• Alphane MoonOPM
    15
    6 hours ago

    I was willing to overlook:

    • The bed costs $2,000

    • It won’t function if the internet goes down

    • Basic features are behind an additional $19/mo subscription

    • The bed’s only controls are via mobile app

    You have to be crazy to pay for a product like this. You don’t need to be a security researcher to make an educated guess that the company behind this “bed” is going to spy on you.

    Eight Sleep is clearly onto something, having raised $110 million dollars in venture capital, exceeding $300 million dollars in annual revenue.

    I would have never thought this Eight Sleep outfit had hundreds of millions of dollars in revenue.

    • nickwitha_k (he/him)
      7
      5 hours ago

      I just looked at their Privacy Policy/ToS.

      EDIT: Accidentally hit post.

      Anyway, based on their terms, the customer data is definitely the actual product. In addition, the wording makes it seem likely that the de-identification is pretty weak.

      Further details that should give anyone pause.

      Admitting to not respecting “Do Not Track” signals, because they are not legally required to:

      Mention of collecting data about gender at birth, whether one regularly sleeps with a partner, and menstrual cycle regularity:

      These guys are creepy as fuck, without even getting to the possible backdoor. They are selling customer data with a contractual pinky-swear to not re-identify the data (this being mentioned, to me, means that there is a plausible means to do so). So.

      What kind of creepiness could this data be used for?

      • Potential for blackmail/kompromat. (using sensors to detect patterns of sexual activity that could be infidelity or “sexual deviancy”)

      • Targeting people who may have had abortions.

      • Signs of not following religious doctrine (premarital sex, sex for purpose other than procreation, etc.)

      • Checking whether the person is home and likely sleeping.

      • Spying on employees during their off-work hours (not that it’s ok during work hours) and/or scrutinizing sick leave.

      There are a lot more possibilities. Way too dystopian and creepy.

      • Alphane MoonOPM
        34 hours ago

        Trash company with a trash CEO. Until we start treating digital privacy on the same level as physical privacy, this sort of stuff will continue.

  • @[email protected]
    16 hours ago

    Does that mean if your laptop is on your network, they can control and access that?

    Beyond the basics, what does access to a device on your home network grant them? Any other device connected to that home network - smart fridges, smart stoves, smart washing machines, laptops - is typically routable via your bed. The (in)security of those devices is now entrusted to random Eight Sleep engineers.

    • nickwitha_k (he/him)
      25 hours ago

      It means that they can effectively use it as a VPN to access your private network, if like most, it is on the same network as other devices.

      Really though, that’s of little concern compared to their sale of sensitive customer data.

    • @[email protected]
      English
      35 hours ago

      What the article is saying is that they can use the bed as a back door into your home network. From there they operate at the same trust level as anything else on your local network, and anything on your local network that would be vulnerable to an attacker on your local network would be vulnerable to them.