Smart home products can easily become a problem when security isn’t taken into account. This is why a newly discovered backdoor in a product from the smart bed company Eight Sleep is so concerning.
As reported by Cybernews, security researchers have identified an issue with the company’s firmware, which reportedly contains backdoors that could allow remote access, let unauthorized users run arbitrary code, and send user data back to Amazon Web Services (AWS).
Researchers and cofounders of Truffle Security, Dylan Ayrey and Jake King, recently covered the issue in a blog post. They explain that being able to reach their Eight Sleep device over a secure shell (SSH) connection could potentially allow any of the company’s engineers to remotely SSH into every customer’s bed and run code that bypasses the formal code review process entirely.
Since every Eight Sleep bed is, in essence, a fully functional Linux computer, remote access to it can give an outsider a foothold on the home network and every device connected to it – from smart fridges and the best laptops to anything in between.
The researchers say that, beyond remotely controlling the bed’s features (changing the temperature, turning on the vibration feature, and the rest of the normal controls), this access also gives any Eight Sleep engineer a wealth of personal data about customers: for example, when you are sleeping, or how many people are asleep in a bed.
Indeed, Eight Sleep has occasionally posted indications online confirming that they do in fact review this data. For instance, CEO of Eight Sleep, Matteo Franceschetti, explained in a post on X that drama a few years ago at OpenAI led to an increase in people who slept under 5 hours in San Francisco.
The $2,000 temperature-controlled bed won’t function without a connection to the internet as its basic features are behind a $19 per month subscription and the only controls are available via a mobile app. Truffle Security’s CEO states “We want the features of the future without sacrificing our data privacy, cybersecurity, reliability and integrity.”
The Truffle Security researchers additionally found hardcoded AWS keys in the firmware, which suggests that user data is being streamed directly to Amazon’s cloud. They did not check whether the data was accessible, but they did report their findings to Eight Sleep, and the key was revoked.
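As an added illustration (not Truffle Security’s tooling or anything from the researchers’ post), here is one way a firmware image can be checked for the kind of hardcoded AWS credential described above: a scan for the access key ID format, paired with a search for a nearby 40-character high-entropy string of the secret key’s shape. The firmware bytes are a constructed stand-in, and the credentials are AWS’s documented placeholder values, not live keys.

```python
"""Scan a firmware image for hardcoded AWS credentials (added example)."""
import math
import re

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA = long-term, ASIA = temporary)
# followed by 16 uppercase alphanumerics. The lookarounds avoid partial matches.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars from the base64 alphabet. Strings of that shape are
# common in binaries, so a candidate must also be high-entropy and near a key ID.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_MIN_ENTROPY = 3.5   # bits per byte; real secrets score ~4.5+, prose scores lower
SECRET_WINDOW = 512        # bytes either side of a key ID in which to look for its secret

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; separates random secrets from ordinary strings."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_firmware(blob: bytes) -> list:
    """Return one finding per key ID: {offset, key_id, secret}; secret is None if absent."""
    findings = []
    for m in KEY_ID_RE.finditer(blob):
        lo = max(0, m.start() - SECRET_WINDOW)
        hi = min(len(blob), m.end() + SECRET_WINDOW)
        secret = None
        for s in SECRET_RE.finditer(blob, lo, hi):
            if shannon_entropy(s.group()) >= SECRET_MIN_ENTROPY:
                secret = s.group().decode()
                break
        findings.append({"offset": m.start(), "key_id": m.group().decode(), "secret": secret})
    return findings

# Constructed stand-in for a firmware image (fake ELF header, a path, an env-style
# config blob, an SSH public key). The credentials are AWS's documented placeholders.
FIRMWARE_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24 + b"/usr/bin/agent\x00"
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummydummydummydummydummydummydummy\x00"
)

if __name__ == "__main__":
    for f in scan_firmware(FIRMWARE_SAMPLE):
        print(f"offset {f['offset']:#x}: {f['key_id']} secret={'found' if f['secret'] else 'none'}")
```

A hit does not prove the key is live; it is the trigger to revoke it, rotate it, and check the access logs for what it was used for.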
By dismantling an Eight Sleep hub and connecting a $150 aquarium chiller to the cover tubing, the Truffle Security team was able to create a DIY fix to the Eight Sleep hub that uses the same thermoelectric modules to regulate temperatures – without the security risks.
“This process was a lot simpler than I originally imagined,” said the researchers, “And now you have all the temperature control of an Eight Sleep with none of the apps, subscriptions, internet connectivity, backdoors, and security liabilities of an Eight Sleep.”
While the experiment may have been successful for the researchers, it’s unlikely that the average user will go out of their way to rig their own $2,000 smart bed in this manner, though they will still be affected by Eight Sleep’s security practices.
We’ve reached out to Eight Sleep about Truffle Security’s findings and we’ll update this story if and when we hear back from them. In the meantime, you always want to consider the potential security implications of any of the best smart home devices before adding them to your home.