Smart bed Eight Sleep tracks sleepers and has a secret backdoor allowing for remote connections


Some smart home products are extra icky cybersecurity-wise. Security researchers found that a smart bed from Eight Sleep lets the vendor connect to it remotely and run arbitrary code on it, while also beaming sleep data to storage on Amazon Web Services (AWS).

“They can know when you sleep. They can detect when there are two people sleeping in the bed instead of one. They can know when it’s night and nobody is in the bed. Imagine your ex works for Eight Sleep,” Dylan Ayrey and Jake King, co-founders at Truffle Security, write in a blog.

The firmware for a $2,000 smart temperature-controlled bed contains backdoors and questionable choices.


One of them is the ability to access the device remotely using a secure shell (SSH) connection.

This allows “all of Eight Sleep’s engineers to remotely SSH into every customer’s bed and run arbitrary code that bypasses all forms of formal code review process,” the researchers said.

They provided firmware snippets showing that SSH access is authorized for a remote party. The public key authorized to access the device carries the email address eng[@]eightsleep.com as its comment, and that username suggests the key is used by the engineering team.

Every Eight Sleep bed is a fully functional Linux computer. Anyone who can log into it remotely therefore gains a foothold on the home network and can reach any device connected to it, from laptops to smart fridges.

“Of course, they can also change the bed’s temperature, turn on the vibrating feature, turn off your alarm clock, and any of the other normal controls they have power over,” researchers said.

“The (in)security of those devices is now entrusted to random Eight Sleep engineers.”

Eight Sleep occasionally tweets observations confirming that “they’re watching you sleep.” For example, Matteo Franceschetti, CEO of Eight Sleep, previously tweeted about an increase in people who sleep under 5 hours.

Truffle Security researchers found hardcoded AWS keys in the firmware, which suggests that the user data is streamed directly to Amazon. They jokingly called their post “Removing Jeff Bezos from my bed.”


Researchers did not check if the data was accessible, but they reported the findings to Eight Sleep, and the key was revoked.

“The key could be the most dangerous thing described so far, or it could be useful for just a bit of mischief (if nothing else, someone could use it to rack up a huge AWS bill for Eight Sleep).”
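Both findings above, an SSH public key baked into the device and AWS credentials hardcoded in the firmware, are the kind of thing a firmware audit should surface before a product ships. The script below is an added illustration, not code from the article or from Truffle Security: it walks an unpacked firmware root, parses every authorized_keys file it finds (reporting the key type and the trailing comment, which is where a vendor email would show up), and scans every file for AWS access key IDs, which are 20-character strings beginning with AKIA (long-term) or ASIA (temporary). The sample firmware tree it builds is constructed for the demo; the key comment eng@vendor.example and the AWS key ID AKIAIOSFODNN7EXAMPLE (Amazon's documented placeholder) are not values from the page.

```python
"""Audit an unpacked firmware tree for baked-in SSH access and cloud credentials.

Added example; assumes the firmware has already been extracted to a directory.
"""
import json
import os
import re
import tempfile

# One authorized_keys entry: optional options field (no spaces), key type,
# base64 blob, optional comment (conventionally user@host).
AUTHORIZED_KEY_RE = re.compile(
    r"^(?:[^\s#]+\s+)?"
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+"
    r"([A-Za-z0-9+/=]+)"
    r"(?:\s+(.*))?$"
)
# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
AUTHORIZED_KEYS_NAMES = {"authorized_keys", "authorized_keys2"}
MAX_SCAN_BYTES = 4 * 1024 * 1024  # skip huge blobs such as squashfs images


def parse_authorized_keys(text):
    """Return one record per key line: line number, key type and trailing comment."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = AUTHORIZED_KEY_RE.match(line)
        if match:
            records.append({"line": lineno, "type": match.group(1),
                            "comment": (match.group(3) or "").strip()})
    return records


def find_aws_key_ids(data):
    """Return the distinct AWS access key IDs found in a byte string."""
    return sorted({m.decode("ascii") for m in AWS_KEY_ID_RE.findall(data)})


def audit_firmware(root):
    """Walk the tree; report authorized_keys entries and hardcoded AWS key IDs."""
    report = {"ssh_keys": [], "aws_key_ids": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SCAN_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; keep going
            rel = os.path.relpath(path, root)
            if name in AUTHORIZED_KEYS_NAMES:
                text = data.decode("utf-8", errors="replace")
                for rec in parse_authorized_keys(text):
                    report["ssh_keys"].append(dict(rec, path=rel))
            # Credentials may sit in binaries too, so the key-ID scan runs on raw bytes.
            for key_id in find_aws_key_ids(data):
                report["aws_key_ids"].append({"path": rel, "key_id": key_id})
    return report


def build_sample_firmware():
    """Create a constructed firmware tree for the demo (not a real image)."""
    root = tempfile.mkdtemp(prefix="fw_")
    ssh_dir = os.path.join(root, "root", ".ssh")
    os.makedirs(ssh_dir)
    with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
        fh.write("# vendor maintenance access\n")
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB0000000000000000000 "
                 "eng@vendor.example\n")  # placeholder key and comment
    app_dir = os.path.join(root, "etc", "app")
    os.makedirs(app_dir)
    with open(os.path.join(app_dir, "uploader.env"), "w") as fh:
        fh.write("S3_BUCKET=telemetry-bucket-placeholder\n")
        fh.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")  # Amazon's documented example ID
        fh.write("AWS_SECRET_ACCESS_KEY=placeholder-not-a-real-secret\n")
    with open(os.path.join(root, "etc", "hostname"), "w") as fh:
        fh.write("hub\n")
    return root


if __name__ == "__main__":
    print(json.dumps(audit_firmware(build_sample_firmware()), indent=2))
```

Point the audit at a real extracted image by calling audit_firmware("/path/to/rootfs"); an authorized_keys entry whose comment is an email outside the device's own hostname, or any AKIA/ASIA hit, is a finding to triage.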

Security professionals also question the practice of requiring an internet connection. They noted that the expensive bed won’t function without the internet, its basic features are behind an additional $19/month subscription, and the only controls are via mobile app.

“We want the features of the future without sacrificing our data privacy, cybersecurity, reliability, and integrity.”

Truffle Security went as far as making a DIY fix. They dismantled the Eight Sleep hub and connected a $150 aquarium chiller to the tubing of the cover to achieve the same functionality without security risks. They found that both devices use thermoelectric modules to regulate temperature, and the Eight Sleep covers could be found on eBay for a few hundred dollars.

“This process was a lot simpler than I originally imagined,” the researcher said.


“And now you have all the temperature control of an Eight Sleep with none of the apps, subscriptions, internet connectivity, backdoors, and security liabilities of an Eight Sleep.”

Cybernews has reached out to Eight Sleep for comment and will include its response.

Meanwhile, the story is trending in cybersecurity circles and is now the most popular story among lobste.rs users.
