Pretty wild. I used to have one of these beds, but it was before everything got "smart". It had two corded controller's hooked up to the pump. The controller displays the number and had up/down arrow buttons to adjust.
No internet required.
No Linux powered microcontroller required.
My bed couldn't get hacked.
I slept in comfort.
What I’m trying to teach myself to do whenever I think “this is ridiculous overcomplexity” is to imagine whose life it might make simpler.
Let’s assume I have some sort of motor disability: it could be anything from Parkinsons to quadraplegia. Having a bridge out to a common controller that maybe works on speech or some other standardised input method that works for your disability is a massive benefit. And avoids having to deal with the complexities of each individual products’ inability to meet your own accessibility needs in different ways.
So much smart home stuff is basically pointless to those of us fortunate enough to have currently able bodies, and a lifesaver to the rest.
You certainly don't need a cloud defaulted device in order to do what you describe. There are plenty of assistants, Google and Alexa being two, that can talk to things on your local network with a REST API. That controller also has a gig of memory, plenty enough to run a little API.
What manufacturers like about cloud enabled devices is that they can automatically upgrade the firmware and they can get semi-accurate counts for usage.
I think this goes right back to the parent's point.
I presume you personally could set that up. I probably could too. But 99% of the world isn't tech experts and can't do that. Or fix it if something goes wrong. Even if you can, you might just want to go to bed and not have to debug a broken assistant integration first.
The benefit of cloud integration, for that 99%, is that there is a professional out there to keep it working.
Maybe. My point is that there wasn't really an attempt at solving those things locally first. They just went straight to cloud with the reasoning you mentioned.
A friend of mine spent $10k on a sleep number bed a couple years ago. I'm not sure I could ever get a restful night sleep again on a $10k bed, thinking about the cost! ;)
I got a fancy new one a bit later with an adjustable frame and remote control and all that... $2200, and even that felt crazy expensive!
1. That's exactly why I prefer a plain old analog mattress that needs zero tech or support from anyone ever
2. Even with that being the case, for the average consumer who wants an electronic/controllable bed, it's still a better deal than anything that requires a custom home automation setup. Check out the prices for hiring somebody who can actually troubleshoot that.
> What manufacturers like about cloud enabled devices is that they can automatically upgrade the firmware and they can get semi-accurate counts for usage.
What they like is that they can charge you a recurring subscription for "service"
> What I’m trying to teach myself to do whenever I think “this is ridiculous overcomplexity” is to imagine whose life it might make simpler.
I prefer to think "How can this be used against someone" because while there are a lot of "smart" devices that can help people, they are often also being used to exploit those same people by collecting massive amounts of data and using that data against them or selling/leaking it to those who will use it against them, or allowing hackers to gain access to their data/network.
People with a disability or those with accessibility needs shouldn't need to give up their right to privacy or security to take advantage of every technological advance that might make their lives easier. Even people without a disability don't need some company collecting a detailed record of when/how often/how long they have sex, or how many nights they sleep alone, or what days/hours they spend in bed, or what times they go to sleep or how much sleep they get.
Devices should be designed to protect users and not to collect as much data as possible, or push ads, or expose them to hackers.
Have you considered talking to people instead of imagining their response? Because regular people seem kind of fed up, and we're still over here cramming insecure computers into everything.
Those outside of tech could not care less about anything discussed on this forum.
They may care in a passive sense -- the same way that most people care about social causes. They (myself included) agree that some situation is bad, but they don't inconvenience themselves improve the situation.
As an example, many people have some story about creepily being shown ads after talking about something with a friend. It's concerning to them, but no action is taken.
I'm currently recovering from some foot and knee injuries that seriously limited my mobility for the past few weeks, the fact that I can adjust my thermostat from my phone has been a Godsend.
This is a nice point that is often missed in the cacophony of complaints about complexity. If companies are not simply leveraging complexity for the sake of profit, restricted use or repair, etc. then these complaints, as feedback, should still be worthwhile in order to employ complexity.
Extending this idea to how devices operate or are maintained it seems like we're still in a nascent stage. I benefit from a few smart devices but even in a very simple setup, things fail sometimes and then I have to fix it. My mom might benefit from some of these things but she feels better off foregoing the benefits because resolving any issue would be far more costly or impractical.
That's all well and good until it's smothered in surveillance capitalist garbage. There's a thin veneer of helping the disadvantaged/vulnerable group du jour that is used to justify abusing everyone that interacts with it. You see the same crap with "think of the children" panic.
Unless these devices respect their users, they're simply profiteering off of the disadvantaged, which in my mind should be just as rage inducing.
This line of thinking is similar to "wont someone think of the children!" where harmful things are done in the name of good and designed so fighting them puts one in a precarious position.
A bridge to a common controller doesn't need an applications processor with millions of bytes of memory to run millions of lines of code to change the firmness of a stupid mattress. Stop using hammers to solve all your problems, other tools exist.
This is the kind of bed I would buy. Imagine having to buy a bed with access for Wi-Fi. That’s crazy because that’s more hardware needed than just plugging the freaking thing in the wall.
>The hub communicates with the Sleep Number servers by opening an SSH tunnel and providing a reverse tunnel back to the hub that their developers can use to connect to the hub and do maintenance when needed.
Kinda interested just to see what the parameters of this are like. Is it using PubkeyAuth or just password? Is it tunnelling home via ip or dns?
If everything is just right, I can imagine the setup for the most hilarious DNS hijack in human history.
In the immortal words of Homer Simpson. Bed goes up. Bed goes down.
Wired: Since Sleep Number beds get tied to orders, break into Sleep Number, find your target, SSH into their bed, and pivot into their home network to steal their crypto wallets.
After all, everyone always hides their money under their mattress ;)
I am not a crypto bro but was the victim of a sim swap attack recently. It was really annoying but at the same time kind of funny because they literally only went after the 2FA app (Authy) once they stole my number, which thankfully didn't have anything meaningful attached to it.
>The hub communicates with the Sleep Number servers by opening an SSH tunnel and providing a reverse tunnel back to the hub that their developers can use to connect to the hub and do maintenance when needed.
Shouldn't bed owners sue them if they haven't been warned of that fact prior to purchase? Getting illegitimate access to your network and backdooring it is criminal offense right?
T&C being enforceable and acknowledged by court systems is a true failure of modern society. There should be a hard character limit on any enforceable T&C agreed to by individuals.
Of all the possible timelines, we live in the dumbest. What was wrong with a plain old bed without 1GB of RAM and a full OS running on it?! It is the same everywhere. Finding a washing machine that was not WiFi-connected was a chore and I dread doing it again in ten years.
As a person who's broken into O(1000) "smart" devices (for fun and for profit both), I do not want them in my house, and avoiding them is getting harder due to insanity like this linux-running bed! Please make it stop!
A bed doesn't have to be complicated. Why in my day, we got shit done on beds with only a Z80 and 32K of RAM. I remember when I bought my first bed with cooperative multitasking - a red letter day! And double density duvets were a game changer. But I don't miss traipsing down to the public library with a blank vinyl record to get the soft wear updates - and if you forgot, you got bed bugs!
And this is another lame "insightful" meme. I work with plenty of cybersecurity people and they have plenty of smart devices. They're the ones with Home Assistant setups and ESPHome flashable hardware on they're own internet isolated wifi.
Which is in fact a standard feature on many consumer routers now.
What we're missing is a "local only" directive from the EU to get manufacturers to play ball for the common man.
We're in the era of measuring yourself for better outcomes. A century ago we figured out antibiotics. Big gains. Then we figured out a lot of other pretty obvious diseases with pretty obvious cures.
Now we're down to the complicated subtle things. This bed is running Linux so it can tell you how you slept. If you're sleeping poorly it has all sorts of mostly mild negative effects. If you know about them you can do things to fix them. It's doing a low-grade sleep study on you every night. That can be valuable information.
>avoiding them is getting harder due to insanity like this linux-running bed
Sleep Number beds cost several thousand dollars, I think you'll be able to avoid them just fine.
> Now we're down to the complicated subtle things.
Totally false. Any gains from micro optimizing people's sleep are wiped out by the constant mind pollution of social media. We are in an era of constant distraction.
That's a non-sequitur, and also not necessarily true?
For one, if you sincerely believe that social media is "mind pollution" then I don't see how sleep optimization is responsible. If someone has an unhealthy relationship with social media and invests in a more comfortable bed to keep themselves off their phone at night, isn't that a net win?
And for two, the minority of people in my circle even use social media. If you legitimately struggle with it, you can cut it out of your lifestyle without significant physiological impairment. You might live in an era of constant distraction, but many of us find it simple to cut-out external noise and simply exist. Mind pollution a-la tabloids and TMZ has existed for a long time, and social media isn't even it's zenith.
I feel the same way -- the silver lining is that it's helped push me to buying older / used / more maintainable stuff for a fraction of the price, all the while learning a little here and there about minor repairs for older electronics. This is a big win for the pocketbook and gratifying to keep something out of the landfill.
Reduce / reuse / recycle -- in order of importance.
"man, i tried going to bed last night, but it was a BSOD so I had to reboot it, but then it needed 45 minutes of OS updates before I could get in the bed."
seems like a pretty good torture on multiple levels
"before you go to bed you must acknowledge our updated terms of service. Please bear in mind, that our newly added AI engine will process all the thoughts you have during your sleep. Images you see will be stored in the cloud and allowed for further processing by us"
what would be a better way to design this that is cheap and updatable? Specialized hardware is riskier to build, b/c bugs would require a complete reprint.
Smart temperature and softness adaptation for different regions? Sleep stats of your positions, maybe combined with some deep sleep stats? I mean, there are options
The old Sleep Number beds were not smart, they worked fine. I think people want to drown in useless data these days trying to "fix" their sleep when the reality is its their job or high stress causing sleep issues.
How does a PIC12F509 connect via bluetooth to talk to an app for the consumer to configure things? How does it connect to wifi to talk to a server to save data to? Like it or not, an app to configure the device instead of the device having a VCR remote control to program in schedules is what consumers have gotten used to these days. If you think there's room in the market for a sleep pad that doesn't talk to the cloud, you're welcome to try, but mass market consumers have come to expect more from products.
>Like it or not, an app to configure the device instead of the device having a VCR remote control to program in schedules is what consumers have gotten used to these days.
No?? When was the last time you spoke to another human being about this topic? Has any other person in your life seriously told you that they like having to download a smartphone app to set up their soundbar? Have you managed to fully insulate yourself from the broader world with a circle of dead-eyed freaks that gleefully spend their free nights registering their appliances online and reading end-user license agreements?
I hate the app+cloud garbage as much as you, but have you considered how a VCR would be programmed today? Take your universal touchscreen device out of your pocket, select the VCR app, get a list of programms for the next weeks, touch the one you want to record (or do a full text search), select if you want to record this episode, all, or a certain set.
In the past, you needed to first buy this weeks TV magazine. Or if you got it by mail, find it between all the other magazines. Then, skip all the ads and find the schedule, in there find the program you're looking for. Now you either need to figure out the exact time slot the program airs, or some EPG code. This data now needs to be entered into the VCR. Either find the remote, or knee in front of the device. Enter the code using a rotary encoder, digits 0-9 and a few buttons, or a mixture thereof.
In both cases you need to set the receiver to the correct program before leaving the house, else the SCART-connected VCR wouldn't get the video signal. Also you'd need to hope the EPG sent by the station is updated properly - we often had some part of the recording missing, or the recording started to soon/stopped to late. I hope you did put in the correct tape and remembered to rewind it. (I'm ignoring that a modern "VCR" would store the video in the cloud and not need all of this; or a hybrid would at least get the video stream via IPTV and put it on a HDD).
Try speaking to other humans about this topic, they don't want these "good old times" back.
Also, apps suck because they are mostly always horribly made (they don't need be, but they often are, because the product needs to be cheap); and I hate being forced to use the cloud and have my hardware not work anymore after 5 years because someone decided their Amazon bill is becoming too expensive. Did I mention I don't want my data to be sold to virtually everyone - errr, I mean "shared with partners"? So I either buy things with local control, or no smarts at all.
I just had to pick the start time, the end time, and the channel the VCR need to be on to record. If i wanted to be fancy, I could pick the tape speed as well. VCR did the rest, as long as the time was correct (but really I just recorded for a minute or two on either side.)
Program guide was always in the sunday newspaper as its own booklet or in the daily newspaper.
I conjecture that mass market consumers have come to expect this because it's been pushed down their throats for the last ten years by rampant rent-seeking. Who is really asking for an internet-connected bed for goodness' sake??
but but but, we need to see all of that data about your sleeping patterns so we can adjust settings to make you even more comfy. are you getting too hot? we'll cool down the temp for you. getting too cold? we'll heat it up. starting to snore, we'll automatically incline you to change your positioning.
of course we'll also sell all of that data so we can send you an ad for new bamboo sheets to keep you cool. or any thing else from anyone else that offers us money for the data
I despise the modern "smart" device and actively look for "dumb" things, but if it's going to have a BLE chip in it, it needs to be updateable to fix vulnerabilities. There are mountains of devices from earlier years that are basically wide open radios now because of this.
Personally I'd much rather the damn thing just have a built-in display with hardware controls.
Sounds like the problem isn't Linux, it's insecure development practices. As mentioned in sibling comment, Linux development is far easier to hire for, iterate on, develop updating mechanisms for, etc - specialized embedded development is less popular.
> Sounds like the problem isn't Linux, it's insecure development practices.
No, it's making devices "smart". There doesn't need to be a wifi-connected computer inside a washing machine, cooker, or fridge. In fact all these things can run without a computer in them at all, and they're arguably better for it.
It’s not always demand. Lots of people don’t want smart TVs, but that’s too bad. The smart TVs are subsidized to manufacture because the software can put more advertising on, which makes it a supply-side issue.
If the people who wanted dumb TVs didn’t want smart TVs *enough*, they wouldn’t buy them - the reason it still works is because people just buy smart TVs and don’t use the smart features. So it’s still a demand problem - demand hasn’t dropped enough!
But you’re right - demand != desires of consumers. But they’re going to optimize for what people buy, not what they want or say they want.
Funny part to me is that I fully assumed that this was a post about hacking Eight Sleep beds by someone who didn't want to explicitly name the company, presumably for vague legal reasons.
Then I got to a picture of an apparently real "Number Sleep Hub" and my mind was blown. WTF are we in a timeline so weird that there are two companies making water cooled beds, one is called Eight Sleep and the other is Sleep Number? It's like the RNG for this instance had a bad seed.
Sleep Number gets its name from the firmness controls on their mattress. You pick your "sleep number" and your partner picks theirs on the other side of the bed.
You assume it's a funny coincidence, I'd say Eight Sleep picked a name that as a easy to confuse with Sleep Number as they could without getting immediately sued.
Sleep Number the brand has been around I think since the 80s? Never had one personally but definitely an old brand though maybe if you are not in the US you would never have heard of them.
I get your point but is there a significantly cheaper alternative? As far as DIY goes, I don't think I'd be able to replicate a "Sleep Number" bed with my air mattress and foam.
I was forced to buy one against my will. The new models are significantly better than they once were and it feels like a regular bed now rather then two air mattresses with some loosely arranged foam dividers. They've dumbed down the app and made the data reporting worse but it used to give decent stats on breath and heart rates.
I had never heard of either so thought the title was a metaphor for "how to get root access to your brain to improve sleep quality"
I sure hope these beds have tactile controls you can feel and use in the dark, and don't require pulling out a smartphone in front of your face while trying to sleep to adjust them, because bed/matress manufacturers for sure must know what is good and bad for sleep quality
I agree the interface should be simple to operate in the dark without being blinding, but I’m left wondering how common late-night adjustments are. I imagine it tends to be pretty “set it and forget it” for most people.
There's also BedJet, who makes a fancy-pants bed blower for between your sheets. It's running on an esp32 inside of itself to control the heater and the blower and the remote control, but they didn't quite make it as smart as I'd like.
There's a similar method to get into an Eight Sleep Pod 3 [0]. This requires less extra hardware though since some models come with a MicroSD card that you can modify. The method used in TFA might be a good way to get root on Pods without the card. That being said, I just learned that while Eight Sleep does sign their firmware updates, they also send you the private key used to sign the update in the same package.
Ironically this makes me more likely to buy one. If I can make the smart thing local and/or home assistant controlled, and kill their internet connectivity... I'm thinking that isn't so bad.
Don't get me wrong $2-4k is steep, but if it's a one-time for a decade or so, that's reasonable. But $4k plus you want $25/mo? Just fluff right off.
I'm interested if anyone has pulled the same thing with eight sleep. Not having access to control my bed's temperature because my internet is out bothers me deeply.
No it's actually 2-3k+ usd. I had done some cursory considering of it over the past few months because it seems like a potentially reasonable solution to a real problem I struggle with.
But yeah part of it is like, it's really weird. If you asked me how much consistently better sleep would be worth, the answer is how much do you want?
But phrase that as "Bed as a service" and my reflex is "you're kidding, righr?"
What problem are you trying to solve if you don’t mind sharing. It sounds like you’re paying for sleep tracking but couldn’t you just do that with something else like an Apple Watch?
They run cooled/heated water through them, the idea being that temperature can trigger / lengthen certain phases of sleep. Think getting into a warm bed that gets colder as you go into deep sleep, and then when the night is done warms up again for wakeup. In my case, it seems to work really well, but I have the same resistance/frustration with the ongoing subscription.
It shouldn't be too complicated for a motivated hobbyist/hacker to retrofit it to run it with some custom DIY hardware eschewing the subscription need completely.
After all, it is just a couple of pumps, a heat pump and/or a resistance and some sensors.
I was going to buy an Eight Sleep and then I immediately lost interest when I realized they pull this shit. If I'm paying you over $1000 for a mattress cover, I'm not paying you "rent" money just so the thing will work.
I slept on inflatable mattresses for years, until the company making them started outsourcing to China and the seams on the internal baffles broke on two mattresses.
> r: Following this guide will require modifying internal files on your Sleep Number hub. This will void your warranty
People, stop spreading this BS.
Just like those stickers that say "warranty void if removed" are not legally enforceable, nothing "automatically" invalidates your product's warranty except misuse or poor maintenance.
If your Smart Bed stops working, you having poked around in the controller does not relieve the manufacturer from their warranty obligations (including implied warranty.) The onus is on them to prove that you damaged it, subjected it to "unreasonable" use, or did not properly maintain it.
You fry the bed's brain trying to hook up a JTAG when you accidentally bridge 5V to a 3.3V logic circuit? That's on you.
The controller fails because the power supply blows? The fact that you installed a JTAG header, googly eyes, and painted it pink is irrelevant. They need to fix your shit.
Even if you modify the firmware, it's on them to prove your modifications caused the failure.
Would you expect to have your laptop's warranty invalidated because you use it to game (which generates lot of heat)? Of course not. How about if you install Firefox? Or install Linux? Again, of course not. So why do you think the rules change just because a device is "dumber"?
There's a difference between law on paper and law in practice. If the manufacturer refuses to honor the warranty, there's very little customers can do.
Do they really detect heart rate through pressure sensors? That seems like it'd have so much noise the data would be unusable.
Edit: Looks like they couple it with some fancy statistical analysis to get accurate enough data. Interesting
If you want to peek into consumer or any electronics.. probe with a signal analyzer for the usual suspects: RS-232 (TTL-levels, CMOS-levels, and serial-levels), JTAG, SPI, and I2C.
First, probe header pins and test points (rows of pads not meant for components) before probing around other components.
PSA: If you're designing a PCB for hand-testing, save money by eliminating connectors with tag connect plug of nails. They're also compatible with automated board testing.
With climate change and our general impact on environment worsening each year, our relationship with technology is starting to be like a big elephant in the room. Do people really think a sustainable and equitable society is possible while having microprocessors and telecommunication devices in beds ?
This kind of luxury will always be reserved to the wealthiest in society, and its availability dependent on the relentless exploitation of land and human beings.
I empathize with what you're saying, but "we shouldn't have things people want" is a solution to climate change in the same way that "we shouldn't have gravity" is a solution to air travel. It's not gonna work. Find another approach.
It's an overpriced bed with a tiny computer in it. It uses the same resources as a cheap bed + a tiny computer and lots of people have those. There's no extra exploitation going on here, these beds are just expensive because they're paying a bunch of engineers to do questionably necessary things.
The problem with activists is so many of them are foolish and just like complaining about things. Go find an actual problem to solve.
Puritan morality is so deeply embedded in our culture people don't even realise they're repeating it.
If I told them they couldn't have a coal-fired home blacksmithing setup "for the environment" then this would seem unfair.
But a 10c microchip? Suddenly this must be evidence of excess! (Even though the price represents that fact that it's a staggeringly efficient use of resources that also has supply-swappable carbon impact).
Buried lede: “What I did find was a "convenient" backdoor that Sleep Number can use to SSH back into the hub (and my internal home network as a result).”
Devil's advocate. As someone who has developed a Linux based appliance with over 100k live units across the globe, it seems insane to NOT have access to the thing you're selling and that you have to maintain. If your thing breaks or gets bricked by an update, you will call support and expect them to fix it. You don't want to send in your device or have a support technician come to your house to fix it.
So yes, to the conspiracy theorists it may look like a secret backdoor -- it sorta is. But in many cases I bet it's just a safety net for developers and support to fix things.
I speak for myself and my own experience working for $oldjob. Other companies or countries may of course use this differently. And of course companies get sold and such so you'll never know.
> As someone who has developed a Linux based appliance with over 100k live units across the globe, it seems insane to NOT have access to the thing you're selling and that you have to maintain.
I’ve developed Linux devices selling that many units (and more) and I’m baffled that anyone would think this is a viable way to handle things at this scale.
Units like this should have a firmly read-only Linux firmware that can only be changed by signed updates. The only data you would actually get or modify is the diagnostic data or the contents of the settings. Both of those can be sent through mechanisms that shouldn’t require SSH access.
The correct way to handle this is with a debug info feature. Put something in the app that will zip up logs and configuration files and send them in for support, with the user’s explicit permission obviously. If you can’t figure it out from logs, you can use their config files to clone the situation on a device in the office.
The bigger issue is: Who are you going to task with SSHing into customer devices? With 100K or more people filing support requests, it would be insane to have engineers handling those requests with anything having to do with SSH. It would be equally insane to hand off access to customer support people and give them the keys to SSH into customer devices.
I agree that that is the gold standard. Having an immutable Linux that is well tested on your own hardware and upgraded like that.
At the time I inherited a system that had 30-50k units deployed and was updated via Debian/APT. Older units were running Ubuntu 10.04 (it was 2016) and were hopelessly outdated. We managed to pull every single device to Ubuntu 16.04 and designed a fully automated image based update mechanism for them (I've linked it in other posts). We tried for read only base systems, but it was too tricky, so images stayed read-write, with migration of configs across upgrades.
At the time, customers even had access via SSH (similar to NAS devices these days).
I think what you are describing works for well defined hardware with a medium complexity software stack, or at least something that is limited in terms of epipheral device usage.
The appliance I was managing was heavily using raided disk, ZFS, loops, dmsetup, and many other Linux tools that we have all seen fail in horrible ways.
Not having SSH access, and not being able to diagnose lockups or hanging progress (D state issues) in a live system would have severely crippled us in being able to fix these issues. Many of them I'm sure we would not have been able to. We had failing disks, slow disks, failing RAM, hanging loop devices, corrupt loop devices, hanging ZFS, hanging ZFS, hanging ZFS, many of its bugs we fixed upstream, and and and...
On top of that, we had a "bring your own device" product that literally allowed people to use whatever hardware they want. That makes the read only firmware thing ever trickier.
As said in the beginning, I agree with you in principle, but there are many cases in which it's not as black and white. And I can fully understand the rationale of providing remote access.
Side note: I would have never expected to be down voted on HN for expressing an opinion in a respectful manner about a subject that I have knowledge about, just because it is the "unpopular" opinion. On Reddit, I'd expect to be downvoted for something folks don't like, but on HN in thought the button is just for use against trolling and such.
Re your side note, yes this is the new HN. People use the downvote as a lazy "I disagree". On the plus side, that's mainly the people who tend to read and react within the first 30 to 60 minutes of a comment being posted. After that the votes usually right themselves.
If you sold it, you should not have remote access to it.
Auto-update is de facto isomorphic with remote access capability but that doesn't mean you should have a remote shell. At most, maaaaybe a way for the customer to enable a shell for developer support.
Otherwise, a/b setup to avoid remote bricking, DFU or whatever current standard for customer driven unbricking in exceptional cases. But really, test all the forward and reverse update cases and keep a handful of samples of all shipped hardware so you can make sure everything actually works, and you can figure out how to fix it when you mess it up. Always test upgrades starting from factory fresh with all the versions you ever shipped from the factory. (I've run into products where several updates in, version X would work or not based on the original version from the factory forever ago because of original config or something that didn't get migrated properly but never caused problems until recently).
If you have the ability to update firmware, you have the ability to add remote access whenever you like. You're already trusting the vendor either way.
That said, this current situation of an always-on SSH connection/backdoor is just begging to be exploited by an irate employee, curious intern, or worms. It's impossible to know what sort of safeguards the vendor has in place, if any.
Putting a lock on a nuke is good, but not building the nuke at all is better.
That is correct. But it is possible to design a system with short lived auth tokens/keys and frequent key rotation. I designed such a system at $oldjob for remote access (see [1]). Obviously there is always a risk, and there are always syseng/ops people with access. That is correct.
That's a fair argument, but it doesn't appear that that updates are high on sleep number's priority list:
> The hub includes Python 2.7.18. While extremely old (keep in mind the Hub appears to have been last updated in 2018)
If we give them the benefit of the doubt, perhaps they intended to to keep it up to date but ultimately compaines need to either be transparent about their remote access and manage it responsibly, which includes keeping the system patched, or give up access
I am not defending them for not keeping their stuff up-to-date, but it is very common practice for embedded systems to be hopelessly outdated. I've done what OP describes with IPMI/BMC systems for $mainboardmanufacturer1 and $mainboardmanufacturer2 (both really big name brands), and their BMC systems were equally outdated. It was almost comical, but really sad at the same time.
Moral of the story is to firewall things off really well, I suppose.
At $oldjob, I designed an upgrade mechanism to do A/B image updates so things were always up to date, or at 2-3 weeks out of date. See [1].
For small embedded systems that do not have enough space/bandwidth, this may not be feasible though.
Even if it didn’t have the intentional backdoor… you probably should be treating it as hostile anyway.
Even where not intentionally hostile, not intentionally privacy invading, not trying to fetch updates so it can show you more ads, not… most of this stuff is so hopelessly out-of-date and full of security vulnerabilities it’s only not hostile out of luck.
I don’t connect anything to WiFi unless absolutely necessary. And by that I don’t mean “the device demands it” (I just won’t buy the damn thing) but “it’s a core part of the functionality I’m asking of it”. I’ll prefer zwave/zigbee, Bluetooth, or something else wherever possible when communication is required. (If I were forced to use this bed and it had no manual controls I would definitely have used Bluetooth, avoiding this whole issue.)
And even for the devices that do get a WiFi connection… they run entirely isolated, on a separate SSID and VLAN from my normal devices and traffic, and with a whitelist for what traffic is allowed.
As far as I’m concerned the only difference between this bed and the other devices is that we know about the issues with this bed. We have no reason to believe that the other devices are any better, and in fact a pretty large body of evidence suggesting that they’re probably not.
> And even for the devices that do get a WiFi connection… they run entirely isolated, on a separate SSID and VLAN from my normal devices and traffic, and with a whitelist for what traffic is allowed.
This is what I do today, and honestly I'm about to give up. We lost. Trying to get stuff like airplay / DLNA to work via mDNS is already impossible across subnets, and telling family to switch networks if they want to control X with their phones is just a shit solution. I have to disable 90% of my vehicle's "infotainment" screen to not feel spied upon, and which breaks the app I can use for remote starts, etc.
Maybe when the "Mega-Hack of 2025" happens and all IoT devices go nuclear something will change. But for now, if you buy a device it expects to be on one giant /24 and anything different creates problems. I'm starting to spend way more time than I want maintaining all the various pieces of networking glue that keeps my devices and home automation functioning. It's no longer fun, and I'm tired of fighting it.
I still have an ancient sleep number bed, with no connectivity. It's leaking, and old enough to drink. I'd like to replace it, but still can't bring myself to do it because of articles like this.
I've never felt more like Abe Simpson yelling at a cloud.
> This is what I do today, and honestly I'm about to give up. We lost. Trying to get stuff like airplay / DLNA to work via mDNS is already impossible across subnets, and telling family to switch networks if they want to control X with their phones is just a shit solution. I have to disable 90% of my vehicle's "infotainment" screen to not feel spied upon, and which breaks the app I can use for remote starts, etc.
I guess I never really specified, but I was only referring to "this random IoT/embedded crap" when I said devices.
My main network has all of our computers, phones, tablets, etc. None of it is really restricted or isolated for the reasons you mention.
The main network _also_ has things like the Apple TV. On the balance, it's (1) a device from a reputable vendor that (2) gets regular patches and updates and (3) would be an absolute pain in the dick to isolate.
(The whole reason I own the Apple TV in the first place is because I was never going to hook the Smart TV crap up to the network because I have zero trust that it will be secure or receive useful updates (I'm sure they'll find a way to shove more ads in it...) and it works fine as a TV without it.)
If I were to try and boil this sort of intuitive sense down to a somewhat useful heuristic... if it has a keyboard or has somewhere I can plug one in it's probably going on the main network by default.
My isolated network (well, networks) are for everything else.
There's one for my IP cameras that has no external routing. It only allows communication from Blue Iris to individual cameras and vice-versa. These are all cheap cameras full of security holes and a compromise has a high impact on my privacy (someone literally watching me in my house). Additionally, since most of them are wired this provides some protection against somebody pulling a camera off my wall and connecting a different device to that cable.
Another is for my home automation stuff. I've managed to build it out almost entirely with zwave, but there are still a few things on wifi. This also has no external routing, only allowing communication between Home Assistant and devices. I didn't achieve this by carefully curating firewall rules, but carefully choosing what I purchased. When I needed an air quality monitor, I ended up buying from a less well-known German company at a higher price specifically because "operating with no internet connection or app" was one of their supported use cases. Generally, anything that Home Assistant lists as needing the manufacturer's API for the integration just gets no further consideration.
Not to get too engineering-manager-y, but look at each risk in terms of the likelihood, impact, and effort to mitigate:
- The likelihood of the Apple TV being compromised is pretty low. The impact if it were is maybe moderate, everything within the network is still _secure_ in other ways. The effort to mitigate this through network isolation (as you're saying) is very high. Screw it, main network. We'll mitigate as much as we can ensuring that updates are being installed.
- The likelihood of one of our computers being compromised is moderate. The impact to the network is moderate. The effort to mitigate this through network isolation is, again, very high.
- The likelihood of this $20 Chinese IP camera being chock full of vulnerabilities is 100% (I've found vulnerabilities myself!). The impact is very high (someone watching me in my home). The effort to mitigate is very minimal (totally isolate from the network and greater internet, use my own DVR instead of their broken mobile app and cloud service). It's getting isolated.
- The likelihood of this wifi door lock being insecure is pretty high (though the likelihood of it being compromised by someone with physical access to my house is low). The impact is moderate. The effort to mitigate by buying a zwave lock instead is... pretty near nil. Risk avoided entirely!
As far as effort and risk, this strikes the right balance for me. It may or may not for you. The only advice I'd give is don't let the perfect be the enemy of the good. Don't burn yourself out chasing perfect and fall back to "bad" if "good enough" is an option.
While 2.7.18 hasn't been updated since 2018, it's also the last version of Python 2.
I've got several programs stuck in 2.7.18, as they have sizable dependancies that never got updated to Python 3 -- unless I'm willing to rewrite several large Python packages, I'm stuck here forever. As long as the program isn't network connected, I don't see a problem with fixing a Python version, and set of packages, and leaving the software running forever.
It does seem insane. But the support engineer having local network access after remoting in without the customers willing consent also seems insane. Its obviously there so they can fix these devices, but shortcuts made for engineers are such a common security risk.
Ideally you would have a backdoor on the device thats open only to the local network. User runs an app on their PC, provides willing consent for someone to complete a support task by providing an OTC to the engineer. App goes and discovers the device, and hosts the session for the engineer. If the user cant perform such a task they can probably buy a device with one button on it that will, or pay for a callout or return.
In my book if your setup grants access to anyone on your network then it was already insecure. Your wifi is too big a perimeter to defend; lock down the stuff you care about instead.
Yea, that part is insane. At this point it is safe to say that any non open source device that has access to you home network and the Internet can function as a backdoor. Not to be a conspiracy theorist, but I guarantee the CIA has a list of common devices with this feature that they can use to get local access in most houses.
Up until very recently all products wanting to use Bluetooth LE required the ___location permission because BLE beacons and similar can and we're used for ___location triangulation. It was a marketed feature of beacons that they could track your position down to the aisle in a store and potentially advertise to you if you walked past specific stores. There's finally a separate permission for it but it can still be used to determine your ___location.
Really really light shades. Destroying a country's ability to produce weapons grade nuclear fuel vs potentially burning down a hacker's/tinkerer's house; I don't think these are any where near the same level
It's very similar. It's a nation state using exploits to target individuals. It doesn't really matter why they're doing it, they're promulgating an unsafe environment, simply to create convenience for intelligence agencies.
As if they're at a lack of options when it comes to addressing problems on the world stage like this. Stuxnet was both an exceptionally morally lazy and destructive act.
As an American citizen, I genuinely wish my government did NOT do that.
Stuxnet was written to target a very specific bit of equipment for a nefarious purpose. This is just lazy development with no security or as a total after thought or worse deliberate weakening. This is just the state of software development/management we live in now. I really feel one of us have misreading of the situation.
> Stuxnet was written to target a very specific bit of equipment for a nefarious purpose
Except it didn't do that. It was found in dozens of networks in multiple countries. The vulnerabilities were discovered by other actors and used for other purposes.
The amount of collateral damage done here was far greater than the value of the initial operation. Importantly there were multiple different ways to achieve this particular outcome none of which required us to abuse vulnerabilities or release dangerous software to exploit them.
> This is just the state of software development/management we live in now.
Yes, and I think it's morally backwards, and I regret it.
> I really feel one of us have misreading of the situation.
I simply refuse to accept the intelligence agency marketing view of this action. It was incorrect. There were other less morally conflicted ways to solve this "problem."
Citation needed. Even at 100% duty cycle the heated bed tops out at a stable, safe temperature. I know because I’ve struggled to keep it hot enough for certain materials.
Maybe you could argue that the hot end could be set to melt down, ignoring the built-in safety mechanisms, but thats a stretch for doing much more than breaking the printer due to the way it’s designed.
Regardless, if all of this still scares someone they can run it in local-only mode without internet access.
But if you have to go out of your way to create a fire hazard, that's a different situation than the Chinese government having the ability to remotely cause fires in homes in towns across America.
They need it. Because of design choices by everyone involved, it's all gathered under the name "___location Services", and they are necessary to get the product to work. I'm not sure if it's a bad name or not. Your phone's bluetooth and wifi can be used to locate where you are, so the backwards framing is that it's ___location services, which isn't a lie, but it's misleading. Because the operating system manufacturers are trying to simplify things for us, it's "___location services", not GPS, wifi, bluetooth. An app with ___location services enabled could take your gps coordinates and beam them home to a foreign government, and it's entirely possible they do, but because of how manufacturers have decided to name things so as to not confuse consumers, apps need "___location services" to use bluetooth/change wifi.
I wouldn’t consider that a conspiracy theory, I would consider it common sense that an intelligence agency has a list of common potential sources of intelligence.
In fact it would be extremely surprising if they didn’t have that list.
Why are you assuming that only non open source devices are vulnerable? We've seen enough open source vulnerabilities in broad daylight to know that open source does not mean secure.
I don't have it backwards. That is what I said. They are assuming non open source is backdoored. That does not mean open source is not also backdoored.
I don't think you can say it tends to get fixed because you don't know the ratio between the number of vulnerabilities and the ones that get fixed. Closed source can also be audited. Auditing code for companies is an entire business model.
For those who know their stuff, setting up a dedicated VLAN for IoT and putting devices in it based on MAC addresses (allow or disallow lists) is a solid option as well and fun to learn.
I don't even want these devices making outgoing connections to the internet. I have my router drop all outgoing connection attempts from my IOT vlan. I can connect to the cameras etc on there from other VLANs but that's the only way packets get out.
There never was a Year of Linux on the Desktop, but there's been a year of linux on the phone, linux on the car, linux on the submarine, linux on the fridge, and so it's no surprise there's a year of linux in the bed.
Anything sufficiently complex (this bed: https://en.wikipedia.org/wiki/Sleep_Number#Sleep_Number_Bed) is going to have a microprocessor, and it makes sense to have an OS that lets you interact with it via a serial console, with Linux being the cheapest and most commonly supported OS in that context.
It's an inflatable mattress with an adjustable pressure regulator. That's pre-computer-age technology. The only thing that requires a computer is to make the adjustment remote. Why would you want to adjust your bed remotely?
Not only do they run an SSH server on their embedded Linux device but the entire Linux component is unnecessary. All it really does as far as I can tell is act as a bridge between an STM32 and a process long-polling AWS for commands. They could have achieved the same thing with less cost and complexity with an ESP32.
Also bad: they engineered it maliciously, making it completely and unnecessarily dependent on the cloud. All the sensor data is streaming in real time to the cloud and the only way to send it commands is through AWS.
If a Chinese company did this, the company would be cancelled.
In fact I'll be shocked if their product isn't blown out of the water in a couple of years by a Chinese copy that can function entirely offline and despite that massive disadvantage, can implement advanced features that Eight Sleep charges $200/yr for, like an alarm clock.
Thankfully their nonsense resulted in it being pretty easy to hack. There's a GitHub project to replace parts of the firmware.
> Also bad: they engineered it maliciously, making it completely and unnecessarily dependent on the cloud. All the sensor data is streaming in real time to the cloud and the only way to send it commands is through AWS.
Why would they unnecessarily add local processing capabilities to their data collection tool? The entire point was collecting the data.
Is this your first exposure to Linux-based embedded devices? It’s very common to run Linux on embedded devices. There are even variants of Linux designed for microcontrollers.
how else would you record and transmit measurements to a server? lower-level hardware and software is expensive to develop on and potentially be difficult to update.
I don't need my bed to transmit measurements to a server. I need my bed to be comfortable to sleep on. I need exactly zero interactions with a server for that.
So, yeah, back to the question. Why does my bed have an SSH server? Because it needs to be able to talk to some machine on the internet. And why does my bed need that? It's a bed.
[Edit: Wait a minute. Even if I do want to transmit measurements, why is my bed running a server? My bed should be running a client.]
If you sleep alone, live in a comfortable climate, and don't have any sleep problems, or back pain problems, I'm happy for you. Your experience isn't universal though and sleep is the most important thing you can do for your body so getting good sleep is paramount. Furthermore, having data on how well you slept is very useful for figuring out your own body. We wear devices to log how many steps we take, a device to log how you sleep is just an extension of that.
Are you even taking care of yourself if you don't have one?
Okay no but seriously, a smart bed that helps you get really good sleep at night so you wake up rested and ready to face the whole world may not be your cup of tea, but that's what they're selling. You could get that without all the technology, but what's the sleep company going to do with the data? Know that you sleep at night? What's the privacy danger in that?
The bed doesn’t need a cloud connection to do any of those advanced features. A phone app and BLE connection (like a smart watch) could easily handle it.
> I don't need my bed to transmit measurements to a server. I need my bed to be comfortable to sleep on. I need exactly zero interactions with a server for that.
Then don’t buy this specific bed?
These features are part of why people buy this product. Nobody is accidentally purchasing this as “just a bed” and then discovering that it has an app and smart controls as a surprise later.
> And why does my bed need that? It's a bed.
This is a very dishonest take. If you don’t understand or don’t want the product, then don’t buy it. But the smart controls exist because people (other than you) want them.
because you bought it. sitting across the show room floor or one of the other pics on the sales website were other beds that did not have these features. instead, you let the sales person push you into a sale of a product you weren't happy with or you did not pay attention to the product listing. or your spouse bought it. none of these says anything positive about your situation though, so some inner reflecting on why you're such a bad consumer is warranted
Embedded linux is everywhere.
Making the initial connection (connect to BED23234 wifi and do xyz on a web page) requires more than a microcontroller.
There's no point trying to save a few bucks on such a ridiculously expensive item.
You're so stuck in your line of thinking. How about you run an API and host the client in a native app? Problem solved. How about you don't run sshserver. Problem solved.
For me it's more about security. If I have a an appliance tied to the internet my entire network is susceptible. With an app, and bluetooth, I could just send data between the appliance and the iPhone, and then use the iPhone connection to the network to send data to the server (if needed / wanted but probably not for this application).
I tried 2 different IP addresses from Brazil and they got blocked.
I tried an IP address from the USA and another from Canada, and both worked correctly.
The message you get when you're blocked is:
Sorry, you have been blocked
You are unable to access dillan.org
Performance & security by Cloudflare
Why have I been blocked?
This website is using a security service
to protect itself from online attacks.
The action you just performed triggered
the security solution. There are several
actions that could trigger this block
including submitting a certain word or
phrase, a SQL command or malformed data.
which is false since I wasn't doing any of the things they list.
I wonder why they think that Brazil and other countries shouldn't be reading this site? Is the owner of the site able to geo-target which countries he wants his site to be shown in via Cloudflare?
No internet required. No Linux powered microcontroller required. My bed couldn't get hacked. I slept in comfort.