{"id":23948,"date":"2025-03-26T19:22:58","date_gmt":"2025-03-26T15:22:58","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23948"},"modified":"2025-03-26T19:22:58","modified_gmt":"2025-03-26T15:22:58","slug":"how-to-hack-a-smart-mattress","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/how-to-hack-a-smart-mattress\/23948\/","title":{"rendered":"Three ways to hack\u2026 a mattress!"},"content":{"rendered":"<p>For a while after we wrote about <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/52026\/\" target=\"_blank\" rel=\"noopener nofollow\">hacking a bicycle<\/a>, it seemed it couldn\u2019t be beat as the most unlikely hack target ever. However, developers\u2019 imagination seems to know no bounds \u2014 and hackers aren\u2019t far behind in their ingenuity\u2026<\/p>\n<p>And so, here\u2019s introducing the internet-connected mattress system \u2014 or \u201cPod\u201d as it\u2019s called \u2014 made by the company Eight Sleep, along with several ways it can be hacked as <a href=\"https:\/\/trufflesecurity.com\/blog\/removing-jeff-bezos-from-my-bed\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> by security researcher Dylan Ayrey.<\/p>\n<h2>Smart mattress Pod? What\u2019s that?<\/h2>\n<p>Perhaps we should start by explaining what an Eight Sleep Pod is and why someone might want to buy this futuristic piece of tech. The Eight Sleep designers position their product as an \u201cIntelligent Bed Cooling System\u201d. The primary target audience is people with various sleep problems: insomnia, poor sleep quality, snoring, and similar issues that can significantly impact quality of life.<\/p>\n<p>The Pod is made up of a sheet-like \u201chigh-tech layer\u201d (\u201cCover\u201d), and an external unit (\u201cHub\u201d); optionally there\u2019s also a motorized \u201cBase\u201d. 
It allows users to adjust the temperature of the bed \u2014 heating it up or cooling it down as instructed by the owner. It can do it automatically too \u2014 more on this later. There\u2019s a network of tubes with water circulating through them built into it. The external unit connected to this system handles the heating and cooling. The Eight Sleep Pod is divided into two independent zones of a double-bed \u2014 each with its own settings. The temperature range is fairly broad: from 12 to 43\u00b0C.<\/p>\n<div id=\"attachment_53228\" style=\"width: 3090px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190415\/how-to-hack-a-smart-mattress-1.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53228\" class=\"size-full wp-image-53228\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190415\/how-to-hack-a-smart-mattress-1.jpeg\" alt=\"Eight Sleep Pod 4 Ultra smart mattress \" width=\"3080\" height=\"2000\"><\/a><p id=\"caption-attachment-53228\" class=\"wp-caption-text\">At $4699, the Eight Sleep Pod\u00a04 Ultra package is the most expensive version of the system made by the company <a href=\"https:\/\/www.eightsleep.com\/product\/pod-cover\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>But wait: there\u2019s more to it! The Pod has several dozen \u201cclinical-grade sensors\u201d that track users\u2019 sleep quality. It also has vibration motors to wake you up, and sensors for ambient temperature and humidity. The ultimate version \u2014 the Pod\u00a04 Ultra \u2014 comes with a transformable, electronically-controlled bed base.<\/p>\n<p>It goes without saying that the system connects to the internet. It does this via a Wi-Fi receiver in the Hub. Eight Sleep Pods are configured and controlled almost exclusively via an app. 
We say \u201calmost\u201d, because the latest (and most expensive) generation \u2014 Pod\u00a04 \u2014 has pressure-sensitive areas on the sides that you can tap to control certain functions.<\/p>\n<h2>Autopilot and sleep by subscription<\/h2>\n<p>The main software component of an Eight Sleep Pod is the \u201cAutopilot\u201d system, which uses sensors built into the Cover to collect lots of statistics about the quality and quantity of users\u2019 sleep, and generate detailed reports for them. In addition, Autopilot has a number of other interesting options. For example, the system can detect when the user starts snoring and change the geometry of the Base to fix the problem.<\/p>\n<div id=\"attachment_53231\" style=\"width: 2346px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190444\/how-to-hack-a-smart-mattress-2.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53231\" class=\"size-full wp-image-53231\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190444\/how-to-hack-a-smart-mattress-2.jpeg\" alt=\"Eight Sleep Autopilot combats snoring \" width=\"2336\" height=\"1216\"><\/a><p id=\"caption-attachment-53231\" class=\"wp-caption-text\">Autopilot uses vibration sensors to track snoring, and combats it by adjusting the geometry of the bed base <a href=\"https:\/\/www.eightsleep.com\/pod-cover\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The Pod also has a physical alarm clock that wakes the user by changing the temperature of the bed and turning on vibration. However, the key Autopilot feature (and the one Eight Sleep touts the most) is, well, autopilot mode. 
What this does is continuously monitor the users\u2019 sleep quality \u2014 automatically adjusting the temperature to ensure the deepest and most comfortable sleep possible.<\/p>\n<p>In case you thought this was an Eight Sleep Pod ad, let\u2019s look at this product\u2019s numerous flaws\u2026<\/p>\n<p>To start with, these things are eye-wateringly expensive: retail prices start at $3000, and the top-of-the-line Pod\u00a04 Ultra costs a whopping $4700.<\/p>\n<div id=\"attachment_53229\" style=\"width: 2715px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190556\/how-to-hack-a-smart-mattress-3.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53229\" class=\"size-full wp-image-53229\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190556\/how-to-hack-a-smart-mattress-3.jpeg\" alt=\"Eight Sleep Autopilot only works with a subscription\" width=\"2705\" height=\"2000\"><\/a><p id=\"caption-attachment-53229\" class=\"wp-caption-text\">An Autopilot subscription would set you back at least $200 per year \u2014 without it, the most exciting features simply won\u2019t work <a href=\"https:\/\/www.eightsleep.com\/product\/pod-cover\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>But the outlay doesn\u2019t end there: the user will almost certainly have to pay for a subscription that costs between $200 and $300 per year. In theory, you could choose not to pay it, but without the subscription most of the smart features remain inactive.<\/p>\n<p>Also, like any modern tech company, Eight Sleep constantly collects data about its users. 
CEO Matteo Franceschetti talks quite openly about this on X:<\/p>\n<div id=\"attachment_53230\" style=\"width: 1020px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190619\/how-to-hack-a-smart-mattress-4.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53230\" class=\"size-full wp-image-53230\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190619\/how-to-hack-a-smart-mattress-4.jpeg\" alt=\"Eight Sleep collects user data \" width=\"1010\" height=\"1216\"><\/a><p id=\"caption-attachment-53230\" class=\"wp-caption-text\">Eight Sleep has accumulated data on almost a billion hours of their users\u2019 sleep <a href=\"https:\/\/x.com\/m_franceschetti\/status\/1886850192957227231\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<h2>Smart mattress hack No. 1: developer backdoor<\/h2>\n<p>Now let\u2019s shift the focus to why this post was written: hacking this smart-mattress system. Dylan Ayrey, a security researcher, decided to look into Eight Sleep\u2019s security \u2014 simply out of curiosity, he said, as Dylan is the happy owner of an Eight Sleep Pod, which helps him with his insomnia.<\/p>\n<p>You might remember Dylan for his other notable investigations, such as the possibility of using <a href=\"https:\/\/www.kaspersky.com\/blog\/vulnerability-in-google-oauth\/50286\/\" target=\"_blank\" rel=\"noopener nofollow\">phantom corporate accounts<\/a> uncontrollable by workspace admins, or <a href=\"https:\/\/www.kaspersky.com\/blog\/google-oauth-abandoned-domains-attack\/53104\/\" target=\"_blank\" rel=\"noopener nofollow\">attacking Google OAuth via abandoned domains<\/a>.<\/p>\n<p>To begin analyzing the Pod\u2019s security, Ayrey needed a copy of its firmware. Security-conscious vendors don\u2019t just give their firmware away, so trying to find a copy often becomes a quest unto itself. 
Not so with Eight Sleep. The update server lets anyone who follows the link download the firmware for any of the company\u2019s Pod models, no questions asked.<\/p>\n<p>While examining the code, Dylan found a number of noteworthy things, including an API for remote connection via SSH. Given that an Eight Sleep Pod is essentially a computer running Linux (as many other modern devices are), a connection like this allows running arbitrary code remotely on the mattress pad Hub.<\/p>\n<div id=\"attachment_53225\" style=\"width: 1356px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190956\/how-to-hack-a-smart-mattress-5.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53225\" class=\"size-full wp-image-53225\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26190956\/how-to-hack-a-smart-mattress-5.jpeg\" alt=\"Remote access API in the Eight Sleep Pod firmware \" width=\"1346\" height=\"484\"><\/a><p id=\"caption-attachment-53225\" class=\"wp-caption-text\">The Eight Sleep Pod firmware was found to contain an API for remote access to the smart mattress <a href=\"https:\/\/trufflesecurity.com\/blog\/removing-jeff-bezos-from-my-bed\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Judging by the email address associated with the SSH public key found in the firmware code, all (or at least many) Eight Sleep engineers could have remote access to any Pod.<\/p>\n<div id=\"attachment_53226\" style=\"width: 1354px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26191018\/how-to-hack-a-smart-mattress-6.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53226\" class=\"size-full wp-image-53226\" 
src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26191018\/how-to-hack-a-smart-mattress-6.jpeg\" alt=\"SSH public key and associated email address \" width=\"1344\" height=\"296\"><\/a><p id=\"caption-attachment-53226\" class=\"wp-caption-text\">Judging by the email address associated with the SSH public key, every Eight Sleep engineer has remote access to any Pod <a href=\"https:\/\/trufflesecurity.com\/blog\/removing-jeff-bezos-from-my-bed\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>One could use an SSH connection like this to spy on the Pod\u2019s owner \u2014 to find out when they\u2019re sleeping or when they spend the night away from home. It would even be possible to check if there\u2019s one person in bed or two. Having this type of control could also let someone play pranks on the owner by changing the temperature of the Pod, turning the alarm clock on or off, adjusting the geometry of the bed base, and so on.<\/p>\n<p>Nothing like that seems to have happened to Eight Sleep Pod owners yet, but something like it could; theoretical possibilities like this sometimes do materialize. This is what recently happened with Ecovacs robot vacuums: pranksters used vulnerabilities in these devices to <a href=\"https:\/\/www.kaspersky.com\/blog\/ecovacs-robot-vacuums-hacked-in-real-life\/52837\/\" target=\"_blank\" rel=\"noopener nofollow\">harass their owners<\/a>.<\/p>\n<h2>Smart mattress hack No. 2: an AWS key in the firmware<\/h2>\n<p>While still looking at the Eight Sleep Pod firmware, Dylan discovered a valid AWS (Amazon Web Services) key in its code \u2014 used to continuously upload telemetry to the cloud. 
Again this is only theoretical, but if the key fell into the wrong hands it could lead to serious violations of user privacy.<\/p>\n<div id=\"attachment_53223\" style=\"width: 1244px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26191052\/how-to-hack-a-smart-mattress-7.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53223\" class=\"size-full wp-image-53223\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26191052\/how-to-hack-a-smart-mattress-7.jpeg\" alt=\"AWS key in the firmware of the Eight Sleep smart mattress \" width=\"1234\" height=\"480\"><\/a><p id=\"caption-attachment-53223\" class=\"wp-caption-text\">(Not the) best practices for programming smart devices: hardcoded AWS key in the firmware accessible to anyone <a href=\"https:\/\/trufflesecurity.com\/blog\/removing-jeff-bezos-from-my-bed\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>For better or for worse, the full truth about the presence of an Amazon key won\u2019t come out. Dylan notified Eight Sleep, and by the time his research was published the key had already been revoked. However, the mere presence of the key within the firmware, where it was accessible to anyone, was clear evidence that user security and privacy were taken lightly.<\/p>\n<p>Dylan further adds that the key could have, at the very least, been used to cause financial damage to the company by sending a large number of meaningless requests to the AWS cloud.<\/p>\n<h2>Smart mattress hack No. 3: jailbreaking with the help of an aquarium chiller<\/h2>\n<p>Clearly inspired by his earlier findings, Dylan decided to attempt jailbreaking the Pod \u2014 that is, detaching it from Eight Sleep\u2019s cloud services. 
Dylan took a drastic approach: he disconnected the external unit (with all its smart electronics and internet connectivity).<\/p>\n<div id=\"attachment_53227\" style=\"width: 1610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26191117\/how-to-hack-a-smart-mattress-8.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53227\" class=\"size-full wp-image-53227\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/03\/26191117\/how-to-hack-a-smart-mattress-8.jpeg\" alt=\"Physical hack of the Eight Sleep smart mattress achieved with an aquarium chiller \" width=\"1600\" height=\"738\"><\/a><p id=\"caption-attachment-53227\" class=\"wp-caption-text\">Detaching an Eight Sleep smart mattress from the cloud using a $150 aquarium chiller <a href=\"https:\/\/trufflesecurity.com\/blog\/removing-jeff-bezos-from-my-bed\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Dylan replaced the Eight Sleep Hub with\u2026 a common aquarium chiller. This system, in contrast, doesn\u2019t require an app or a subscription fee, collects no user data, comes without any backdoors, and runs perfectly well without an internet connection. What it <em>does<\/em> do is effectively adjust the temperature of your bed, and, just as importantly, it costs only $150.<\/p>\n<p>For those who prefer a less radical approach to the issue of Eight Sleep products being tied to the vendor cloud, <a href=\"https:\/\/github.com\/throwaway31265\/free-sleep\" target=\"_blank\" rel=\"nofollow noopener\">Free Sleep<\/a> offers a solution. This is an open-source software suite that allows you to take control of your smart mattress.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security researcher has investigated his own smart mattress cover, discovering several ways to hack it \u2014 including through a backdoor preinstalled by the 
developer.<\/p>\n","protected":false},"author":2726,"featured_media":23950,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1226,1486],"tags":[111,1520,2817,82,628,765,97,738,321,521,783,268],"class_list":{"0":"post-23948","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"category-threats","9":"tag-attacks","10":"tag-backdoors","11":"tag-data-collection","12":"tag-hacking","13":"tag-internet-of-things","14":"tag-iot","15":"tag-security-2","16":"tag-surveillance","17":"tag-technology","18":"tag-threats","19":"tag-tracking","20":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/how-to-hack-a-smart-mattress\/23948\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/how-to-hack-a-smart-mattress\/28709\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/how-to-hack-a-smart-mattress\/28826\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/how-to-hack-a-smart-mattress\/39285\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/how-to-hack-a-smart-mattress\/53232\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/how-to-hack-a-smart-mattress\/28981\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/how-to-hack-a-smart-mattress\/34773\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/how-to-hack-a-smart-mattress\/34405\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/internet-of-things\/","name":"Internet of 
things"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23948"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23948\/revisions"}],"predecessor-version":[{"id":23951,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23948\/revisions\/23951"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23950"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}