it seems) streamed to their servers by default would be enough to reasonably diagnose (with some false positives thrown in for fun) a handful of ailments (sleep apnea plus a few cardiac issues) that any company sneaky enough to hide a reverse ssh tunnel to every user’s home network could *easily* be sneaky enough to sell to data aggregators for packaging and resale to life and health insurance companies to use as an input in setting premiums.

      I have used the same outboard ssh to home carrying a reverse port forward enabling inbound SSH to administer the onboard computer for a semi-autonomous robot catamaran via the cell network (pretty much all of Lake Washington has cell coverage, as will most other long narrow glacial lakes in populated regions, like the Finger Lakes in New York) and it’s great because it cuts through the phone company’s NAT and firewall, is secure, and dead simple to use. However there is a huge difference between giving yourself access to your own device that way vs. selling consumers a device (especially something as personal and intimate as a bed bristling with sensors!) and quietly including such a mechanism.

      My general policy is to periodically examine network traffic at my house and if there’s any outbound connections I can neither account for nor decrypt and audit I block ’em and if that bricks some smart device, based on how much free time I have at my disposal I either hack the device or use it for target practice, though putting a crossbow bolt or bullet through most lithium ion batteries obviously requires keeping some fire extinguishers to hand =;-)

        1. Well, I don’t see how this one spies on you, specifically. Whatever data is being sent out, you already know to be going to their servers, because the product as-sold is cloud-connected. It’s not like a management tunnel results in it suddenly growing a microphone to collect your conversations.

          1. I actually did get a whiff of possible microphone tech in there, but I didn’t dig too deeply. It seems to be tied to an auto partner-snore feature, although I don’t think that is a feature they actually advertise, just the manual partner-snore feature. But there might be more truth to this fear than you think.

          2. You don’t see how it’s spying?
            A ‘normal’ uninformed user assumes that ‘the cloud’ is just a magic place that makes convenient things happen.
            They literally never think about a company taking that data and selling it to an aggregator.
            If this information is told to them, they assume the other person is just some paranoid nut job.
            Even when confronted with solid evidence, they don’t want to think about it.
            “Yes. Both of the other people whose houses you visited recently had kids. Your location data shows you and them sharing a space for hours. THAT is why you are suddenly being shown all those ads for baby stuff despite you not having children.”

            So yes. Collecting and selling your sleeping, heartrate, temperature, and other data IS spying regardless of the user ‘agreeing’ to some 24 page EULA, because no reasonable person is going to expect anyone to actually do it.

          1. Wasn’t it iRobot that did both? Voyeuristic Roomba with pictures shared online by low paid South American contractors iirc. It’s not enough to trust their entire labor supply chain.

          2. The roomba incident involved a development unit sent to homes agreeing to test them. They knew their streams would be sent to teams testing these devices. These beta bots also had a green warning sticker warning them about it.

  2. First, it’s not really surprising that these beds have espionage capability.

    Second, that’s only an additional reason to avoid them.

    I tried these out the last time we were mattress shopping, and in spite of the hype, I find them uncomfortable. I am a big guy, and if it was set too soft, I was bumping into the infrastructure. By the time it was “firm” enough that I didn’t feel the bars underneath, I felt like I was balancing on a beach ball.

    No, thanks.

    1. `espionage` is overselling it. I’ve added such tunnels into devices I’ve made for others, with informed consent ofc; they’re hella useful for maintenance/patching holes/debugging, doubly so given it’s a whole Linux computer in there.

      1. Clear consent changes things completely. As long as the customer understands there’s a backdoor (and what that means), then (hopefully) fine – though there’s always a risk you’ve got some poor security that lets someone else use your backdoor, putting their entire network at risk. Often fine in a business/remote setting though for administration of remote devices.

        But almost all consumers don’t understand what a reverse SSH tunnel is, or what the risks of that are, and can’t reasonably consent to it.

        1. ngl this leaves me split, because risks are more complicated; specifically, the ways we perceive them aren’t rational, and not to even start about “all data in cloud” and “cloud server only” risks that people are already ignoring because of ultimate convenience. I can see a “let us fix your issues remotely” switch, either physical or in-app, that a customer could flip at will, for instance. Besides, I’m probably biased, because when I see a “cloud server only” product, I just assume it has RCE too, since that’s only a step away, whether intentionally or unintentionally =D

      2. In the HP EULA when setting up a new printer, it says it collects analytics about what devices are on your network, MAC addresses, programs installed on your PC, etc. Ultimately, owning one of their printers and blindly accepting the default settings during setup (like a majority of people) turns you into a data mine for marketers.

        My concern with any tunnel in a networked device is that kind of espionage, because you’re right: spying on conversations and video cameras is explicitly illegal, while logging analytics is capitalism at work. And sending out ARPs to find what brand of smart TV you own, or what other smart home devices you have, that’s too technical for lawmakers to decide “maybe we shouldn’t allow this?”

        I don’t own the device in this article, but I wouldn’t be so quick to dismiss that type of espionage.

        1. Who would be so foolish to do business with HP in 2024?

          Not joking.
          They don’t even make test equipment anymore.
          If there was any doubt, HP bought EDS. EDS is HP Enterprise last I looked. Only competence remaining is marketing/lying to government and Fortune 500s.

          HP makes _nothing_ that can’t be bought from a better vendor.
          They are the Renault of computer companies.

          1. Yup, +1 for HP being hot garbage these days.
            Their printers have sucked for the last 15+ years.
            I’ve got a Laserjet 1100 from 2000 that I bought from a yard sale with two toner carts over 10 years ago and it still works brilliantly. Sure, it doesn’t have a big page per minute rate but it works AND I am amazed that the toner carts are still available for it!
            HP used to be good back then but now their printers run Windows CE (yes, that’s right, folks, these printers run embedded Windows!), probably so they can show pretty pictures of where the latest paper jam is, or tell you the printer cartridge isn’t a genuine HP one. I took one apart once that was going to be skipped and found they (the slightly older ones) even have a 4Gb SATA SSD with the WinCE stuff on it.
            I remember HP Deskjets at school in the 90s, which may not have been fast either but had no DRM and the ink cartridges weren’t ridiculously expensive (at least not by today’s standards).
            Bill and Dave would be ashamed to see what their company has become.

        2. Does it say how they handle the analytics? If it’s de-anonymized they might simply be using it to do things like determine development priorities (ie “40% of our customers have Apple devices, we should put more money into supporting MacOS.”) Collecting what programs are installed could help them figure out what programs to test with their drivers in QA.

          Or they could be selling the info to Palantir, sure. But we don’t really know, which is also a problem in and of itself.

      3. The NSA for almost its entire history has run projects that pay companies (and often employees at those companies, secretly) to put backdoors in equipment. Espionage could be right on the money. What possible legitimate reason do they have for this backdoor?

        Everyone always attributes these things to stupid/lazy developers, and not that it was 100% intentional.

        1. I mean, this is clearly intentional. They explicitly have the reverse port included in the SSH config and have a pre-shared public key stored so they can log in easily. What isn’t clear is the purpose. It is likely for maintenance, and maybe they use it for sending commands from the app/cloud to the device. But it could be used by anybody with the right access to have a backdoor into my personal network.

    2. +1 on the uncomfortable thing. I’m also a big guy and I tried basically every number. I had no comfortable number. Fortunately they honored their satisfaction guarantee and let me return it.

      I find the crappy air mattresses you can buy for $100 at Walmart or Amazon way more comfortable IMO.

    1. These are cool things for a certain slice of population – zoned bed heating, esp for couples, sleep tracking, these alone are good features. Sleep quality affects a fair bit of day-to-day life for many, so if you’re dealing with subpar sleep, this can absolutely help.

      1. I have no problem with features that might be useful to someone. but NOT internet connected or require an internet connection. That is just ‘wrong’. Frigs, beds, washing machines, garage doors, etc. Should have no internet connection to work.

    2. I prefer dumb tech to smart tech. Like I got a smart washing machine that dumps gallons of unused hot water down the drain every time a sensor sees something it doesn’t like, or if it’s paused too long (but not long enough for the water to get cold). Somehow it still gets an Energy Star rating (what they really have done is bucked the job of efficiency to the water heater, a hive of inefficiency). Trying to find a replacement with an old skool mechanical sequencer is damn near impossible. It’s not so smart it needs to connect to the internet, but I bet I would have a hard time finding one that doesn’t.

      Same goes for everything else. Just let a thing be a thing, leave the smarts in the computer where it belongs. They are not adding these features for our convenience, but theirs.

      1. You also have an LG washer? What a piece of crap. Any tiny imbalance triggers filling the whole bucket with water in a futile attempt to balance things. 3 times. Per spin. I miss my old washing machine.

    1. I worked on this project a dozen years ago or so.

      Marketing asked us to implement a two button remote control process to mute the bed’s telemetry for six hours.

      In the firmware it’s called sexy_time();

      😀

    1. The official reason appears to be because the long-term sleep data is tracked and processed on their servers. The hub doesn’t have the memory or processing power needed to do that kind of number crunching. And you can control most of the bed over Bluetooth anyway so you aren’t missing out on much by not using WiFi.

      The one data point I cared about that wasn’t available over Bluetooth was the bed occupancy signal, because that is useful for automations around the home. There is no reason they can’t expose it over Bluetooth of course, but with the local network enabled it is easy to get.

  3. If you connect a product to a network its going to try to call home. Thats pretty much standard operating procedure for corporate programming nowadays. WTH is anyone connecting their bed to their router anyway, thats just ridiculous.

    1. When they deliver it – they ask the wife for the wifi password. She says ask husband. He says we have no home internet, and the installer says they have to take it back as it will not work…
      2 hour phone call ensues, now we have “remotes” and it is not connected.

      No AI features though…. With above I can play!

      1. I think, while the risk does exist, it is low (as long as you have some basic hardware competence). The only modification to their code is the removal of the encrypted key check, and everything else is supplemental. And because that file is loaded from ROM on each boot, all you have to do is remove the modification from the bootcmd and you should be back to the original system.

  4. Advice requested.

    This post has made me think… thank you for that!

    Im part of the technical department of an IoT company that makes wireless sensors.
    Our gateway receives via radio and then uploads using MQTT protocol on top of LTE-M.
    Everything is coded in baremetal on STM32F0 (ARM-M0+)

    In case the company goes belly up, to avoid leaving behind a lot of trash … what would be the least-friction way to enable local MQTT and RS485 for controls?

    The current gateways deployed only have serial ports (UART) and that’s basically it, no wifi, nor ethernet. Memory is tight.

    Would you make an open-source addon to expand the existing fleet with local capabilities that parses via serial?

    1. Corrupt the backups for a year or so, then nuke the data in all locations w/ cronjob.

      ‘Open source’ the gateway/snooping device protocol. That’s the only way.

      Be at your new job when this happens.

    1. Future retrotech enthusiasts will refer to this period of server-dependent gadgets and software as the dark ages. I’d rather see another capacitor plague than this… abomination.
