Privacy @lemmy.ml RobotToaster @mander.xyz 1d ago

A backdoor in a bed

trufflesecurity.com Removing Jeff Bezos From My Bed ◆ Truffle Security Co.

Eight Sleep smart bed found to contain an exposed AWS key and a likely backdoor that allowed engineers to remotely access users' beds

35 comments

Talk about building a solution in search of a problem
I was willing to overlook:

The bed costs $2,000

It won’t function if the internet goes down

Basic features are behind an additional $19/mo subscription

The bed’s only controls are via mobile app

My man would have been willing to overlook having Jeff bezos himself sleep in his bed with him before realizing what was happening.
- This was written by Papa Bear himself
Trying very hard not to come to the conclusion that if you waste 2000 bucks on a connected bed, you have only yourself to blame.

Seriously. Unlike dumb TVs, dumb beds are not going away. Buy one for 400 bucks and donate the remainder of your bed-buying fortune. Your body won't notice and €1600 can do a lot of good.
- on a connected bed
  
  If the protocol was documented and simple enough, and if you could make it talk to your smart home RPi, then one could replace AWS with nginx + a perl or lua module.
- I've read some people get help from the cooling these provide, but I think there's versions without subscriptions.
  
  Also I've read of people buying shit like this in the hope it helps intractable insomnia, and they probably aren't thinking that clearly, because of sleep deprivation.
  
  I share your suspicions but I'd go further. The bed industry has always struck me as an obvious scam that plays on people's nebulous health anxieties and also on the tempting cognitive fallacy that, since an 8-hour night is the same amount as an 8-hour workday, the exact physical makeup of your bed is somehow as important as your career or something. It all strikes me as almost completely irrational. People slept for aeons on straw and somehow survived. A bed is a soft flat object, any other abstract properties are just marketing IMO.
- I mean, I fully agree with the sentiment, but if you think you won’t notice the difference between a $400 and $2000 bed, you just haven’t slept in one. I got almost 2 hours more sleep a night switching up to a $2000 (dumb) bed.
  
  My partner and I have a basic box spring and a Queen-sized free mattress (from a family member.)
  
  We put a 4” thicc memory foam topper on it and I can easily get 13 hours straight of sleep. It’s horrifying.
  
  As a regular traveler I have slept in a lot of beds. Maybe 300 (sic) in the last decade, of all quality levels. For me it makes all but no difference to how much sleep I get, the only thing that bothers me is when the springs are literally sticking out. So this is all completely anecdotal and I do respect your own anecdote. But I can't help noticing that I see it repeated in lots of bed adverts.
- When you blame consumers for allowing antisocial tech into their lives, you’re doing free work for the tech barons.
  
  So nobody has any agency and we're all just helpless puppets on strings?
- To be fair it's more of a mattress than a bed
So, umm, my bed suddenly get too hard or soft at night? Yawn.
The email address attached to the public key, [email protected], to me suggests the private key is likely accessible to the entire engineering team.

This assumption is doing a lot of heavy lifting in the authors argument that this is a big deal.
- Remember, the “s” in IoT stands for “security”.
  
  I could completely see this email address being a shared email address and not tied to a single user.
  
  I'm 90% sure it is not a single user. I just don't see how that really affects the security of the product, given that the company that sells it can already do the things the author is saying can be done if you have this key.
  
  To be clear, I wouldn't buy this. I just don't think the SSH key makes it any worse than it already was
- How so, it's clearly a shared account
  
  I don't think that's a wild assumption to make
  
  A shared account doesn't mean everyone who works there has access to it, or that those who do have access aren't subject to some type of access control.
  
  The article basically goes on to say that the existence of this key makes a huge difference to the security/privacy of the product. It argues that using it, someone could access data from the device, or use it to upload arbitrary code to the device for it to run. However, those are both things the user is already trusting the company with. They have to trust that the company has access controls/policies to prevent individual rogue employees doing the things described. It seems unreasonable to say that an SSH key being on the device demonstrates that those controls aren't in place.
Great article, with a pretty cool (or warm) solution to the problem.
This is fucked up, but it's still somehow better than a Murphy Bed backdoor.

35 comments