High-tech Eight Sleep pods allow Elon Musk and DOGE staff to rest at work
But a researcher found security flaws, including an AWS key and remote access
Hackers could exploit the beds to infiltrate home networks and connected devices
Regardless of one’s views on Elon Musk and his leadership of the Department of Government Expenses (DOGE), it’s clear that he and his team are working tirelessly. Reports from Wired suggest that Musk has been logging extensive hours at DOGE headquarters, located conveniently near the White House, with staff members also reportedly working up to 120 hours a week.
To help combat exhaustion, Musk has implemented the use of Eight Sleep pods at the office. These innovative smart beds not only support sleeping but also offer features for reading, personalized positioning, and snoring reduction. Equipped with a hub that adjusts the temperature for optimal comfort, these beds come with a hefty price tag. The premium Cali King Pod 4 Ultra retails for approximately $5,000 and demands a monthly subscription fee of either $17 or $25—costs that are manageable for someone of Musk’s financial stature.
Given such an investment, one might expect these high-tech beds to ensure user safety. However, recent findings from notable security researcher Dylan Ayrey have revealed alarming vulnerabilities associated with these smart beds.
An active AWS key
Ayrey, affiliated with Truffle Security, discovered a significant security flaw in the connectivity of Eight Sleep’s mattresses. His investigation identified an active AWS key embedded within the bed’s firmware, which appeared to be transmitting data directly to Amazon.
Upon further examination, he also found a remote backdoor that supposedly allows Eight Sleep engineers to gain SSH access to any customer’s bed, enabling them to execute arbitrary code with minimal oversight. This level of access raises concerns about potential monitoring of sleep patterns, bed occupancy, and even manipulation of bed functions from a distance.
The implications of these flaws extend beyond individual privacy concerns, threatening the security of entire home networks. With total SSH access, hackers or even unscrupulous insiders could leverage the bed as a gateway to access other smart devices in a home, such as refrigerators and computers. Ayrey likened this access to Uber’s controversial "God Mode," a tool utilized unethically to surveil users without their knowledge.
Fortunately, the identified AWS key was disabled shortly after Ayrey reported it, but the exact functionality it served remains unclear. “From the context, we can infer that the key had write access to Kinesis, but specifics are still unknown,” Ayrey remarked. “However, an attacker could have exploited that key to send 5,000 PUT requests per second into Kinesis, potentially leading to a staggering monthly bill of $100,000 for Eight Sleep.”
Disheartened by what he uncovered, Ayrey devised an alternative to the smart bed—using an aquarium chiller to achieve similar temperature regulation without the inherent risks of apps, internet connectivity, or security vulnerabilities tied to an Eight Sleep.
Source
www.techradar.com