
China failed to answer for warships’ live fire event in Tasman Sea: Marles

Defence Minister Richard Marles said China must explain its failure to provide sufficient notice for the live-fire training exercise in the waters between Australia and New Zealand on Friday.

denubis
16 hours ago

Removing Jeff Bezos From My Bed ◆ Truffle Security Co.


A little while ago I asked my infosec Twitter followers what IoT device in my house they thought I found a live AWS key in.

(For those who don’t know, an exposed AWS access key can be incredibly dangerous: whoever holds it can act inside the company’s AWS account with whatever permissions the key carries.)

Guesses ranged from a refrigerator to a bidet, but no one got it right

The right answer was my bed

I also found a backdoor into my bed, but more on that later.

Security professionals are, in my experience, exhausted by things being connected to the internet that don’t need to be. Tired of their stove, car, washing machine, and bed all being internet-connected.

We want the features of the future without sacrificing our data privacy, cybersecurity, reliability and integrity.

I want the features of a temperature-controlled bed without having to worry about random engineers and hackers giving themselves access to my bed 24/7.

Eight Sleep offered the features of temperature control: set the bed to any temperature hot or cold. For someone who suffers from insomnia this seemed worth a shot.

I was willing to overlook:

  • The bed costs $2,000

  • It won’t function if the internet goes down

  • Basic features are behind an additional $19/mo subscription

  • The bed’s only controls are via mobile app

I will say, being able to control the temperature of your bed is actually a magical thing, but after a few months curiosity got the better of me and I took a look at the firmware.

In the end I got enough of the cyber ick that I decided to seek a simpler, less internet-connected solution to my temperature-controlled bed needs.

It turns out inexpensive aquarium chillers provide similar functionality to the Eight Sleep Pod, without the existential dread of being hacked or having my sleep preferences shared with a bunch of developers.

While the Eight Sleep CEO Matteo seems focused on providing DOGE with great sleep, the real doge (pictured above), whose name is Latte, is sleeping great tonight. 

Stick around until the bottom of the post for how to set this up (it’s easier than you think).

So let’s talk about that backdoor

First of all, how did I get the bed’s firmware? Easy. You can download it. Eight Sleep serves the firmware from its update URL:

https://update-api.8slp.net/v1/updates/p1/1?deviceId={anynumber}&currentRev=1

(Just replace {anynumber} with any number. Nothing ties the request to a real device, so anyone can pull the image.)

When I say backdoor, what am I referring to? Sure, Eight Sleep needs a way to push updates, provide service, and offer support. That’s expected.

What goes too far, in my opinion, is allowing all of Eight Sleep’s engineers to remotely SSH into every customer’s bed and run arbitrary code that bypasses any formal code review process.

And yes, I found evidence that this is exactly what’s happening.

Let’s break down what’s shown above. In the first image, we see evidence that SSH is being exposed remotely, to a far-away host, remote-connectivity-api.8slp.net. Typically SSH on a device like this would only be reachable from the local network, but the variables in production.json would seem to imply this access was opened up to a remote host.

In the second screenshot, we have the public key that’s authorized to access the device. The email address attached to the public key, [email protected], suggests to me that the private key is likely accessible to the entire engineering team.

What does this mean, exactly? Well, each bed contains a full Linux-based computer. If my reading above is correct, all of Eight Sleep engineering can take full control of that computer any time they want.
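To make the two pieces of evidence above checkable rather than eyeballed from screenshots, here is an added example (not code from the post, from Truffle Security or from Eight Sleep) that audits an unpacked firmware root filesystem for exactly these footholds: authorized_keys entries whose comment is a role mailbox rather than a person, config files that name an internet host, and an sshd_config that permits root login. The directory layout, JSON key names, key material and email addresses in the demo are constructed; only the remote-connectivity-api.8slp.net hostname comes from the post.

```python
"""Audit an unpacked firmware rootfs for remote-access footholds (added example)."""
import json
import os
import re
import tempfile

# Heuristic: a key comment addressed to a role mailbox usually means one private
# key is shared by a whole team rather than issued to a person.
SHARED_COMMENT_HINTS = ("eng@", "engineering@", "devops@", "ops@", "support@", "team@")

# authorized_keys line: [options] type base64-blob [comment]
AUTH_KEY_RE = re.compile(
    r"^(?:(?P<options>.+?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)\s+"
    r"(?P<key>[A-Za-z0-9+/=]+)"
    r"(?:\s+(?P<comment>.*))?$"
)

# Anything that looks like a public DNS name inside a config value.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|io|dev|cloud)\b", re.I)

# sshd settings worth flagging on a consumer device (setting -> risky value).
SSHD_RISKY = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts; comment and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = AUTH_KEY_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return entries


def _json_strings(obj, prefix=""):
    """Yield (dotted.key, value) for every string in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _json_strings(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _json_strings(v, f"{prefix}{i}.")
    elif isinstance(obj, str):
        yield prefix.rstrip("."), obj


def audit_rootfs(root):
    """Walk an unpacked root filesystem and return a list of finding dicts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == "authorized_keys":
                for e in parse_authorized_keys(text):
                    comment = (e.get("comment") or "").strip()
                    if comment.lower().startswith(SHARED_COMMENT_HINTS):
                        findings.append({"kind": "shared_key", "path": rel, "type": e["type"],
                                         "comment": comment, "options": e.get("options")})
            elif name.endswith(".json"):
                try:
                    doc = json.loads(text)
                except ValueError:
                    continue
                for key, value in _json_strings(doc):
                    for host in HOSTNAME_RE.findall(value):
                        findings.append({"kind": "remote_host", "path": rel,
                                         "config_key": key, "host": host})
            elif name == "sshd_config":
                for line in text.splitlines():
                    parts = line.split()
                    if len(parts) == 2 and SSHD_RISKY.get(parts[0].lower()) == parts[1].lower():
                        findings.append({"kind": "sshd_setting", "path": rel,
                                         "setting": f"{parts[0]} {parts[1]}"})
    return findings


def demo():
    """Build a constructed mini-rootfs in a temp dir and audit it."""
    files = {  # constructed contents; key blobs are placeholders, not real keys
        "home/root/.ssh/authorized_keys": (
            "# constructed sample\n"
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialFakeKeyMaterial eng@example.com\n"
            'command="/usr/bin/diag",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFake support@example.com\n'
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialFakeKeyMaterial alice@example.com\n"
        ),
        # constructed key names: the post does not show the real production.json contents
        "etc/production.json": json.dumps({"env": "production", "ssh_port": 22,
                                           "remote_connectivity_url": "https://remote-connectivity-api.8slp.net"}),
        "etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return audit_rootfs(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point it at the directory you get from unpacking the image (binwalk -e, or mounting the rootfs). A key comment is only a label, so a hit from the comment heuristic is a lead rather than proof; the follow-up that matters is whether the same public key appears in every unit's image, which is what turns a support key into a fleet-wide backdoor.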

What Can They Do with This Access?

Let’s start with the basics: 

  • They can know when you sleep

  • They can detect when there are 2 people sleeping in the bed instead of 1

  • They can know when it’s night, and no people are in the bed

Imagine your ex works for Eight Sleep. Or imagine they want to know when you’re not home.

(Of course, they can also change the bed’s temperature, turn on the vibrating feature, turn off your alarm clock, and any of the other normal controls they have power over.)

Beyond the basics, what does access to a device on your home network grant them? Any other device connected to that home network - smart fridges, smart stoves, smart washing machines, laptops - is typically reachable from the bed, so the bed becomes a foothold for attacking them. The (in)security of those devices is now entrusted to random Eight Sleep engineers.

Remember when Uber got in trouble for that God Mode app a few years ago? If my assumptions are correct about SSH remote access, this is in that ballpark.

The devices don’t contain logs or notifications we can access to find when this is occurring. 

It’s possible Eight Sleep borrowed a page from Tesla.

But it should go without saying, giving engineers arbitrary SSH access on all customer devices is not best practice.

Personally, I don’t want my bed data accessible to anyone, but Eight Sleep sure does harvest people’s bed data, and occasionally tweets about how they’re watching you sleep.

The key to a bad night’s sleep was AWS.

Well, the AWS key appeared to be used to stream data directly into Amazon. Of course the million-dollar question is: what is the policy on that key? The key could be the most dangerous thing described so far, or it could be useful for just a bit of mischief (if nothing else, someone could use it to rack up a huge AWS bill for Eight Sleep).

Unfortunately, we’ll never know, because as soon as I reported it, Eight Sleep revoked the key. We can tell from the surrounding context that the key had write access to Kinesis, but beyond that, it’s unclear.

What we do know, though, is that an attacker could have used that key to send 5,000 `PUT` requests per second into Kinesis and rack up a $100,000-per-month bill for Eight Sleep.

Unexpected monthly bills cost us all some lost sleep.
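The post could not learn the key's policy before it was revoked, but a good deal can be learned from a leaked key offline, before a single AWS API call is made. The following is an added example (not code from the post, from Truffle Security or from Eight Sleep) that scans firmware strings for access key IDs, says whether each is a long-term IAM user key (AKIA prefix) or a temporary STS key (ASIA prefix), checks whether the matching secret sits next to it, and recovers the owning AWS account ID from the key ID alone, using the base32 decoding trick documented by Tal Be'ery in 2023. The sample text is constructed around the example key pair from the AWS documentation; the account ID it yields is simply whatever that fictional key encodes.

```python
"""Offline triage of AWS access keys found in firmware (added example)."""
import base64
import re

KEY_KINDS = {"AKIA": "long-term IAM user key", "ASIA": "temporary STS key"}

# Access key IDs are 20 characters: a 4-char prefix plus 16 upper-case/digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secrets are 40 base64 chars; only count ones labelled as such to keep noise down.
SECRET_KEY_RE = re.compile(r"(?i)aws_?secret(?:_access)?_key\W{0,5}([A-Za-z0-9/+]{40})\b")


def account_id_from_key_id(key_id):
    """Return the 12-digit AWS account ID encoded in an access key ID, or None.

    Heuristic from Tal Be'ery's 2023 write-up: the 16 chars after the prefix are
    base32; the account ID is a 40-bit field inside the first 6 decoded bytes.
    """
    try:
        raw = base64.b32decode(key_id[4:])
    except ValueError:          # binascii.Error is a ValueError: not base32
        return None
    if len(raw) < 6:
        return None
    z = int.from_bytes(raw[:6], "big")
    return f"{(z & 0x7FFFFFFFFF80) >> 7:012d}"


def find_aws_keys(text, window=300):
    """Find access key IDs in text and describe each one.

    secret_found is True when a labelled 40-char secret appears within
    `window` characters of the key ID, i.e. the pair is usable as-is.
    """
    seen = {}
    for m in ACCESS_KEY_RE.finditer(text):
        key_id = m.group(1)
        nearby = text[max(0, m.start() - window): m.end() + window]
        entry = seen.setdefault(key_id, {
            "access_key_id": key_id,
            "kind": KEY_KINDS[key_id[:4]],
            "account_id": account_id_from_key_id(key_id),
            "secret_found": False,
        })
        if SECRET_KEY_RE.search(nearby):
            entry["secret_found"] = True
    return list(seen.values())


# Constructed excerpt standing in for `strings rootfs.img | grep -i aws`.
# The key pair is the fictional example from the AWS documentation.
SAMPLE_STRINGS = """\
KINESIS_STREAM=device-telemetry
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def demo():
    """Triage the constructed sample."""
    return find_aws_keys(SAMPLE_STRINGS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The online next step is `aws sts get-caller-identity` with the pair, which needs no IAM permissions and returns the account and principal, but it leaves a CloudTrail record in the owner's account, so it belongs in the disclosure, not before it. A key baked into shipped firmware is almost always a long-term AKIA key, because nothing on the device can refresh an STS session; the fix is per-device credentials issued at runtime, not one shared key in the image.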

So what was that about an aquarium chiller?

This process was a lot simpler than I originally imagined. Essentially all you need to do is unplug the rubber tubing from the Eight Sleep cover (available on eBay for a few hundred bucks) and plug it into a $150 aquarium chiller.

There are some zip ties securing the tubes that you have to cut, but other than that it’s a totally reversible, non-destructive process that takes 30 seconds.

That’s it. “Aquarium chiller” is somewhat of a misnomer, as they can also provide heat. They use thermoelectric devices to regulate temperature, either cooling or warming the liquid that flows through them, which is the same technology found in the Eight Sleep.

Here’s a short clip of the entire process:

And now you have all the temperature control of an Eight Sleep with none of the apps, subscriptions, internet connectivity, backdoors, and security liabilities of an Eight Sleep.

There are other projects that remove the internet connectivity of the Eight Sleep, such as the Free Sleep project, but I prefer the less sophisticated, physical tactile buttons of the aquarium chiller.

So what have we learned from all this?

Honestly, Eight Sleep is clearly onto something, having raised $110 million in venture capital, exceeding $300 million in annual revenue, ̶f̶o̶r̶c̶i̶n̶g̶ welcoming users into a subscription ̶h̶e̶l̶l̶ model, and adding to the ever-growing list of devices that will one day stop working when the parent company turns its servers off.

I, for one, am going to be sleeping well tonight to the warm, silent circulation of an aquarium chiller, as will the Doge, Latte.

acdha
18 hours ago
The part where the vendor of substandard products is a DOGE kiss-up is 👌
Washington, DC
denubis
18 hours ago

Saturday Morning Breakfast Cereal - Murderer




Hovertext:
The doctor is put in jail and then 20 years later it turns out the findings don't replicate.


denubis
18 hours ago

The Review


Interior of a low-rise office park. A nameless DEPARTMENT HEAD is sitting by himself in a small, sterile conference room. On the whiteboard behind him, a diagram of a nondescript computer system is scribbled across.

The door opens.

DEPARTMENT HEAD: Ah, Johnson, isn’t it? Have a seat. How’s… (shuffles notes)… how’s the family?

JOHNSON: Thank you, sir. My wife’s pregnant with our second. Due in May.

DEPARTMENT HEAD: (nods curtly) Right… well, Johnson…

JOHNSON: Yes?

DEPARTMENT HEAD: There is no easy way to say this. Johnson… this meeting… (clears throat) this meeting is not happening.

JOHNSON: I beg your pardon?

DEPARTMENT HEAD: Think about the cosmos. Order to chaos. Big Bang to heat death. The march of entropy. The thermodynamic arrow of time.

JOHNSON: I’m still not quite following.

DEPARTMENT HEAD: (gestures wildly) Yet, even amidst decay, random fluctuations happen! Particles pop into existence, stars form, planets! Give it enough time, Johnson, and something as improbable as us comes to be!

JOHNSON: The meeting, sir?

DEPARTMENT HEAD: Consider the odds! What’s more likely from chaos — a planet of eight billion people hurtling through space, or a single brain hallucinating a world that doesn’t exist?

JOHNSON: That sounds absurd! Wouldn’t such a brain quickly shut down?

DEPARTMENT HEAD: Oh, it would. But what is time? A collection of memories, indistinguishable from hallucinations of a solitary mind. Think of the probabilities, Johnson! A universe or a dream? You were never here. I never spoke these words.

JOHNSON: (stammering) I don’t know… I don’t know what to say.

DEPARTMENT HEAD: Looks like we’re at time. That’ll be all for today. Please give my regards to your wife.




denubis
1 day ago

Saturday Morning Breakfast Cereal - Mystery




Hovertext:
Ten years from now, during my Unreadable Mystery Author phase, this will be the first thing I work on.


denubis
1 day ago

Mangled names get me to open my eyes a little


Way back around 2009, Google did something stupid internally where people with names like "Nishit" were flagged as being "fake" or similar. I probably found out about this because I had worked on the accounts system at one point.

On the surface, it seemed simple enough: someone coded up a check to pick up a "four letter word" (in English...) and it matched. Even though it's totally a name used by a lot of people, their systems told those people that they were invalid and unwelcome. Never mind that they have employees who are directly affected by this.

Ten years later, nearly the same thing happened at Lyft. It happened late in 2019 as it rolled into 2020. The timing always made me think that someone particularly clueless was trying to make one final push to meet their so-called "quarterly goals" before the year ended.

These events, and others like them, have touched off a series of posts like "falsehoods that programmers assume about names", and then their own series of posts about whole other realms which are full of trouble.

I, too, have written about this. I mentioned how the Intel museum only allowed the ASCII characters A-Z as letters in your name, and anyone else was out of luck.

All along, I have been treating this as a case of "those fucking stupid programmers", and it's an easy groove to fall into, because believe me, there are quite a few really incompetent people out there doing this kind of work.

However, I've been starting to realize that this is overly simplistic and is missing a large possibility. Can you see it yet? I sure didn't for a very long time, and that time is immortalized in my older posts.

The thing that finally got me thinking about another side to this problem was when I went to get my hair done recently. The scheduling form on my salon's web site had a list of stylists with their names given. One stylist had a name that had a rather unusual consonant pair that you don't normally see in English. I wasn't really sure how to pronounce it.

Let's say her name was shown as "RJAY", even though that's not even remotely close to the real thing for both her sake and mine. I thought that was her name, and went with that, until finally I saw how she wrote it out: "R'Jay". That's when I finally understood.

The booking system had decided that an apostrophe was a bridge too far and had just dropped it, thus reducing a fairly easy-to-pronounce name to a blob of characters that isn't her damn name! That it also forced everything into capitals didn't help things.
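The three failure modes in this post (an ASCII-only allowlist, a dropped apostrophe with forced capitals, and a filter that matches a rude word inside a name) are each one or two lines of code. Here is an added example, not from the post or from any of the systems it mentions, showing each of those behaviours beside a version that keeps the name as the person wrote it. The blocklist entry and the sample names are constructed.

```python
"""Name handling as the post describes it, beside a version that keeps the name (added example)."""
import re
import unicodedata


def mangle_like_booking_system(name):
    """The booking-system behaviour from the post: drop anything outside ASCII
    A-Z (apostrophes, accents, spaces) and force upper case, so "R'Jay" -> "RJAY"."""
    return re.sub(r"[^A-Za-z]", "", name).upper()


BLOCKLIST = {"shit"}  # constructed; the post only says "a four letter word"


def flagged_by_substring(name):
    """Naive filter: any name containing a blocklisted string is 'fake'.  Catches Nishit."""
    low = name.casefold()
    return any(word in low for word in BLOCKLIST)


def flagged_by_whole_word(name):
    """Same list, but only a whole-word match counts, so Nishit passes."""
    return any(re.search(rf"\b{re.escape(w)}\b", name, re.IGNORECASE) for w in BLOCKLIST)


# Punctuation that legitimately appears inside names: ASCII and typographic
# apostrophes, hyphen, period (initials) and space.
ALLOWED_PUNCT = set("'\u2019-. ")


def keep_name(name, max_len=200):
    """Return the name as the person wrote it, or None only if it cannot be a name.

    Letters, combining marks and digits from any script are accepted and case is
    left alone.  NFC normalisation makes "e" + combining acute and the
    precomposed "é" identical, so two spellings of one name compare equal later.
    Control characters and the like are rejected.  max_len is a constructed limit.
    """
    name = unicodedata.normalize("NFC", name).strip()
    if not name or len(name) > max_len:
        return None
    for ch in name:
        cat = unicodedata.category(ch)          # e.g. "Lu", "Mn", "Nd", "Cc"
        if cat[0] in "LMN" or ch in ALLOWED_PUNCT:
            continue
        return None
    return name


if __name__ == "__main__":
    for sample in ("R'Jay", "Nishit", "Jos\u00e9 N\u00fa\u00f1ez", "O\u2019Brien"):
        print(repr(sample), "->", repr(mangle_like_booking_system(sample)),
              "| kept:", repr(keep_name(sample)), "| substring flag:", flagged_by_substring(sample))
```

keep_name stores the name rather than a "cleaned" version of it; if a blocklist really is unavoidable, match whole words only and log every rejection so a human sees the Nishits before they are told they do not exist.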

As she worked on my hair, we got to talking about things and that in particular, and I admitted that I had worked at places that had also screwed people's names up badly. I told her about asking the person at Lyft to "if nothing else, promise you won't do it again" and only getting a blank look in response. Then, perhaps because of recent goings-on in the world, I finally saw another possibility for why it might be happening. It's not necessarily clueless programmers, much as I'd like to bag on them for being that way.

We owe it to ourselves and to those around us to admit the possibility that some of these people are doing it on purpose. They're being unmitigated assholes because they realize they can use their position to make someone else's life a little crappier.

Get it? "Assuming best intent" is probably a mistake. When there are enough people being hateful around you, that is no longer an option.

Hanlon's Razor falls down in this kind of environment. It's lazy.

I have definitely made this mistake. You need not go particularly far back in my posts to find that I wrote my "honest troubleshooting code of conduct" which incorporates exactly that. Actual life experience now says that leaning on that is the lazy way out, and that you actually have to do some damn work to figure out exactly what's going on.

It's stuff like this that makes me realize just how much I still do not know, even though some people *have* to know this, and have no choice in the matter. I'm finding it out much later, and while it bothers me that it's taken this long to even get started, it's not going to stop me from admitting my ignorance while pushing to understand more.

While I may never truly understand some of the things that are not daily lived truths for me (and are for others), I can always work towards realizing that it exists, it's valid, and it needs to be appreciated.

Oh, and finally, it's not the responsibility of folks like my stylist to explain it to me. They have enough work to do as it is.

denubis
3 days ago