科技回声
A technology news platform built on Next.js, providing global technology news and discussion.

I found a backdoor into my bed

980 points, by riverdroid, 3 months ago

66 comments

OptionOfT, 3 months ago
I got one of those indoor gardening systems. We thought we had an issue with them. Contacted support.

Support checked and it was fine. Just needed time to adjust. They mentioned they checked the cameras (!).

Later on I got a second used one and while cleaning it, noticed that the internals are just a Raspberry Pi. Took my micro HDMI and keyboard, and... this thing just runs Raspberry Pi OS.

No updates. And... VNC. People from that company can just remote into my device, look at what the cameras are seeing, and do stuff on my network. These things are a security nightmare.

jimt1234, 3 months ago
> For someone who suffers from insomnia this seemed worth a shot.

I can relate, having suffered the same for most of my life. One thing that really helped me was a simple white noise machine, typically used to help babies sleep. Good: I sleep great with it. Also, it's not connected to the internet and doesn't require an app. Bad: I basically can't sleep without it. I have to travel with it (camping!). I even purchased a backup in case the primary fails, which has happened.

The other major sleep improvement was putting effort into accepting that life is pretty great; all of my worries that kept me awake at night were overblown. This took actual work, but it paid off.

Anyway, just thought I'd pass that along, hoping it might help someone else that struggles with sleep.

https://www.amazon.com/Yogasleep-Portable-Soothing-Rechargeable-Baby-Safe/dp/B01D50RYSC

nadis, 3 months ago
"When I say backdoor, what am I referring to? Sure, Eight Sleep needs a way to push updates, provide service, and offer support. That's expected.

What goes too far in my opinion, is allowing all of Eight Sleep's engineers to remotely SSH into every customer's bed and run arbitrary code that bypasses all forms of formal code review process.

And yes, I found evidence that this is exactly what's happening."

^ wow, this is pretty wild. <insert joke about being careful about who you share a bed with>

EvanAnderson, 3 months ago
The state of the product's security wasn't unexpected. I was, however, shocked by this part:

    > I was willing to overlook:
    > The bed costs $2,000
    > It won't function if the internet goes down
    > Basic features are behind an additional $19/mo subscription
    > The bed's only controls are via mobile app

Nothing about this bed should depend on off-site servers. Nothing about the product should necessitate a subscription fee.

The market is clearly too stupid to vote against the rent seeking tech industry. It makes me so sad.

TheGRS, 3 months ago
> In the end, I got enough of the cyber ick, I decided to seek a simpler, less internet-connected solution to my temperature-controlled bed needs.

Great line. And my eyes bugged out a little at this part as I also realized what the implications were:

> - They can know when you sleep
> - They can detect when there are 2 people sleeping in the bed instead of 1
> - They can know when it's night, and no people are in the bed

I have a more pragmatic question. Do any consumer publications do security reviews for products? I'm thinking like Consumer Reports and how they should probably publish if a product is a security nightmare or not. At the end of the day you still need people to publish this stuff and for social media to spread it so consumers beware, but maybe a magazine type of publication could take on part of that responsibility.

nrki, 3 months ago
Love the part about the CEO being a Musk sycophant. Right down to the similar language in tweets: "Some of SF got poor sleep. We must fix this."

wedn3sday, 3 months ago
A $20/month bed subscription is objectively hilarious. I can't imagine how this company attracts a non-zero number of clients.

bloopernova, 3 months ago
My wife uses a Bedjet which has both a remote and app. Thankfully it works without an active Internet connection.

It uses a bag-like sheet that it blows air into, to adjust temperature. For women suffering* through menopause, being able to adjust around hot/cold flushes is sanity-preserving!

* Some women don't suffer much during perimenopause or menopause, but it's a process that seriously fucks with one's hormones. A word of advice to any partner of a woman going through perimenopause: believe them when they tell you what they're going through! So many partners don't realize just how much this can mess up someone, they deserve every sympathy possible.

j2kun, 3 months ago
> but the eight sleep sure does harvest people's bed data, and occasionally tweet about how they're watching you sleep

[Followed by a screenshot of the EightSleep CEO publicly tweeting about SF sleep data in Nov 2023.]

This is reason enough to not patronize this business. What a creep.

sailfast, 3 months ago
Total aside: it's illegal for any company to provide goods or services for free to the government, so the Pod CEO would be breaking the law sending DOGE employees bed pods. It's basically seen as a bribe - which is true! These beds are $2000 each but it's pretty cheap for favorable regulatory treatment after a small donation. :/

akerl_, 3 months ago
I'm missing a step here. I see a var called ssh, and an authorized key, but I don't see where they're seeing any method for the device to expose itself outside the NAT that's in place on basically every consumer LAN.

This looks a lot more like the device fetches updates via SSH to a remote update server, and the authorized_keys entry is vestigial.

j2kun, 3 months ago
> While the Eight Sleep CEO Matteo seems focused on providing DOGE with great sleep

More sycophants coming out of the woodwork.

kaonwarb, 3 months ago
Interesting article; clickbait title. There's very little about Amazon in here, never mind its chairman.

cafard, 3 months ago
Can't but think of

    He knows when you are sleeping,
    He knows when you're awake,
    He knows when you've been bad or good...

gfkclzhzo, 3 months ago
I have a chilipad - https://sleep.me/

It's good for temperature control, you can set a profile that changes over night. The cooling is a complete fix for night sweats. It heats too, but I don't use it. I don't use the sleep tracking features.

My only semi-major complaint is that the pump is kind of loud. Only annoyance is that you need to have it connected to wifi w/ internet to set the temperature profile w/ the app, but it keeps working afterwards w/o internet.

WalterBright, 3 months ago
I've bought several internet radio streaming devices over the years, and they all eventually brick when the server goes out of business.

pimlottc, 3 months ago
While we're all here, what are some good alternatives to Eight Sleep? The idea seems to have merit but the required IoT subscription is a dealbreaker.

DarmokJalad1701, 3 months ago
I have one of these bed covers. I bought it before the subscription crap started and I am very satisfied with the product. The dual-zone cooling/heating is super good and has been a big improvement to my quality of life/sleep. Especially considering that my wife has different ideas than me about temperature and what constitutes hot/cold. Yes, it would be nice if I had local control but I am willing to ignore that as long as I don't have to pay more.

But I wouldn't recommend anyone buy it now because of the subscription.

It is good to know that there is an option to continue using it if the company decided to no longer grandfather in people who bought before the subscription crap started.

qwertox, 3 months ago
I have an ESP32 next to my bed. I log the RSSI strength and with that I know when I was in the bed and when I changed position. It also has a PIR which detects movement, but tracking the RSSI is good enough. A phone would be just as good, and I wouldn't be surprised if some SDK tracks the RSSI of the phone to check if something changes around the phone. It's very telling.

dangoodmanUT, 3 months ago
Title is bad, but the piece is good

userbinator, 3 months ago
If I'm reading this correctly, the product is just a temperature-controlled mattress?

> Well, each bed contains a full Linux-based computer. If my estimations above are correct, all of Eight Sleep engineering can take full control of that computer any time they want.

I think that was already a given once you agree to silent automatic updates.

robertclaus, 3 months ago
Cat food dispensers are an interesting product where this trend hasn't quite landed - it's still easy to get a new model without WiFi for roughly the same price. I wonder if the possibility of your pet not getting fed is a line consumers won't cross for convenience features.

rmason, 3 months ago
I looked really hard at buying an 8 Sleep. I have techie friends who swear by them. But one of the big reasons I didn't go forward I don't see mentioned here and that is noise. I need a dark and quiet room to sleep.

Someone told me they returned their 8 Sleep because of the constant fan noise of the computer running the thing. He told me it was like having a server in your bedroom.

I am also not keen at all on needing to have my phone in my bedroom either. At the end of his life my father had some health challenges and it wasn't uncommon for a nurse to call me in the middle of the night. It was all the other calls, people tweeting or slacking at me, that made it really challenging to get any sleep.

Still looking for something where I can collect sleep data if any entrepreneurs can solve these problems.

the_plus_one, 3 months ago

    - They can know when you sleep
    - They can detect when there are 2 people sleeping in the bed instead of 1
    - They can know when it's night, and no people are in the bed

I'm probably naive, but I'm failing to see how any of this is exclusive to having remote SSH access to the bed. Who's to say this isn't already happening with other binaries in the firmware? Maybe they're already phoning home?

    [...]that bypasses all forms of formal code review process.

How does the author know if anything else in the firmware goes under any kind of code review process?

It's not a bad article, but it does seem to make a lot of assumptions, and you already agreed to let arbitrary code run on your network when you added an IoT device to it.

sxp, 3 months ago
I have an EightSleep from before their enshittification into a subscription model. It is a good piece of hardware, but I can no longer recommend it because the software is so crappy. I checked the logs on my router and found that it was streaming tons of data to servers even when I wasn't using it. I have no idea why it would stream that much data since the trivial sensors it has shouldn't be producing that much data even if it had multi Hz sampling. I can't tell if this is incompetence or some sort of malfeasance where they are secretly recording audio data via motion sensors and streaming that.

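sxp's router-log observation above can be turned into a repeatable check. The Python below is an added example, not code from the original post or from any vendor: it reads constructed router accounting lines (timestamp, device MAC, destination, bytes out), sums outbound bytes per device, and flags devices whose volume exceeds a generous budget derived from an assumed sensor count and sample rate. The log format, the sensor parameters and the 4x overhead allowance are all assumptions.

```python
"""Flag LAN devices whose outbound volume exceeds what their sensors could plausibly produce."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of router accounting lines (not real logs):
# "<iso-timestamp> <src-mac> <dst-host> <bytes-out>", one line per device/destination/hour.
SAMPLE_LOG = """\
2025-02-20T02:00:00 aa:bb:cc:00:00:01 metrics.example.net 18000000
2025-02-20T03:00:00 aa:bb:cc:00:00:01 metrics.example.net 21000000
2025-02-20T04:00:00 aa:bb:cc:00:00:01 streams.example.net 24000000
2025-02-20T02:00:00 aa:bb:cc:00:00:02 ntp.example.org 4096
2025-02-20T03:00:00 aa:bb:cc:00:00:02 api.example.org 8192
garbage line
"""


def parse_log(text):
    """Yield (timestamp, mac, dst, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def sensor_budget(sensors, hz, bytes_per_sample, hours, overhead=4.0):
    """Upper bound on bytes a sensor payload could need over `hours`, with a
    4x allowance for protocol framing, TLS and retries (assumed, deliberately generous)."""
    return sensors * hz * bytes_per_sample * 3600 * hours * overhead


def summarize(text):
    """Per device: total outbound bytes, number of distinct hours seen, sorted destinations."""
    agg = defaultdict(lambda: {"bytes": 0, "hours": set(), "dsts": set()})
    for ts, mac, dst, n in parse_log(text):
        agg[mac]["bytes"] += n
        agg[mac]["hours"].add(ts.replace(minute=0, second=0, microsecond=0))
        agg[mac]["dsts"].add(dst)
    return {mac: {"bytes": v["bytes"], "hours": len(v["hours"]), "dsts": sorted(v["dsts"])}
            for mac, v in agg.items()}


def flag_devices(text, sensors=4, hz=2, bytes_per_sample=16):
    """Return (mac, bytes_out, budget, destinations) for every device over budget.
    Defaults assume four sensors sampled at 2 Hz with 16-byte samples (an assumption)."""
    flagged = []
    for mac, s in summarize(text).items():
        budget = sensor_budget(sensors, hz, bytes_per_sample, s["hours"])
        if s["bytes"] > budget:
            flagged.append((mac, s["bytes"], int(budget), s["dsts"]))
    return flagged


if __name__ == "__main__":
    for mac, n, budget, dsts in flag_devices(SAMPLE_LOG):
        print(f"{mac}: {n} bytes out vs budget {budget}; talks to {', '.join(dsts)}")
```

Raise `sensors`, `hz` or `bytes_per_sample` to whatever the device's spec sheet claims; a device still over budget is worth blocking at the router until the vendor explains the traffic.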
dsalzman, 3 months ago
Using the aquarium chillers is really smart! Just need someone to mfg the mattress membrane covers.

jmuguy, 3 months ago
In case anyone is wondering why someone would pay so much to control their bed temp - I have a similar product, the "Chillipad". Essentially I'm a furnace when I sleep and wake up covered in sweat. This thing keeping my bed cool was the biggest single thing I've done to improve sleep quality. It's not quite as stupid as Eight Sleep in terms of initial cost and there's no ongoing subscription but it was still expensive. I've also had to open it up and replace a faulty check valve, and it occasionally floods so I have it sitting in a tray. But damn... it works.

However now I want to try this aquarium chiller...

max_, 3 months ago
A nightmare I have is that a lot of these products like 8 Sleep are actually scams.

Not scams in the sense of swindling money, but that they are appendages of a private or government intelligence network.

If you genuinely care about your customers, can't you simply feel guilty of doxing such sensitive data about them?

Some evil entities want to know when you sleep, wake up or if there is someone else in the bed.

I am not against technology, this can be done responsibly via offline support, self hosting options, E2E Encryption, Homomorphic computing, differential privacy etc.

But I guess implementing those would interfere with the scam, i.e. the main objective, which is spying on you.

aranelsurion, 3 months ago
> Imagine your ex works for Eight Sleep. Or imagine they want to know when you're not home.

I think what is often missed in "company gathers data it doesn't need" scenarios is not that someone inside Eight Sleep abuses the data, or the company itself does it, but them gathering this data for years and then losing it to some 14yo hacker who promptly posts it and suddenly all your data is public.

The inside job may sound a little far fetched, but the latter is only a matter of time.

Once it happens multiple times with different services, everyone gets access to everything about you.

lilyball, 3 months ago
Nothing here is particularly surprising. The worries about engineers ssh'ing into the machine to see if anyone is sleeping seem rather overblown though. The product itself doubles as a sleep tracker and all data goes through their servers (as is sadly the norm for smart home appliances these days) so they have that data anyway. I have to take it on faith that they anonymize and aggregate the data before doing any analysis on it, but the very nature of the product means they have the data.

trumpvoter, 3 months ago
Interesting article but have to raise the issue of calling just any dog a doge. While I can understand the difficulty of resisting a joke, doges deserve better.

(Not talking about DOGE btw).

sigmonsays, 3 months ago
This is so cringe, I am getting motivated to only use dumb devices.

I no longer can trust that someone is looking at my TV data, oven data, thermostat data, etc. and tweeting about it.

kylecazar, 3 months ago
Bed as a service? Hell no. What an awful idea.

throwaway81523, 3 months ago
Yuggh. There is also a bed chilling thing from sleep.me that is around $600. I haven't looked into it enough to tell whether it is internet connected. But I've been aware of it because my mom is very fussy about her sleeping temperature and it might be something I should look into when it gets warmer.

bambax, 3 months ago
After skimming most comments here I still wonder what people want from a temperature-controlled mattress? Is it to have a warmer bed or a cooler one? Or does it depend on each person, some like it hot and some don't?

And for those who prefer a warm bed, isn't it simpler and cheaper to warm the room?

6stringmerc, 3 months ago
As a creative writer I love detailed explanations like this because it helps me recall prior fictional scenarios - in particular, Mom's Friendly Robot Co. from Futurama. Exploits are innocuous until a use case arises, and the IoT devices in the wild make for a thrilling garden for "what if" contemplation.

keysersoze33, 3 months ago
I bought an Eight Sleep Pod 3, as I'm a light sleeper who wakes up often at 3 or 4am, and struggles to get the final hours of sleep.

I have to say it made my sleep significantly worse - I was shocked at how bad the temperature setting was - shifting 1 degree warmer or colder was often too much. I also noticed quite a bit of manipulation of reviews & comments on Reddit / subtle sponsorship on YouTube. (=> fake comments, upvoting/downvoting, and unofficial sponsorship).

Maybe it really does improve some people's sleep, but just the noise itself from the Pod meant I needed earplugs to not be disturbed by it. My suggestion is to avoid buying at all costs...

polishdude20, 3 months ago
I knew there was some shady shit going on with Eight Sleep! Back last year I posted a comment on Veritasium's YouTube channel because he had Eight Sleep as a sponsor. I commented that Eight Sleep is a privacy nightmare.

Anyways, feels good to be vindicated.

amarcheschi, 3 months ago
Here is a related discussion about a guy who did a similar thing with an aquarium cooler to cool his bed: https://news.ycombinator.com/item?id=41824138

yuvalr1, 3 months ago
Are there any consumer products offered that provide similar functions (heating, controlling with an app etc.), but which never try to connect to a remote server, other than looking for the control app in the local LAN?

zamalek, 3 months ago
I'm not sure about the latest models, but my early-revision BedJet has no smart features at all: it was all bluetooth. It solves much the same problem as the product here: warm/cool the bed, not the house.

abetancort, 3 months ago
Happens when you buy expensive garbage with a subscription attached.

kapka6700, 3 months ago
How did the author find the backdoor URL in the first place?

owenversteeg, 3 months ago
Anyone here tried those aquarium chillers? Sounds like a great alternative, I would love to read more about using them in practice.

unosama, 3 months ago
If you suffer from insomnia, there are so many other things you can do. Check your Vitamin D and B levels. Meditate. Don't get a bed that emits more EMF. That definitely won't help you.

Before anyone tries to mock me for mentioning EMF: https://pmc.ncbi.nlm.nih.gov/articles/PMC5247706/

peteforde, 3 months ago
If the OP sees this, I'd be very curious if they used the 70 watt or the 100 watt aquarium chiller.

croemer, 3 months ago
Great article, two typos:

1. Kenises should be Kinesis

2. The URL template contains {anynumber}, the text refers to anynumbers (plural)

leftcenterright, 3 months ago
> exceeding $300 million dollars in annual revenue

I would be interested in knowing who the buyers for this stuff are ..

mitjam, 3 months ago
Can recommend hot water bottles and a hairdryer for occasional on demand bed warming.

pshirshov, 3 months ago
> (the bed...) won't function if the internet goes down

Who in their sane mind buys that?

WalterBright, 3 months ago
I always knew that internet-connected thermostat was a bad idea.

1vuio0pswjnm7, 3 months ago
Actual title: "Removing Jeff Bezos from my bed"

r1b, 3 months ago
re: the Kinesis key - curious, what is the right way to configure log delivery for remotely deployed appliances?

tills13, 3 months ago
> Beyond the basics, what does access to a device on your home network grant them? Any other device connected to that home network - smart fridges, smart stoves, smart washing machines, laptops - is typically routable via your bed. The (in)security of those devices is now entrusted to random Eight Sleep engineers.

And this is why I have any device that needs connectivity to the Internet to function in its own VLAN with very specific and oppressive rules about what can talk with what. If you don't have a fancy router, use your guest network for these things.

I hate this future.

motbus3, 3 months ago
I honestly cannot understand why pay 19 USD/month for something you paid 2000 for. It is not like they are providing you stellar quality software, nor that it needs to be done remotely.

kpollls, 3 months ago
Isn't it safe if your home network is not exposing port 22?

AtlasBarfed, 3 months ago
Um, is that Bezos or the AWS account of the company?

Alas, our hope to recover whatever social benefit was in SpaceX and Tesla is with Bezos's companies, although at least the EV space is more diverse. SpaceX cannot be wrested from Musk and TSLA and its board is preferred-stock controlled by Musk.

noisy_boy, 3 months ago
> There's some zip ties securing the tubes you have to cut, but other than that, it's a totally reversible, non-destructive process that takes 30 seconds.

Wait until Eight Sleep "upgrades" the connectors to be "incompatible" with aquarium chillers.

blackeyeblitzar, 3 months ago
Clickbait title.

gorfian_robot, 3 months ago
Honey, that is only for special occasions.

modeless, 3 months ago
> the Eight Sleep cover, which is available on eBay for a few hundred

Uh, I don't think I want to buy a used mattress cover on eBay, thanks.

xyst, 3 months ago
We give these companies hard earned fucking cash and they want _more_. Rapacious neoliberal capitalists will be the end of capitalism itself.

chinathrow, 3 months ago
That CEO tweet to Elon is peak cringe.

whatshisface, 3 months ago
You would have to be insane to buy a computer that remains someone else's computer...

electroly, 3 months ago
I'm a two-time Eight Sleep customer and the CEO could post my sleep history specifically with my full name and I'd still use it. It's really comfortable. I think most of the detractors were never remotely in the market for such a product. Everything negative said about the product and the company is true, and they should do better, but it's not enough to scare me away thanks to how good the base product is.

avalys, 3 months ago
This is a bunch of nonsense, assumption and leaping to conclusions without evidence.

"In the second screenshot, we have the public key that's authorized to access the device. The email address attached to the public key, eng@eightsleep.com, to me suggests the private key is likely accessible to the entire engineering team."

He has no evidence for this whatsoever and not really any good reason to assume it either.

"In the first image, we see evidence SSH is being exposed remotely, to a far away host, remote-connectivity-api.8slp.net. Typically SSH would only be accessible to the local area network, but the variables in production.json would seem to imply this access was opened up to a remote host."

This isn't how SSH works and he doesn't seem to have enough information, or enough knowledge of SSH, to understand what's being done with the "far away" hostname.

This article is just clickbait nonsense, which should have been obvious from the title. It is clearly intended to draw traffic to their company website, which is some kind of venture-backed security startup. Based on the fact that the founders seem to have a superficial understanding of technology but a well-developed understanding of hype and bullshit, I am not interested in exploring their business further.

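akerl_ and avalys disagree above about what an authorized_keys entry with a team-style comment actually proves. Whatever the answer, the added Python below (not the article author's code and not anything from Eight Sleep) is the check a defender can run on any device they can log into: it parses an OpenSSH authorized_keys file, including quoted option values that contain commas, and reports entries that grant an unrestricted shell, carry no from= source limit, or are labelled with a role rather than a person. The sample file, its placeholder key blobs, the example.com addresses and the shared-comment heuristics are all constructed assumptions.

```python
"""Audit an OpenSSH authorized_keys file for entries a defender should question."""
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
_KEY_RE = re.compile(r"(^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES) + r")\s")
# Comment prefixes suggesting a role or team key rather than one person's key (assumed heuristics).
SHARED_HINTS = ("eng@", "team@", "ops@", "admin@", "root@", "support@")

# Constructed sample file; the key blobs are placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# vendor-provisioned keys (constructed example)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER eng@example.com
from="203.0.113.10",restrict,command="/usr/local/bin/collect-logs" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@example.com
"""


def split_options(field):
    """Split the options prefix on commas, leaving commas inside double quotes alone."""
    opts, cur, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line):
    """Return {'options', 'type', 'comment'} for one entry, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        return None
    # Everything before the key-type token is the optional options field.
    options = split_options(line[:m.start()].strip()) if m.start() > 0 else []
    fields = line[m.start(2):].split(None, 2)
    return {"options": options, "type": fields[0], "comment": fields[2] if len(fields) > 2 else ""}


def audit_entry(entry):
    """List the reasons this entry deserves scrutiny (empty list means nothing flagged)."""
    names = {o.split("=", 1)[0] for o in entry["options"]}
    findings = []
    if not ({"restrict", "command"} & names):
        findings.append("grants an unrestricted login shell (no restrict or command= option)")
    if "from" not in names:
        findings.append("no from= source restriction: any host holding the private key may connect")
    c = entry["comment"]
    if "@" not in c or c.startswith(SHARED_HINTS):
        findings.append(f"comment {c!r} names a role, not a person: the private key is likely shared")
    return findings


def audit(text):
    """Map each flagged entry's comment to its findings; clean entries are omitted."""
    results = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = audit_entry(entry)
        if findings:
            results[entry["comment"] or "<no comment>"] = findings
    return results


if __name__ == "__main__":
    for comment, findings in audit(SAMPLE_AUTHORIZED_KEYS).items():
        print(comment)
        for f in findings:
            print("  -", f)
```

The second sample entry shows the shape a vendor support key should have: pinned to a source, restricted to one command, and tied to a named person so the key can be rotated when they leave.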