Cybersecurity researcher Dylan Ayrey of Truffle Security has shared a detailed blog post about his experience with Eight Sleep smart beds since discovering an exposed AWS key inside the bed's firmware, a find that prompted him to investigate its security issues more deeply and look for ways to alleviate them. Besides the AWS key problem, he also discovered an SSH (Secure Shell) backdoor that allows full arbitrary code execution, which makes an Eight Sleep bed a disastrously unsafe device to keep on a home network, not just because of bed-surveillance concerns but because of the security of all the other devices involved.
Back in December, Ayrey posted a tweet from his @InsecureNature account encouraging his followers to guess which of his appliances had the major AWS key security issue, and this was before he had even started talking about the SSH backdoor that allows arbitrary code execution on the bed.
Fast forward to now, and Dylan Ayrey has released an extended blog post, written with the help of Jake King, highlighting the security flaws of the Eight Sleep and the steps he ended up taking to make them a non-issue, particularly in the face of features that wound up locked behind a subscription paywall and a requirement for Internet access, all for a bed that had already cost $2,000 to start.
According to Dylan, he was perfectly happy to put up with most of these downsides but still wound up curious about what might be hiding inside the firmware of Eight Sleep’s temperature-controlled smart bed. His discovery gave him a serious case of “cyber ick” and prompted him to replace the Eight Sleep pod that regulates the bed's temperature with an ordinary aquarium chiller, which seemingly heats and cools the bed in exactly the same way while costing only about $150. This involved cutting one of the tubes routed to the Eight Sleep pod and connecting it to the aquarium chiller instead, but it proved a remarkably simple solution, providing “all the temperature control of an Eight Sleep with none of the apps, subscriptions, Internet connectivity, backdoors, and security liabilities of an Eight Sleep”.
But what exactly are those security liabilities? Besides the exposed AWS key, which is mainly bad for reasons related to account security (though likely not the user’s own account, in this case), the biggest issue is backdoor SSH (Secure Shell) access. It seems that any of Eight Sleep’s engineers can use SSH to access a customer’s bed, detect when it is in or out of use, and execute whatever arbitrary code they please. While this mostly just means bed control and bed monitoring when you limit your view to the bed itself, it gets much spookier when you consider that the smart bed is connected to the rest of your home network and thus jeopardizes those devices, too.
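What auditing a firmware image for the two liabilities above looks like in practice, as an added example (this is not code from the original post, from Truffle Security or from Eight Sleep): a small Python scanner that walks a raw firmware blob for AWS access key IDs, looks near each one for a high-entropy 40-character secret candidate, and flags any baked-in SSH `authorized_keys` entries of the kind a vendor backdoor would rely on. The firmware blob, file paths and SSH key below are constructed for the example; the AWS values are the placeholder credentials from AWS's own documentation, not real keys. Secret candidates are redacted in the output so the scan report itself does not become a second leak.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# AWS secret access keys are 40 characters from the base64 alphabet; we only accept a
# candidate if it sits close to an access key ID and has high entropy (cuts false positives).
AWS_SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# OpenSSH public-key lines as they appear in authorized_keys: type, base64 blob, optional comment.
SSH_PUBKEY_RE = re.compile(
    rb"(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/]+=*(?: [^\n\x00]*)?"
)

# Constructed stand-in for a firmware image: fake ELF-ish header, a config file with AWS's
# documentation placeholder credentials, and a vendor authorized_keys file. None of it is real.
FIRMWARE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/etc/example-app/config.json\x00"
    + b'{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", '
    + b'"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}\x00'
    + b"\x00" * 16
    + b"/root/.ssh/authorized_keys\x00"
    + b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealExampleKeyNotRealAbcd "
    + b"vendor-support@example.invalid\n"
    + b"\x00" * 16
    + b"version=4.2.0-constructed\x00"
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random-looking secrets score well above English or paths."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be correlated without re-exposing the secret."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_firmware(blob: bytes, window: int = 256, min_entropy: float = 3.5) -> List[Dict]:
    """Return a list of findings (type, byte offset, value) for AWS keys and SSH authorized keys."""
    findings: List[Dict] = []
    for m in AWS_ACCESS_KEY_RE.finditer(blob):
        findings.append({"type": "aws_access_key_id", "offset": m.start(), "value": m.group().decode()})
        # Secret keys are normally stored right beside their access key ID, so search a window
        # around the match rather than the whole image.
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        for s in AWS_SECRET_RE.finditer(blob, lo, hi):
            ent = shannon_entropy(s.group())
            if ent >= min_entropy:
                findings.append({
                    "type": "aws_secret_access_key_candidate",
                    "offset": s.start(),
                    "value": redact(s.group().decode()),
                    "entropy": round(ent, 2),
                })
    for m in SSH_PUBKEY_RE.finditer(blob):
        # A public key baked into the image means whoever holds the private half can log in
        # to every unit shipped with that image: exactly the vendor-backdoor pattern.
        findings.append({"type": "ssh_authorized_key", "offset": m.start(), "value": m.group().decode()})
    return findings


if __name__ == "__main__":
    for f in scan_firmware(FIRMWARE_BLOB):
        print(f"{f['type']:32} @0x{f['offset']:06x}  {f['value']}" + (f"  (H={f['entropy']})" if "entropy" in f else ""))
```

On a real image you would run `scan_firmware` over each file of the unpacked root filesystem (or over the raw dump if it cannot be unpacked); the offsets let you trace a hit back to the file that carries it, and any confirmed AWS key should be rotated on the cloud side rather than merely scrubbed from the next firmware build.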