I found a back door in my bed

Dylan Ayrey, co-founder of the security company Truffle Security, reported that his internet-connected bed contained a backdoor.
Removing Jeff Bezos From My Bed ◆ Truffle Security Co.

Mr. Ayrey purchased a high-performance bed called '
The backdoor appears to have been created by Eight Sleep for the purpose of updating firmware, and Ayrey points out that the problem is that 'any Eight Sleep engineer could remotely SSH into a customer's bed and execute arbitrary code, circumventing any form of formal code review process.'
Part of the firmware shows that SSH is exposed to a remote host, remote-connectivity-api.8slp.net. 'The variables in production.json seem to suggest that this access was opened up to remote hosts,' Ayrey writes. In addition, a public key that grants access to the device is also listed, and Ayrey says, 'Based on the email address ([email protected]) attached to the public key, the private key appears to be accessible to the entire engineering team.'
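The two indicators described above, an SSH service pointed at an external host and an unrestricted authorized key tied to a team-wide identity, are things a firmware reviewer can check for mechanically. The following Python audit is an added example, not code from the article or from Truffle Security; the authorized_keys entries and the production.json key names are constructed stand-ins, and only the hostname comes from the article.

```python
import json
import re

# Key comments naming a role or mailbox instead of one person suggest a shared private key.
SHARED_IDENTITY = re.compile(r"(engineering|team|dev|ops|admin|root)@", re.I)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
LOOPBACK = ("127.", "::1", "localhost")

# Constructed sample authorized_keys file (fake key material, not the real firmware).
AUTHORIZED_KEYS = """\
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForIllustrationOnly engineering@example.com
from="10.0.0.5",command="/usr/bin/fw-update" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherFakeKey updater@example.com
"""
# Constructed stand-in for production.json; the setting names are hypothetical.
PRODUCTION_JSON = json.dumps({
    "remote_ssh_host": "remote-connectivity-api.8slp.net",
    "remote_ssh_port": 22,
    "local_ssh_listen": "127.0.0.1",
})

def audit_authorized_keys(text: str) -> list[str]:
    """One finding per key that lacks from=/command= restrictions or names a shared identity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Locate the key-type token; anything before it is the options field.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append(f"line {lineno}: unparseable entry")
            continue
        options, comment = " ".join(fields[:idx]), " ".join(fields[idx + 2:])
        if "from=" not in options and "command=" not in options:
            findings.append(f"line {lineno}: key accepted from any host with an unrestricted shell")
        if SHARED_IDENTITY.search(comment):
            findings.append(f"line {lineno}: comment {comment!r} looks like a shared team identity")
    return findings

def audit_remote_config(config_text: str) -> list[str]:
    """Flag SSH/remote/tunnel settings that point at anything other than loopback."""
    findings = []
    for key, value in json.loads(config_text).items():
        if isinstance(value, str) and re.search(r"ssh|remote|tunnel", key, re.I):
            if not value.startswith(LOOPBACK):
                findings.append(f"{key} = {value!r}: SSH reachable from an external host")
    return findings
```

Run `audit_authorized_keys` and `audit_remote_config` over the files pulled from an extracted root filesystem; a key that carries a `from=` or `command=` restriction and a personal comment, as on the third sample line, produces no finding.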

'What does this mean? Each bed contains a Linux-based computer, and if I'm right, that means all of Eight Sleep's engineers have full control over that computer whenever they want,' Ayrey said.
With this access, the company could do anything, including tracking how long a customer sleeps, detecting when there are two people in the bed instead of one, or even detecting when no one is in the bed, changing the temperature of the bed, or turning on the vibration function, Ayrey said.
This could be used to stalk a customer, for example, if their ex-partner worked at Eight Sleep.
Additionally, there are no logs or notifications left on the device, so there's no way to know when this happened.

'Needless to say, giving arbitrary SSH access to engineers is not a best practice,' said Ayrey. He said he solved the problem by no longer using Eight Sleep's temperature control function and connecting the water flow tube to an external aquarium temperature controller purchased for $150 (about 22,400 yen).