Monday, February 24, 2025

Dylan Ayrey Has a Sleepless Night Thanks to an SSH Backdoor in Eight Sleep Smart Mattress Covers



Security researcher Dylan Ayrey has been investigating an Eight Sleep smart mattress cover, and isn’t terribly impressed with what he’s found: a backdoor that gives the company the ability to SSH into the bed, execute arbitrary code, and from there explore the user’s whole network.

“A little while ago I asked my infosec Twitter followers what IoT [Internet of Things] device in my house they thought I found a live AWS key in,” Ayrey explains. “Guesses ranged from a refrigerator to a bidet, but no one got it right. The right answer was my bed. I also found a backdoor into my bed.”

The bed in question is a smart mattress from Eight Sleep, designed to cover the user’s existing mattress and circulate heated or cooled water in order to maintain the surface at a preferred temperature. Unsurprisingly, given the nature of the modern Internet of Things, the device is tied to a cloud service and subscription model that unlocks automatic temperature control and sleep tracking capabilities — and, it seems, also delivers a vulnerability that’ll keep the security-conscious up all night anyway.

“Sure, Eight Sleep needs a way to push updates, provide service, and offer support. That’s expected,” Ayrey says of his discovery. “What goes too far in my opinion, is allowing all of Eight Sleep’s engineers to remotely SSH into every customer’s bed and run arbitrary code that bypasses all forms of formal code review process. And yes, I found evidence that this is exactly what’s happening.”

By providing a way to connect over a Secure SHell (SSH) link to the cover’s controller, Eight Sleep provides its engineers with complete control of the device — and from there the ability to bounce out into the rest of the user’s network. “Any other device connected to that home network — smart fridges, smart stoves, smart washing machines, laptops — is typically routable via your bed,” Ayrey explains. “The (in)security of those devices is now entrusted to random Eight Sleep engineers.”
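The pivot Ayrey describes depends on the bed's controller exposing an SSH service on the same flat home network as everything else. A quick inventory check a homeowner or defender can run for that condition, added here as an example (it is not code from the article, from Ayrey's write-up, or from Eight Sleep) and assuming SSH sits on the default port 22, which a vendor need not use:

```python
#!/usr/bin/env python3
"""Find which hosts on a home LAN have an SSH service listening.

Added example, not from the original article or Eight Sleep. Assumes the
IoT device sits on the same flat subnet as the laptop running this and
that SSH is on the default port 22 (an assumption; a vendor could pick
another port). Usage: python3 ssh_inventory.py 192.168.1.0/24
"""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SSH_PORT = 22   # assumption: default port
TIMEOUT = 1.0   # seconds per host


def parse_ssh_banner(raw: bytes):
    """Return (protocol_version, software) from an SSH identification
    string as defined in RFC 4253, or None if the bytes are not SSH."""
    line = raw.split(b"\n", 1)[0].strip()
    if not line.startswith(b"SSH-"):
        return None
    parts = line.decode("ascii", "replace").split("-", 2)
    if len(parts) < 3:
        return None
    # Software field ends at the first space (optional comments follow).
    return parts[1], parts[2].split(" ", 1)[0]


def probe(host: str):
    """Connect to host:22 and read the server banner; None if closed."""
    try:
        with socket.create_connection((host, SSH_PORT), timeout=TIMEOUT) as s:
            s.settimeout(TIMEOUT)
            return host, parse_ssh_banner(s.recv(256))
    except OSError:
        return host, None


def scan(cidr: str):
    """Probe every host in cidr; return {host: (version, software)} for
    hosts that answered with an SSH banner."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=64) as pool:
        results = pool.map(probe, hosts)
    return {h: b for h, b in results if b is not None}


if __name__ == "__main__":
    for host, (ver, sw) in sorted(scan(sys.argv[1]).items()):
        print(f"{host:16} SSH-{ver} {sw}")
```

Any embedded device that shows up here (dropbear is the usual server on small Linux boards) deserves a look at whether it needs network-wide reachability at all, or belongs on a separate VLAN.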

If you’re experiencing a strange sense of deja vu right now, there’s a good reason: last year engineer Dillan Mills discovered an SSH backdoor in smart beds from Sleep Number, a company seemingly unrelated to Eight Sleep other than being in the same market sector with a similar naming theme and having the same bad ideas about security-convenience trade-offs. At the time, Sleep Number described the backdoor as a “support system pathway” present only on “older Sleep Number smart bed” models and stated that it would “soon decommission this prior pathway as planned.”

Ayrey’s full write-up, which concludes with a simple guide to ripping out Eight Sleep’s controller and replacing it with a cheap and very-much-not-internet-connected aquarium chiller and pump that requires no subscription and definitely has no SSH server running, is available on the Truffle Security blog; Eight Sleep has been approached for comment.

Update (02/24/2025): Eight Sleep has provided us with a statement downplaying Ayrey’s discovery, claiming that the researcher’s findings “do not reflect a legitimate security vulnerability but rather speculation without real-world implications,” and asserting that “Eight Sleep devices are impenetrable to unauthorized individuals” without denying that the presence of an SSH backdoor would make customers’ private networks easily penetrable to Eight Sleep’s own engineers.

“That said,” the company adds, “we appreciate the work that security researchers do to ensure that companies continue to follow the best-in-class protocols for consumer safety.”

The company did not comment on whether, like rival Sleep Number, it planned to remove the SSH backdoor in future firmware updates.
