Dillan Mills Reverse Engineers the Sleep Number Smart Bed Hub — and Finds an SSH Security Hole

After being asked to shut down his automation plugin, Mills looked for ways to control the smart bed locally — but found a big problem.

Engineer Dillan Mills has gained root on a device you wouldn't normally associate with running an operating system: a "smart" bed from Sleep Number, which requires an active internet connection — and that turned out to create a remote tunnel into owners' home networks, something guaranteed to give the security-conscious sleepless nights.

"I have been interested in exploring the possibility of local network access on my Sleep Number bed for a few years," Mills explains, having already built a plugin for querying the Sleep Number application programming interface — but having been asked to shut it down by the manufacturer due to branding issues and excessive query volume. "This was the motivator for finding a way to access the local network and bypass their servers completely."

Founded in 1987, Sleep Number got its start selling beds with air-based adjustment systems — allowing users to customize firmness and angle, rather than being stuck with only one type of mattress post-purchase. In 2017 the company expanded its offerings with the 360 Smart Bed series, offering built-in sensors capable of delivering a "SleepIQ score" and insights into the user's sleep patterns.

Like all too many smart appliances, Sleep Number's smart products require a connection to the company's servers to operate — which is what Mills was trying to avoid. The engineer began by opening the bed's hub hardware and finding a UART bus that offered a console — then set about investigating a dump of the firmware for ways to access the operating system over a network.

"At first I was searching for a backdoor that would allow anybody to log into the hub without needing to hook up a UART, but I came up empty," Mills explains. "Well, not empty. What I did find was a 'convenient' backdoor that Sleep Number can use to SSH back into the hub (and my internal home network as a result). Likely it is to perform maintenance on the hub as needed, but the paranoid part of me was not happy when I found that. Regardless of if you choose to follow [my] guide or are just reading for fun, I highly recommend you disconnect the Wi-Fi on your hub and only use Bluetooth controls as much as possible."

For those willing to crack open the hardware, Mills' guide provides instructions on connecting to the UART bus and configuring the boot loader to look for a USB flash drive with a file called "let_me_root" on it. If present, it does exactly what you'd expect: provides root access to the hub's operating system. Using the on-board version of Python, it's possible to then run a local web server — from which you can control the bed, and monitor your sleep, without having to go through Sleep Number's servers.

Mills' full write-up is available on his website; Sleep Number has been invited to comment on the security implications of the reverse SSH tunnel the hub creates.

Update 07/02/2024: Sleep Number has issued a statement confirming the presence of what it calls a "support system pathway" in older smart bed hardware, but says it is in the process of decommissioning it.

"This user mechanically altered an older Sleep Number smart bed and found a support system pathway that is no longer used on current smart beds," a spokesperson informs us. "The prior pathway was used for servicing our customers on things like in-home Wi-Fi strength.

"Sleep Number has already provided firmware updates to the older smart beds and will soon decommission this prior pathway as planned. Importantly, this pathway does not impact or connect with other Sleep Number smart beds or sleep data."

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.