Unhacked Mattress Phones Home

[Dylan] has a fancy bed that can be set to any temperature. Apparently this set him back about $2,000; it only works if it has Internet access, and the bed wants $19 a month for anything beyond basic features. Unsurprisingly, [Dylan] decided to try to hack the mattress firmware and share what he learned with us.

Oddly enough, it was easy to just ask the update URL for the firmware and download it. Inside, it turned out there was a mechanism for “eng@eightsleep.com” to remotely SSH into any bed and — well — do just about anything. You may wonder why anyone wants to gain control of your bed. But if you are on the network, this could be a perfect place to launch an attack on the network and beyond.

Of course, they can also figure out when you sleep, if you sleep alone or not, and, of course, when no one is in the bed. But if those things bother you, maybe don’t get an Internet-connected bed.

Oddly enough, the last time we saw a bed hack, it was from [Dillan], not [Dylan]. Just because you don’t want Big Sleep to know when you are in bed doesn’t mean it isn’t useful for your private purposes.
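As an added illustration (not code from the original write-up or from the vendor), here is the kind of audit a defender would run over an unpacked firmware image to flag the leftovers the article describes: an authorized_keys entry for an engineering account, an ssh endpoint in a production JSON config, and an AWS access key id. The sample tree, the key material, the endpoint host and the account name are all constructed placeholders.

```python
import json, os, re, tempfile

# Patterns for two artifacts the write-up describes: an AWS access key id and an
# OpenSSH public-key line (the form an authorized_keys entry takes).
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SSH_PUBKEY_RE = re.compile(r"^(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+(?: (\S+))?", re.M)

def flatten(obj, prefix=""):
    # Yield (dotted.key, value) pairs for a nested JSON object.
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    else:
        yield prefix.rstrip("."), obj

def audit_firmware(root):
    """Walk an unpacked firmware tree; return (kind, relative_path, detail) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            if name == "authorized_keys":  # every key listed here can log in as that user
                for m in SSH_PUBKEY_RE.finditer(text):
                    findings.append(("ssh_authorized_key", rel, m.group(1) or "<no comment>"))
            if name.endswith(".json"):  # e.g. a production.json carrying an ssh.endpoint
                try:
                    cfg = json.loads(text)
                except ValueError:
                    cfg = {}
                for key, val in flatten(cfg):
                    if "ssh" in key.lower() and "endpoint" in key.lower():
                        findings.append(("ssh_endpoint", rel, f"{key}={val}"))
            for m in AWS_KEY_RE.finditer(text):  # any file type, not just configs
                findings.append(("aws_access_key_id", rel, m.group(0)))
    return findings

def build_sample_tree():
    """Constructed stand-in for an unpacked image; every value is a placeholder."""
    root = tempfile.mkdtemp()
    for sub in ("root/.ssh", "etc/app"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "root/.ssh/authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY eng@example.com\n")
    with open(os.path.join(root, "etc/app/production.json"), "w") as fh:
        json.dump({"ssh": {"endpoint": "remote-connectivity.example.net"},
                   "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE"}}, fh)
    return root
```

Run `audit_firmware(build_sample_tree())` to see the three findings; point it at a real extracted image root to audit your own device.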

30 thoughts on “Unhacked Mattress Phones Home”

      1. I take your point, but I think regular folks could be expected to understand why a mattress doesn’t need – and therefore shouldn’t have – an internet connection.

        I’m not sure how many DO understand that though, thanks to relentless marketing that tells us technology is a service you rent and not a thing you own.

        1. The cloud enabled model is so pervasive, I have to wonder if the typical consumer would even realize that they could even connect to such a device without going through the internet.

          At least for my thermostats, I can make some argument for cloud connectivity.
          For my pool, the argument in favor is considerably weaker.
          For my bed, there’s just not an argument I’m willing to make.

          Well…maybe if that pesky little blonde haired girl keeps breaking in, testing out the beds and eating our porridge I could argue for cloud connectivity to detect that. Otherwise I’m good with my classic Sleep Number bed having up and down buttons for each side and an LCD.

          Never once have I wished to adjust it from farther away than the wired remote would reach. I’ve thought of putting the pump into a sound insulated box, but never even considered making it wireless.

        2. “It’s for updates I guess.”

          Why does your bed need updates?
          “I dunno, I’m not an engineer.” shrugs

          This is usually how it goes, and it’s not the fault of the layman being sold spyware. The solution is to pass laws against this sort of thing and make it illegal.

  1. I have a bit of Déjà vu from the article, not that I’ve read it earlier, but I believe these exact findings were already published last year by someone else. It may not have shared the AWS keys, but it certainly included the part about the company’s ability to watch you sleep. Quick search didn’t find much, except people actively jailbreaking these devices on Reddit.

    As for the technology, I’ve looked at it before, mainly a more advanced system with air-conditioning inside the bed. While it’s still unaffordable, it gets closer. These systems from Eight Sleep seem to be only for double beds, even though they just supply it with two separate systems. Looking through options, it’s certainly possible to DIY something here.

    1. Because if the subscription fee is sufficiently low, it will feel more affordable than a one-time purchase price, even if it will be net many times more over the lifetime of the thing. What’s worse is, with the subscription, you have to justify it by offering “features” that can “only” be offered via a service. So not only are you being financially held hostage, you are also giving up your privacy. The trick, these days, is to find providers who offer the things as a simple purchase. I blame cell phones as the thing that got us used to this, though; arguments could be made for safety razors and credit cards as the source.

  2. This link goes to a write-up! NOT a YouTube video! Hoorayyyyy!!! Please HaD- pretty please support this!
    Also.
    TLDR he recognized the downsides but has insomnia so was willing to put up with about anything – then cut the guts out of the mattress and replaced it with an aquarium chiller (that does heat and cool – presumably Peltier…).

  3. I put this in the same category as mattresses with non-magnetic springs (so as to not alter the earth’s magnetic field) and AC sockets with oxygen-free copper contact blades for audiophiles. It’s economic Darwinism.

    1. You can’t imagine the actual physical effect of a temperature controlled blanket for people who have night sweats or other sleeping conditions? While this system is ridiculously expensive for what it really is, it’s not pseudo-science, it’s just a combination electric blanket/cooling blanket.

  4. Jeez. The Tweets from the Eight Sleep CEO come across as some kind of Orwellian Nightmare! I have absolutely no interest in an Internet Connected bed but cripes, the tracking and insecurity in this product is enough to give me the creeps!

  5. The reporting of usage via that AWS key is likely covered by the EULA, and while gross, isn’t unexpected. Leaving the keys in the open is pretty bad practice, of course.

    The ssh config and keys are probably leftover from testing, and while it’s lazy that they were left in, I’m not sure they’re the security threat that was implied in the write up. No one from Eight Sleep, or anywhere, would be able to ssh into my mattress (if I had one) because port 22 (or any other port) on that device is not exposed to the world. Did the author try to connect to ssh from outside the LAN? If that worked (How? Did they open the port? Is UPnP involved?), did they try adding a key to authorized_keys and see if they actually got full control?

    While I appreciate the investigation and despise the invasiveness of products & services like this, there is a lot of speculation in this write-up in order to justify some pretty strong fear-mongering.

    1. When it is clear from the tweets (assuming that data is real, and not just creepy mind games) that it phones home, it really isn’t that unlikely that the average Joe’s bed will accept incoming SSH whenever the engineers want (as any semblance of privacy or client ownership of your mattress clearly isn’t part of the design).

      Also how many cheap crappy ISP routers ship with sane defaults that actively ban everything odd in or out? etc etc. The tech savvy HAD reader probably set their network up with at least some elements of security; their Gran/Aunt/Cousin/Siblings that make up 80%? 90% of the population on the other hand…

      1. This isn’t how networking works. Just because the bed is capable of accepting ssh connections, just putting it on your home network doesn’t mean it can. Either port forwarding or a DMZ would have to be configured, both beyond the average user.

        1. It’s also how NAT provides bidirectional communication, no unusual open ports necessary. So yes, phoning home can provide entry, and a web UI would allow for it to simply ingest waiting commands while performing them even without NAT.

        2. That’s true with IPv4, but we have IPv6 now sometimes, and sometimes the configuration on that is looser than you’d think – I’m not sure if it worked with vpn turned on, but what I found with a t-mobile data sim on android is that I could connect the phone to home wifi and share something over the local network and it would actually also be available over ipv6 on my phone’s public ip. Now, if I either extended a hotspot from that phone or put the same sim in a hotspot device like many people do if they can’t get cheap fiber, I wonder what all would default to being open?

    2. That’s a fair criticism but you seem to be glossing over the fact that they found a config file called production.json wherein ssh.endpoint = remote-connectivity-api.8slp.net. To me this suggests there might be a bit more going on here. Should we see more proof before calling this a real vulnerability? I certainly agree. However I think we’ve seen enough to be pretty concerned I’d say. Hard-coding API keys and SSH public keys is not how you should do product security in 2025.

  6. I do know how you feel about your sleeping problems and how important it is to find a solution for that. For me it was switching to a water bed. No internet required, but I pay for the extra electric power about as much as Eight Sleep users for their subscription only.

    But that Eight Sleep Pod Cover is just evil by design.
    I quote from a test by PCMag (U.K.):
    “The Home tab offers an overview of your sleep and health metrics, as well as lifestyle tags that you can add for the previous day with a tap, including Before Bed Stretch, Caffeine, Carbs, CBD, Drank Alcohol, Exercise, Jet Lag, Meditation, Recreational Cannabis, Sex, Stressful Day, Watching TV Late, and more.”
    So apart from everything else, I am supposed to tell ‘them’ when I drank alcohol, had sex or used cannabis?

    Pull the other leg, it’s got bells on it.
