Buried lede: “What I did find was a "convenient" backdoor that Sleep Number can use to SSH back into the hub (and my internal home network as a result).”
Why does a bed need to run Linux? Why?
Of all the possible timelines, we live in the dumbest. What was wrong with a plain old bed without 1GB of RAM and a full OS running on it?! It is the same everywhere. Finding a washing machine that was not WiFi-connected was a chore and I dread doing it again in ten years.
As a person who's broken into O(1000) "smart" devices (for fun and for profit both), I do not want them in my house, and avoiding them is getting harder due to insanity like this linux-running bed! Please make it stop!
what would be a better way to design this that is cheap and updatable? Specialized hardware is riskier to build, b/c bugs would require a complete reprint.
NOTHING in a bed needs to be updatable. Nothing. It needs a PIC12F509 to run a motor when you press a button and check for a jam.
How do you ensure the network traffic is encrypted with a PIC12F509?
Correct. Beds should have no network or traffic.
how do you analyze your sleeping quality and habits over time? a built in display?
This reminds of the 2005: "phones shouldn't support texting. people should just call" vibes.
At most a BLE chip to send data to your phone in a way that doesn’t touch the internet
I despise the modern "smart" device and actively look for "dumb" things, but if it's going to have a BLE chip in it, it needs to be updateable to fix vulnerabilities. There are mountains of devices from earlier years that are basically wide open radios now because of this.
Personally I'd much rather the damn thing just have a built-in display with hardware controls.
Bro are you serious? Those aren't things the average person wants.
You get to decide this? The average person is also not homosexual.
How do I analyze my sleep quality? I gauge how tired I am when I wake up... as man has done for eons.
We're not talking about different modes off communication, we're talking about adding communication to a "device" that doesn't need it.
How does a PIC12F509 connect via bluetooth to talk to an app for the consumer to configure things? How does it connect to wifi to talk to a server to save data to? Like it or not, an app to configure the device instead of the device having a VCR remote control to program in schedules is what consumers have gotten used to these days. If you think there's room in the market for a sleep pad that doesn't talk to the cloud, you're welcome to try, but mass market consumers have come to expect more from products.
Like it or not, an app to configure the device instead of the device having a VCR remote control to program in schedules is what consumers have gotten used to these days.
No?? When was the last time you spoke to another human being about this topic? Has any other person in your life seriously told you that they like having to download a smartphone app to set up their soundbar? Have you managed to fully insulate yourself from the broader world with a circle of dead-eyed freaks that gleefully spend their free nights registering their appliances online and reading end-user license agreements?
I hate the app+cloud garbage as much as you, but have you considered how a VCR would be programmed today? Take your universal touchscreen device out of your pocket, select the VCR app, get a list of programms for the next weeks, touch the one you want to record (or do a full text search), select if you want to record this episode, all, or a certain set.
In the past, you needed to first buy this weeks TV magazine. Or if you got it by mail, find it between all the other magazines. Then, skip all the ads and find the schedule, in there find the program you're looking for. Now you either need to figure out the exact time slot the program airs, or some EPG code. This data now needs to be entered into the VCR. Either find the remote, or knee in front of the device. Enter the code using a rotary encoder, digits 0-9 and a few buttons, or a mixture thereof.
In both cases you need to set the receiver to the correct program before leaving the house, else the SCART-connected VCR wouldn't get the video signal. Also you'd need to hope the EPG sent by the station is updated properly - we often had some part of the recording missing, or the recording started to soon/stopped to late. I hope you did put in the correct tape and remembered to rewind it. (I'm ignoring that a modern "VCR" would store the video in the cloud and not need all of this; or a hybrid would at least get the video stream via IPTV and put it on a HDD).
Try speaking to other humans about this topic, they don't want these "good old times" back.
Also, apps suck because they are mostly always horribly made (they don't need be, but they often are, because the product needs to be cheap); and I hate being forced to use the cloud and have my hardware not work anymore after 5 years because someone decided their Amazon bill is becoming too expensive. Did I mention I don't want my data to be sold to virtually everyone - errr, I mean "shared with partners"? So I either buy things with local control, or no smarts at all.
I remember it being far less complicated.
I just had to pick the start time, the end time, and the channel the VCR need to be on to record. If i wanted to be fancy, I could pick the tape speed as well. VCR did the rest, as long as the time was correct (but really I just recorded for a minute or two on either side.)
Program guide was always in the sunday newspaper as its own booklet or in the daily newspaper.
For those not brought up in the Era of Video Cassette Recorders…
SCART: https://en.m.wikipedia.org/wiki/SCART
EPG: https://en.m.wikipedia.org/wiki/Electronic_program_guide
No, manufacturers have come to expect monthly revenue on top of getting paid for the hardware.
I conjecture that mass market consumers have come to expect this because it's been pushed down their throats for the last ten years by rampant rent-seeking. Who is really asking for an internet-connected bed for goodness' sake??
but but but, we need to see all of that data about your sleeping patterns so we can adjust settings to make you even more comfy. are you getting too hot? we'll cool down the temp for you. getting too cold? we'll heat it up. starting to snore, we'll automatically incline you to change your positioning.
of course we'll also sell all of that data so we can send you an ad for new bamboo sheets to keep you cool. or any thing else from anyone else that offers us money for the data
Why would I want so much software in my bed that even makes sense to discuss updating it?
Updating the domain name the server talks to, updating the security system (like supporting new versions of TLS, updating certificates, etc).
TBH, I wouldn't trust a custom hardware chip that can decrypt the traffic and have it last for the life of the product.
I wouldn't trust a bed that sends traffic to a remote server.
The old Sleep Number beds were not smart, they worked fine. I think people want to drown in useless data these days trying to "fix" their sleep when the reality is its their job or high stress causing sleep issues.
Smart temperature and softness adaptation for different regions? Sleep stats of your positions, maybe combined with some deep sleep stats? I mean, there are options
At least it doesn't run windows
"man, i tried going to bed last night, but it was a BSOD so I had to reboot it, but then it needed 45 minutes of OS updates before I could get in the bed."
seems like a pretty good torture on multiple levels
"before you go to bed you must acknowledge our updated terms of service. Please bear in mind, that our newly added AI engine will process all the thoughts you have during your sleep. Images you see will be stored in the cloud and allowed for further processing by us"
If this paragraph made you giggle, give "Feed" by MT Anderson a read.
And they wonder why so many people are sleeping on the streets these days. It’s just better UX.
It wasn't that long ago I tried to use an ATM only to find a WinCE error screen displayed on it. Scary stuff.
I've heard the Windows 3.1 ding (1) on an ATM. This was 2022. I hope it's just because the developers stole the wave file from Windows 3.1...
Sounds like the problem isn't Linux, it's insecure development practices. As mentioned in sibling comment, Linux development is far easier to hire for, iterate on, develop updating mechanisms for, etc - specialized embedded development is less popular.
Sounds like the problem isn't Linux, it's insecure development practices.
No, it's making devices "smart". There doesn't need to be a wifi-connected computer inside a washing machine, cooker, or fridge. In fact all these things can run without a computer in them at all, and they're arguably better for it.
The reason is demand. There's nothing wrong with a smart device (even one you find to be useless) if it's secure. Just.. don't use its smart features.
I of course agree with you principally, I don't want smart devices, but it's not very malicious to have a sleep number bed sitting unconnected...
It’s not always demand. Lots of people don’t want smart TVs, but that’s too bad. The smart TVs are subsidized to manufacture because the software can put more advertising on, which makes it a supply-side issue.
The reason is demand
Induced demand.
A bed doesn't have to be complicated. Why in my day, we got shit done on beds with only a Z80 and 32K of RAM. I remember when I bought my first bed with cooperative multitasking - a red letter day! And double density duvets were a game changer. But I don't miss traipsing down to the public library with a blank vinyl record to get the soft wear updates - and if you forgot, you got bed bugs!
Bonus points for "double density duvet"
Me and my wife manufactured our kids in a bed that only had relays as logical devices.
"The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise."
No way a printer in proximity to a shotgun (or window) last more than a few months.
And this is another lame "insightful" meme. I work with plenty of cybersecurity people and they have plenty of smart devices. They're the ones with Home Assistant setups and ESPHome flashable hardware on they're own internet isolated wifi.
Which is in fact a standard feature on many consumer routers now.
What we're missing is a "local only" directive from the EU to get manufacturers to play ball for the common man.
I feel the same way -- the silver lining is that it's helped push me to buying older / used / more maintainable stuff for a fraction of the price, all the while learning a little here and there about minor repairs for older electronics. This is a big win for the pocketbook and gratifying to keep something out of the landfill.
Reduce / reuse / recycle -- in order of importance.
I like: reduce, re-use, repair, recycle.
I agree with fixing older stuff. I buy used frequently. Estate sales are my lifeblood. If you can't fix it you don't own it.
Why does a bed need to run Linux? Why?
We're in the era of measuring yourself for better outcomes. A century ago we figured out antibiotics. Big gains. Then we figured out a lot of other pretty obvious diseases with pretty obvious cures.
Now we're down to the complicated subtle things. This bed is running Linux so it can tell you how you slept. If you're sleeping poorly it has all sorts of mostly mild negative effects. If you know about them you can do things to fix them. It's doing a low-grade sleep study on you every night. That can be valuable information.
avoiding them is getting harder due to insanity like this linux-running bed
Sleep Number beds cost several thousand dollars, I think you'll be able to avoid them just fine.
Now we're down to the complicated subtle things.
Totally false. Any gains from micro optimizing people's sleep are wiped out by the constant mind pollution of social media. We are in an era of constant distraction.
Why does a bed need to run Linux? Why?
the bed got envious of the toaster and refused inference until Linux was installed.
Funny part to me is that I fully assumed that this was a post about hacking Eight Sleep beds by someone who didn't want to explicitly name the company, presumably for vague legal reasons.
Then I got to a picture of an apparently real "Number Sleep Hub" and my mind was blown. WTF are we in a timeline so weird that there are two companies making water cooled beds, one is called Eight Sleep and the other is Sleep Number? It's like the RNG for this instance had a bad seed.
Nah, Sleep Number beds are basically just an "air bladder" (aka a giant vaguely mattress-shaped rectangular bag) that sit in a tomb of foam.
https://i.ytimg.com/vi/pMiTq6YkJ2c/maxresdefault.jpg
People are literally paying a couple grand for a fancy adjustable airbed with some foam on top of it.
I get your point but is there a significantly cheaper alternative? As far as DIY goes, I don't think I'd be able to replicate a "Sleep Number" bed with my air mattress and foam.
The cheaper alternative is a regular mattress.
I was forced to buy one against my will. The new models are significantly better than they once were and it feels like a regular bed now rather then two air mattresses with some loosely arranged foam dividers. They've dumbed down the app and made the data reporting worse but it used to give decent stats on breath and heart rates.
I had never heard of either so thought the title was a metaphor for "how to get root access to your brain to improve sleep quality"
I sure hope these beds have tactile controls you can feel and use in the dark, and don't require pulling out a smartphone in front of your face while trying to sleep to adjust them, because bed/matress manufacturers for sure must know what is good and bad for sleep quality
I agree the interface should be simple to operate in the dark without being blinding, but I’m left wondering how common late-night adjustments are. I imagine it tends to be pretty “set it and forget it” for most people.
The older models had a corded control with a red led display that didn't destroy your eyes at 3am.
It turns out naming things is an unsolved problem outside of computer science as well.
Also in computer science, if one looks at all stupid product / framework / language names.
There’s actually another company called SleepMe (or maybe that’s the product…?) that makes a mattress cover that’s water cooled (or warmed)
As a night shifter it’s completely life changing in allowing me to sleep comfortably during the day. 100% worth the price to me
There's also BedJet, who makes a fancy-pants bed blower for between your sheets. It's running on an esp32 inside of itself to control the heater and the blower and the remote control, but they didn't quite make it as smart as I'd like.
Fortunately I can just use the ESPHome Bedjet module (https://esphome.io/components/climate/bedjet.html) and just yell out in the middle of the night if I'm too cold.
You assume it's a funny coincidence, I'd say Eight Sleep picked a name that as a easy to confuse with Sleep Number as they could without getting immediately sued.
I didn't read the article, so I too thought the title was something unrelated and ridiculous.
People are beginning to forget about waterbeds, thus allowing space for doing something weird with beds again, I assume.
Sleep Number the brand has been around I think since the 80s? Never had one personally but definitely an old brand though maybe if you are not in the US you would never have heard of them.
two companies making water cooled beds
Sleep Number aren't water cooled I don't think.
Sleep Number gets its name from the firmness controls on their mattress. You pick your "sleep number" and your partner picks theirs on the other side of the bed.
I'm interested if anyone has pulled the same thing with eight sleep. Not having access to control my bed's temperature because my internet is out bothers me deeply.
What fresh hell is that. Why does it need to reach out to the internet?
To ensure you've paid your monthly subscription fee (Not joking - the mattress cover has a subscription)
What sort of person is buying this? Do they give away the mattress for some really cheap price initially?
No it's actually 2-3k+ usd. I had done some cursory considering of it over the past few months because it seems like a potentially reasonable solution to a real problem I struggle with.
But yeah part of it is like, it's really weird. If you asked me how much consistently better sleep would be worth, the answer is how much do you want?
But phrase that as "Bed as a service" and my reflex is "you're kidding, righr?"
What problem are you trying to solve if you don’t mind sharing. It sounds like you’re paying for sleep tracking but couldn’t you just do that with something else like an Apple Watch?
They run cooled/heated water through them, the idea being that temperature can trigger / lengthen certain phases of sleep. Think getting into a warm bed that gets colder as you go into deep sleep, and then when the night is done warms up again for wakeup. In my case, it seems to work really well, but I have the same resistance/frustration with the ongoing subscription.
It shouldn't be too complicated for a motivated hobbyist/hacker to retrofit it to run it with some custom DIY hardware eschewing the subscription need completely.
After all, it is just a couple of pumps, a heat pump and/or a resistance and some sensors.
If you asked me how much consistently better sleep would be worth, the answer is how much do you want?
Get to bed early, sleep cool, don't use an alarm? (also don't work shifts)
don't use an alarm? (also don't work shifts)
You forgot 'don't be poor'
Shouldn't "bed as a service" be a hotel?
What. The. Fuck. Why would anyone buy such thing then? I really don't get it.
The intersection of lots of money and moron is where most product-market fit exists. It also happens to be a large addressable market.
It's no doubt also collecting data on you.
I was going to buy an Eight Sleep and then I immediately lost interest when I realized they pull this shit. If I'm paying you over $1000 for a mattress cover, I'm not paying you "rent" money just so the thing will work.
I use a blanket which handles 95% of my cases; in my ski cabin I have a cheap electric mattress pad that handles the other 5%
Wait, this is about an actual bed -- you know, the kind that you sleep on -- that runs an SSH server on Linux?
W. T. F. !?
how else would you record and transmit measurements to a server? lower-level hardware and software is expensive to develop on and potentially be difficult to update.
I don't need my bed to transmit measurements to a server. I need my bed to be comfortable to sleep on. I need exactly zero interactions with a server for that.
So, yeah, back to the question. Why does my bed have an SSH server? Because it needs to be able to talk to some machine on the internet. And why does my bed need that? It's a bed.
[Edit: Wait a minute. Even if I do want to transmit measurements, why is my bed running a server? My bed should be running a client.]
If you sleep alone, live in a comfortable climate, and don't have any sleep problems, or back pain problems, I'm happy for you. Your experience isn't universal though and sleep is the most important thing you can do for your body so getting good sleep is paramount. Furthermore, having data on how well you slept is very useful for figuring out your own body. We wear devices to log how many steps we take, a device to log how you sleep is just an extension of that.
Are you even taking care of yourself if you don't have one?
Okay no but seriously, a smart bed that helps you get really good sleep at night so you wake up rested and ready to face the whole world may not be your cup of tea, but that's what they're selling. You could get that without all the technology, but what's the sleep company going to do with the data? Know that you sleep at night? What's the privacy danger in that?
The bed doesn’t need a cloud connection to do any of those advanced features. A phone app and BLE connection (like a smart watch) could easily handle it.
I don't need my bed to transmit measurements to a server. I need my bed to be comfortable to sleep on. I need exactly zero interactions with a server for that.
Then don’t buy this specific bed?
These features are part of why people buy this product. Nobody is accidentally purchasing this as “just a bed” and then discovering that it has an app and smart controls as a surprise later.
And why does my bed need that? It's a bed.
This is a very dishonest take. If you don’t understand or don’t want the product, then don’t buy it. But the smart controls exist because people (other than you) want them.
How about just don't run SSH?
There never was a Year of Linux on the Desktop, but there's been a year of linux on the phone, linux on the car, linux on the submarine, linux on the fridge, and so it's no surprise there's a year of linux in the bed.
Anything sufficiently complex (this bed: https://en.wikipedia.org/wiki/Sleep_Number#Sleep_Number_Bed) is going to have a microprocessor, and it makes sense to have an OS that lets you interact with it via a serial console, with Linux being the cheapest and most commonly supported OS in that context.
It's an inflatable mattress with an adjustable pressure regulator. That's pre-computer-age technology. The only thing that requires a computer is to make the adjustment remote. Why would you want to adjust your bed remotely?
The only 'why' that springs to mind is messing with friends, relatives, AirBnB guests remotely while filming it on the webcam .. all very problematic.
Still, imagine an uninflated mattress half under the actual mattress, inflated at midnight to tip someone out of bed.
Juvenile college humour, yes. Market size low but likely non zero.
That is one crazy stock graph (zoom out to max):
https://www.nasdaq.com/market-activity/stocks/snbr
Bedco went up 10x during the pando.
You think that's bad, you should see Eight Sleep.
Not only do they run an SSH server on their embedded Linux device but the entire Linux component is unnecessary. All it really does as far as I can tell is act as a bridge between an STM32 and a process long-polling AWS for commands. They could have achieved the same thing with less cost and complexity with an ESP32.
Also bad: they engineered it maliciously, making it completely and unnecessarily dependent on the cloud. All the sensor data is streaming in real time to the cloud and the only way to send it commands is through AWS.
If a Chinese company did this, the company would be cancelled.
In fact I'll be shocked if their product isn't blown out of the water in a couple of years by a Chinese copy that can function entirely offline and despite that massive disadvantage, can implement advanced features that Eight Sleep charges $200/yr for, like an alarm clock.
Thankfully their nonsense resulted in it being pretty easy to hack. There's a GitHub project to replace parts of the firmware.
If a Chinese company did this, the company would be cancelled.
It's worth noting that this is the first time I've ever heard of this company in my life. Something can't be "cancelled" if it has no mind share.
Also bad: they engineered it maliciously, making it completely and unnecessarily dependent on the cloud. All the sensor data is streaming in real time to the cloud and the only way to send it commands is through AWS.
Why would they unnecessarily add local processing capabilities to their data collection tool? The entire point was collecting the data.
Is this your first exposure to Linux-based embedded devices? It’s very common to run Linux on embedded devices. There are even variants of Linux designed for microcontrollers.
Pretty wild. I used to have one of these beds, but it was before everything got "smart". It had two corded controller's hooked up to the pump. The controller displays the number and had up/down arrow buttons to adjust.
No internet required. No Linux powered microcontroller required. My bed couldn't get hacked. I slept in comfort.
What I’m trying to teach myself to do whenever I think “this is ridiculous overcomplexity” is to imagine whose life it might make simpler.
Let’s assume I have some sort of motor disability: it could be anything from Parkinsons to quadraplegia. Having a bridge out to a common controller that maybe works on speech or some other standardised input method that works for your disability is a massive benefit. And avoids having to deal with the complexities of each individual products’ inability to meet your own accessibility needs in different ways.
So much smart home stuff is basically pointless to those of us fortunate enough to have currently able bodies, and a lifesaver to the rest.
You certainly don't need a cloud defaulted device in order to do what you describe. There are plenty of assistants, Google and Alexa being two, that can talk to things on your local network with a REST API. That controller also has a gig of memory, plenty enough to run a little API.
What manufacturers like about cloud enabled devices is that they can automatically upgrade the firmware and they can get semi-accurate counts for usage.
I think this goes right back to the parent's point.
I presume you personally could set that up. I probably could too. But 99% of the world isn't tech experts and can't do that. Or fix it if something goes wrong. Even if you can, you might just want to go to bed and not have to debug a broken assistant integration first.
The benefit of cloud integration, for that 99%, is that there is a professional out there to keep it working.
Maybe. My point is that there wasn't really an attempt at solving those things locally first. They just went straight to cloud with the reasoning you mentioned.
What manufacturers like about cloud enabled devices is that they can automatically upgrade the firmware and they can get semi-accurate counts for usage.
What they like is that they can charge you a recurring subscription for "service"
They also like the possibility of future MRR.
Have you considered talking to people instead of imagining their response? Because regular people seem kind of fed up, and we're still over here cramming insecure computers into everything.
Those outside of tech could not care less about anything discussed on this forum.
They may care in a passive sense -- the same way that most people care about social causes. They (myself included) agree that some situation is bad, but they don't inconvenience themselves improve the situation.
As an example, many people have some story about creepily being shown ads after talking about something with a friend. It's concerning to them, but no action is taken.
I'm currently recovering from some foot and knee injuries that seriously limited my mobility for the past few weeks, the fact that I can adjust my thermostat from my phone has been a Godsend.
This is a nice point that is often missed in the cacophony of complaints about complexity. If companies are not simply leveraging complexity for the sake of profit, restricted use or repair, etc. then these complaints, as feedback, should still be worthwhile in order to employ complexity.
Extending this idea to how devices operate or are maintained it seems like we're still in a nascent stage. I benefit from a few smart devices but even in a very simple setup, things fail sometimes and then I have to fix it. My mom might benefit from some of these things but she feels better off foregoing the benefits because resolving any issue would be far more costly or impractical.
What I’m trying to teach myself to do whenever I think “this is ridiculous overcomplexity” is to imagine whose life it might make simpler.
I prefer to think "How can this be used against someone" because while there are a lot of "smart" devices that can help people, they are often also being used to exploit those same people by collecting massive amounts of data and using that data against them or selling/leaking it to those who will use it against them, or allowing hackers to gain access to their data/network.
People with a disability or those with accessibility needs shouldn't need to give up their right to privacy or security to take advantage of every technological advance that might make their lives easier. Even people without a disability don't need some company collecting a detailed record of when/how often/how long they have sex, or how many nights they sleep alone, or what days/hours they spend in bed, or what times they go to sleep or how much sleep they get.
Devices should be designed to protect users and not to collect as much data as possible, or push ads, or expose them to hackers.
That's all well and good until it's smothered in surveillance capitalist garbage. There's a thin veneer of helping the disadvantaged/vulnerable group du jour that is used to justify abusing everyone that interacts with it. You see the same crap with "think of the children" panic.
Unless these devices respect their users, they're simply profiteering off of the disadvantaged, which in my mind should be just as rage inducing.
This is the kind of bed I would buy. Imagine having to buy a bed with access for Wi-Fi. That’s crazy because that’s more hardware needed than just plugging the freaking thing in the wall.
With climate change and our general impact on environment worsening each year, our relationship with technology is starting to be like a big elephant in the room. Do people really think a sustainable and equitable society is possible while having microprocessors and telecommunication devices in beds ?
This kind of luxury will always be reserved to the wealthiest in society, and its availability dependent on the relentless exploitation of land and human beings.
Why does it sound like you're proposing that nobody should have fancy things, instead of proposing that everyone should have access to fancy things?
If everyone has fancy things then there will be even less environment to go around.
Do people really think a sustainable and equitable society is possible while having microprocessors and telecommunication devices in beds ?
You realize the cost of the chips in the bed are a lot less than the cost to even ship a mattress right?
Puritan morality is so deeply embedded in our culture people don't even realise they're repeating it.
If I told them they couldn't have a coal-fired home blacksmithing setup "for the environment" then this would seem unfair.
But a 10c microchip? Suddenly this must be evidence of excess! (Even though the price represents that fact that it's a staggeringly efficient use of resources that also has supply-swappable carbon impact).
It's an overpriced bed with a tiny computer in it. It uses the same resources as a cheap bed + a tiny computer and lots of people have those. There's no extra exploitation going on here, these beds are just expensive because they're paying a bunch of engineers to do questionably necessary things.
The problem with activists is so many of them are foolish and just like complaining about things. Go find an actual problem to solve.
I empathize with what you're saying, but "we shouldn't have things people want" is a solution to climate change in the same way that "we shouldn't have gravity" is a solution to air travel. It's not gonna work. Find another approach.
The hub communicates with the Sleep Number servers by opening an SSH tunnel and providing a reverse tunnel back to the hub that their developers can use to connect to the hub and do maintenance when needed.
Kinda interested just to see what the parameters of this are like. Is it using PubkeyAuth or just password? Is it tunnelling home via ip or dns?
If everything is just right, I can imagine the setup for the most hilarious DNS hijack in human history.
In the immortal words of Homer Simpson. Bed goes up. Bed goes down.
The hub communicates with the Sleep Number servers by opening an SSH tunnel and providing a reverse tunnel back to the hub that their developers can use to connect to the hub and do maintenance when needed.
Shouldn't bed owners sue them if they haven't been warned of that fact prior to purchase? Getting illegitimate access to your network and backdooring it is criminal offense right?
I'm sure there was a T&C that included all this and you waive rights to complain about this or join a class action about it.
Tired: SIM swapping attacks against cryptobros.
Wired: Since Sleep Number beds get tied to orders, break into Sleep Number, find your target, SSH into their bed, and pivot into their home network to steal their crypto wallets.
After all, everyone always hides their money under their mattress ;)
I am not a crypto bro but was the victim of a sim swap attack recently. It was really annoying but at the same time kind of funny because they literally only went after the 2FA app (Authy) once they stole my number, which thankfully didn't have anything meaningful attached to it.
Anyone else getting cloudfare blocked on TFA?
I am getting blocked. What is "TFA"?
I tried 2 different IP addresses from Brazil and they got blocked.
I tried an IP address from the USA and another from Canada, and both worked correctly.
The message you get when you're blocked is:
Sorry, you have been blocked
You are unable to access dillan.org
Performance & security by Cloudflare
Why have I been blocked?
This website is using a security service
to protect itself from online attacks.
The action you just performed triggered
the security solution. There are several
actions that could trigger this block
including submitting a certain word or
phrase, a SQL command or malformed data.
which is false since I wasn't doing any of the things they list.I wonder why they think that Brazil and other countries shouldn't be reading this site? Is the owner of the site able to geo-target which countries he wants his site to be shown in via Cloudflare?
r: Following this guide will require modifying internal files on your Sleep Number hub. This will void your warranty
People, stop spreading this BS.
Just like those stickers that say "warranty void if removed" are not legally enforceable, nothing "automatically" invalidates your product's warranty except misuse or poor maintenance.
If your Smart Bed stops working, you having poked around in the controller does not relieve the manufacturer from their warranty obligations (including implied warranty.) The onus is on them to prove that you damaged it, subjected it to "unreasonable" use, or did not properly maintain it.
You fry the bed's brain trying to hook up a JTAG when you accidentally bridge 5V to a 3.3V logic circuit? That's on you.
The controller fails because the power supply blows? The fact that you installed a JTAG header, googly eyes, and painted it pink is irrelevant. They need to fix your shit.
Even if you modify the firmware, it's on them to prove your modifications caused the failure.
Would you expect to have your laptop's warranty invalidated because you use it to game (which generates lot of heat)? Of course not. How about if you install Firefox? Or install Linux? Again, of course not. So why do you think the rules change just because a device is "dumber"?
There's a difference between law on paper and law in practice. If the manufacturer refuses to honor the warranty, there's very little customers can do.
That's wonderful, but it doesn't change the lived experience of warranty's.
Small claims court is cheap and easy, and often the only way to get them to honour the warranty even if you haven't messed with anything.
Next, ransomware. "Pay us $1000 or you won't be able to sleep in your bed for the next month".
Wouldn't subscriptions be next?
Pay us $50 a month and we’ll keep the other hackers at bay.
Is there a ransomware protection racket yet?
Yeah, they have existed for a long time, the are called anti-viruses.
Same thing, really
Here are some facts for you
* sleep number beds have sensors in them that detect heart rate
* they do this by detecting pressure differences in the air mattress
* these are effectively microphones, right? and quite sensitive
Do they really detect heart rate through pressure sensors? That seems like it'd have so much noise the data would be unusable. Edit: Looks like they couple it with some fancy statistical analysis to get accurate enough data. Interesting
They acquired Bam Labs' tech to do this.
Best add 'solder' to your shopping list unless you already have some, or the new iron you buy comes with a starter amount.
If you click the actual link in the article you can see it's a kit that comes with solder and a bunch of other stuff
I don't have to do any hacks to use my Lidl mattress. It just works. Am I doing something wrong here?
Have you considered a mattress topper?
Thats a brand new sentence
Cool, but I liked this bed-related hack better https://techcrunch.com/2009/12/12/newlywed-sex-tweets/
I have an analog bed. No root access necessary for sleeping.
There's a similar method to get into an Eight Sleep Pod 3 [0]. This requires less extra hardware though since some models come with a MicroSD card that you can modify. The method used in TFA might be a good way to get root on Pods without the card. That being said, I just learned that while Eight Sleep does sign their firmware updates, they also send you the private key used to sign the update in the same package.
OK, not buying Sleep Number.
I slept on inflatable mattresses for years, until the company making them started outsourcing to China and the seams on the internal baffles broke on two mattresses.
Devil's advocate. As someone who has developed a Linux based appliance with over 100k live units across the globe, it seems insane to NOT have access to the thing you're selling and that you have to maintain. If your thing breaks or gets bricked by an update, you will call support and expect them to fix it. You don't want to send in your device or have a support technician come to your house to fix it.
So yes, to the conspiracy theorists it may look like a secret backdoor -- it sorta is. But in many cases I bet it's just a safety net for developers and support to fix things.
I speak for myself and my own experience working for $oldjob. Other companies or countries may of course use this differently. And of course companies get sold and such so you'll never know.
That's a fair argument, but it doesn't appear that that updates are high on sleep number's priority list:
If we give them the benefit of the doubt, perhaps they intended to to keep it up to date but ultimately compaines need to either be transparent about their remote access and manage it responsibly, which includes keeping the system patched, or give up access
I am not defending them for not keeping their stuff up-to-date, but it is very common practice for embedded systems to be hopelessly outdated. I've done what OP describes with IPMI/BMC systems for $mainboardmanufacturer1 and $mainboardmanufacturer2 (both really big name brands), and their BMC systems were equally outdated. It was almost comical, but really sad at the same time.
Moral of the story is to firewall things off really well, I suppose.
At $oldjob, I designed an upgrade mechanism to do A/B image updates so things were always up to date, or at 2-3 weeks out of date. See [1].
For small embedded systems that do not have enough space/bandwidth, this may not be feasible though.
[1] https://blog.heckel.io/2019/09/18/image-based-upgrades-upgra...
I know I'm preaching to the choir, but I do prefer not having to treat my bed as a hostile device on my network
Even if it didn’t have the intentional backdoor… you probably should be treating it as hostile anyway.
Even where not intentionally hostile, not intentionally privacy invading, not trying to fetch updates so it can show you more ads, not… most of this stuff is so hopelessly out-of-date and full of security vulnerabilities it’s only not hostile out of luck.
I don’t connect anything to WiFi unless absolutely necessary. And by that I don’t mean “the device demands it” (I just won’t buy the damn thing) but “it’s a core part of the functionality I’m asking of it”. I’ll prefer zwave/zigbee, Bluetooth, or something else wherever possible when communication is required. (If I were forced to use this bed and it had no manual controls I would definitely have used Bluetooth, avoiding this whole issue.)
And even for the devices that do get a WiFi connection… they run entirely isolated, on a separate SSID and VLAN from my normal devices and traffic, and with a whitelist for what traffic is allowed.
As far as I’m concerned the only difference between this bed and the other devices is that we know about the issues with this bed. We have no reason to believe that the other devices are any better, and in fact a pretty large body of evidence suggesting that they’re probably not.
This is what I do today, and honestly I'm about to give up. We lost. Trying to get stuff like airplay / DLNA to work via mDNS is already impossible across subnets, and telling family to switch networks if they want to control X with their phones is just a shit solution. I have to disable 90% of my vehicle's "infotainment" screen to not feel spied upon, and which breaks the app I can use for remote starts, etc.
Maybe when the "Mega-Hack of 2025" happens and all IoT devices go nuclear something will change. But for now, if you buy a device it expects to be on one giant /24 and anything different creates problems. I'm starting to spend way more time than I want maintaining all the various pieces of networking glue that keeps my devices and home automation functioning. It's no longer fun, and I'm tired of fighting it.
I still have an ancient sleep number bed, with no connectivity. It's leaking, and old enough to drink. I'd like to replace it, but still can't bring myself to do it because of articles like this.
I've never felt more like Abe Simpson yelling at a cloud.
I mean it's not like sleep number can tell when you're having sex or sleeping or anything....
Er, I mean okay, well at least they're budget friendly....
Well at least they don't have an ssh server constantly running in the background or something
Either treat your devices as potentially hostile or simply don’t connect your bed to a network.
While 2.7.18 hasn't been updated since 2018, it's also the last version of Python 2.
I've got several programs stuck in 2.7.18, as they have sizable dependancies that never got updated to Python 3 -- unless I'm willing to rewrite several large Python packages, I'm stuck here forever. As long as the program isn't network connected, I don't see a problem with fixing a Python version, and set of packages, and leaving the software running forever.
Oh good catch, I thought python 2's depreciation was more recent, time flies I guess!
I’ve developed Linux devices selling that many units (and more) and I’m baffled that anyone would think this is a viable way to handle things at this scale.
Units like this should have a firmly read-only Linux firmware that can only be changed by signed updates. The only data you would actually get or modify is the diagnostic data or the contents of the settings. Both of those can be sent through mechanisms that shouldn’t require SSH access.
The correct way to handle this is with a debug info feature. Put something in the app that will zip up logs and configuration files and send them in for support, with the user’s explicit permission obviously. If you can’t figure it out from logs, you can use their config files to clone the situation on a device in the office.
The bigger issue is: Who are you going to task with SSHing into customer devices? With 100K or more people filing support requests, it would be insane to have engineers handling those requests with anything having to do with SSH. It would be equally insane to hand off access to customer support people and give them the keys to SSH into customer devices.
I agree that that is the gold standard. Having an immutable Linux that is well tested on your own hardware and upgraded like that.
At the time I inherited a system that had 30-50k units deployed and was updated via Debian/APT. Older units were running Ubuntu 10.04 (it was 2016) and were hopelessly outdated. We managed to pull every single device to Ubuntu 16.04 and designed a fully automated image based update mechanism for them (I've linked it in other posts). We tried for read only base systems, but it was too tricky, so images stayed read-write, with migration of configs across upgrades.
At the time, customers even had access via SSH (similar to NAS devices these days).
I think what you are describing works for well defined hardware with a medium complexity software stack, or at least something that is limited in terms of epipheral device usage.
The appliance I was managing was heavily using raided disk, ZFS, loops, dmsetup, and many other Linux tools that we have all seen fail in horrible ways.
Not having SSH access, and not being able to diagnose lockups or hanging progress (D state issues) in a live system would have severely crippled us in being able to fix these issues. Many of them I'm sure we would not have been able to. We had failing disks, slow disks, failing RAM, hanging loop devices, corrupt loop devices, hanging ZFS, hanging ZFS, hanging ZFS, many of its bugs we fixed upstream, and and and...
On top of that, we had a "bring your own device" product that literally allowed people to use whatever hardware they want. That makes the read only firmware thing ever trickier.
As said in the beginning, I agree with you in principle, but there are many cases in which it's not as black and white. And I can fully understand the rationale of providing remote access.
Side note: I would have never expected to be down voted on HN for expressing an opinion in a respectful manner about a subject that I have knowledge about, just because it is the "unpopular" opinion. On Reddit, I'd expect to be downvoted for something folks don't like, but on HN in thought the button is just for use against trolling and such.
Re your side note, yes this is the new HN. People use the downvote as a lazy "I disagree". On the plus side, that's mainly the people who tend to read and react within the first 30 to 60 minutes of a comment being posted. After that the votes usually right themselves.
I personally disagree with you, but I absolutely appreciate the perspective presented along with reasonable rationale.
The problem is it's gonna be a golden key system where everyone who's worked there for the last ten years has a copy
That is correct. But it is possible to design a system with short lived auth tokens/keys and frequent key rotation. I designed such a system at $oldjob for remote access (see [1]). Obviously there is always a risk, and there are always syseng/ops people with access. That is correct.
[1] https://blog.heckel.io/2019/11/19/providing-remote-access-to...
Nice write up and a lot of gotchas you encountered
If you sold it, you should not have remote access to it.
Auto-update is de facto isomorphic with remote access capability but that doesn't mean you should have a remote shell. At most, maaaaybe a way for the customer to enable a shell for developer support.
Otherwise, a/b setup to avoid remote bricking, DFU or whatever current standard for customer driven unbricking in exceptional cases. But really, test all the forward and reverse update cases and keep a handful of samples of all shipped hardware so you can make sure everything actually works, and you can figure out how to fix it when you mess it up. Always test upgrades starting from factory fresh with all the versions you ever shipped from the factory. (I've run into products where several updates in, version X would work or not based on the original version from the factory forever ago because of original config or something that didn't get migrated properly but never caused problems until recently).
If you have the ability to update firmware, you have the ability to add remote access whenever you like. You're already trusting the vendor either way.
That said, this current situation of an always-on SSH connection/backdoor is just begging to be exploited by an irate employee, curious intern, or worms. It's impossible to know what sort of safeguards the vendor has in place, if any.
Putting a lock on a nuke is good, but not building the nuke at all is better.
And I'm sure every one of those 100k devices has a unique ssh key right?
Surely you can see the problem.
Not just that's they have
- per session ssh keys that are valid for only 6 hours
- all ssh sessions are audit logged and have to go through jump servers tied to tech roles
- all sessions fully monitored via "script" and can be replayed
You can also see a write-up here: https://news.ycombinator.com/item?id=40840040
It does seem insane. But the support engineer having local network access after remoting in without the customers willing consent also seems insane. Its obviously there so they can fix these devices, but shortcuts made for engineers are such a common security risk.
Ideally you would have a backdoor on the device thats open only to the local network. User runs an app on their PC, provides willing consent for someone to complete a support task by providing an OTC to the engineer. App goes and discovers the device, and hosts the session for the engineer. If the user cant perform such a task they can probably buy a device with one button on it that will, or pay for a callout or return.
Yea, that part is insane. At this point it is safe to say that any non open source device that has access to you home network and the Internet can function as a backdoor. Not to be a conspiracy theorist, but I guarantee the CIA has a list of common devices with this feature that they can use to get local access in most houses.
This is what makes me suspicious about Chinese home products like govee and how cheap they are.
You're required to hard code in your SSID and Wi-Fi password. And they consistently beg for your location, despite having no need for it.
Now think about 3D printers like the Bambu. A machine tool that can self-combust.
Shades of Iranian centrifuges.
Really really light shades. Destroying a country's ability to produce weapons grade nuclear fuel vs potentially burning down a hacker's/tinkerer's house; I don't think these are any where near the same level
It's very similar. It's a nation state using exploits to target individuals. It doesn't really matter why they're doing it, they're promulgating an unsafe environment, simply to create convenience for intelligence agencies.
As if they're at a lack of options when it comes to addressing problems on the world stage like this. Stuxnet was both an exceptionally morally lazy and destructive act.
As an American citizen, I genuinely wish my government did NOT do that.
Stuxnet was written to target a very specific bit of equipment for a nefarious purpose. This is just lazy development with no security or as a total after thought or worse deliberate weakening. This is just the state of software development/management we live in now. I really feel one of us have misreading of the situation.
Except it didn't do that. It was found in dozens of networks in multiple countries. The vulnerabilities were discovered by other actors and used for other purposes.
The amount of collateral damage done here was far greater than the value of the initial operation. Importantly there were multiple different ways to achieve this particular outcome none of which required us to abuse vulnerabilities or release dangerous software to exploit them.
Yes, and I think it's morally backwards, and I regret it.
I simply refuse to accept the intelligence agency marketing view of this action. It was incorrect. There were other less morally conflicted ways to solve this "problem."
Citation needed. Even at 100% duty cycle the heated bed tops out at a stable, safe temperature. I know because I’ve struggled to keep it hot enough for certain materials.
Maybe you could argue that the hot end could be set to melt down, ignoring the built-in safety mechanisms, but thats a stretch for doing much more than breaking the printer due to the way it’s designed.
Regardless, if all of this still scares someone they can run it in local-only mode without internet access.
The Bambu printer fear mongering is ridiculous.
Actual citation: https://forum.prusa3d.com/forum/original-prusa-i3-mk3s-mk3-g... (read the whole thread and note the picture) https://www.thissmarthouse.net/dont-burn-your-house-down-3d-... some academic paper: https://www.researchgate.net/publication/313025688_CONSUMER_...
I suspect the biggest problems happen when users make their own mods and/or store their IPA or acetone next to the printer.
Simply noting that you have trouble getting a heated bed to stay hot does not mean that people's printers are not catching on fire.
But if you have to go out of your way to create a fire hazard, that's a different situation than the Chinese government having the ability to remotely cause fires in homes in towns across America.
oh believe me, american manufacturers are absolutely no better
They need it. Because of design choices by everyone involved, it's all gathered under the name "location Services", and they are necessary to get the product to work. I'm not sure if it's a bad name or not. Your phone's bluetooth and wifi can be used to locate where you are, so the backwards framing is that it's location services, which isn't a lie, but it's misleading. Because the operating system manufacturers are trying to simplify things for us, it's "location services", not GPS, wifi, bluetooth. An app with location services enabled could take your gps coordinates and beam them home to a foreign government, and it's entirely possible they do, but because of how manufacturers have decided to name things so as to not confuse consumers, apps need "location services" to use bluetooth/change wifi.
Up until very recently all products wanting to use Bluetooth LE required the location permission because BLE beacons and similar can and we're used for location triangulation. It was a marketed feature of beacons that they could track your position down to the aisle in a store and potentially advertise to you if you walked past specific stores. There's finally a separate permission for it but it can still be used to determine your location.
Why are you assuming that only non open source devices are vulnerable? We've seen enough open source vulnerabilities in broad daylight to know that open source does not mean secure.
You have it backwards. They're assuming non-open source is backdoor'ed. Not that open source isn't backdoor'ed.
I don't have it backwards. That is what I said. They are assuming non open source is backdoored. That does not mean open source is not also backdoored.
No, you you said
Yes, the word "only" is causing the confusion.
Open source is auditable, and tends to get fixed.
I don't think you can say it tends to get fixed because you don't know the ratio between the number of vulnerabilities and the ones that get fixed. Closed source can also be audited. Auditing code for companies is an entire business model.
I wouldn’t consider that a conspiracy theory, I would consider it common sense that an intelligence agency has a list of common potential sources of intelligence.
In fact it would be extremely surprising if they didn’t have that list.
This was the most interesting point for me, and I assume most of my IOT type shit has this functionality.
some of the newer WiFi setups have an IoT subnet that works like a guest network.
Worth using if your gear has it.
For those who know their stuff, setting up a dedicated VLAN for IoT and putting devices in it based on MAC addresses (allow or disallow lists) is a solid option as well and fun to learn.
I have a separate IOT vlan, but ensuring things like AirPlay work correctly is really, really, really annoying.
if my iot bed can talk to my iot camera, that's still not great. better than it talking to my NAS or laptop I suppose though
Sometimes this type of guest network can provide device isolation: devices can talk to the open internet, but not to anything else on the LAN.
you absolutely need to do this. we call it the "internet of shit VLAN".
This takes on extra meaning when you consider my internet-connected automatic cat litter box.
I don't even want these devices making outgoing connections to the internet. I have my router drop all outgoing connection attempts from my IOT vlan. I can connect to the cameras etc on there from other VLANs but that's the only way packets get out.
I created 3 new firewall rules after reading this comment.
In my book if your setup grants access to anyone on your network then it was already insecure. Your wifi is too big a perimeter to defend; lock down the stuff you care about instead.