Chinese-made smart eye mask found to have a vulnerability that allows reading other people's brainwaves

AI engineer Aimilios Hatzistam discovered a serious vulnerability in a Chinese-made smart eye mask he bought on Kickstarter: it allowed him to read other people's brainwaves in real time and could even let him send electrical impulses.
My smart sleep mask broadcasts users' brainwaves to an open MQTT broker | aimilios

Engineer finds his smart sleep mask can read other people's brainwaves due to poor software security — superpower granted via poor-quality software with hardcoded high-level credentials | Tom's Hardware
https://www.tomshardware.com/peripherals/wearable-tech/engineer-finds-his-smart-sleep-mask-can-read-other-peoples-brainwaves-superpower-granted-via-poor-quality-software-with-hardcoded-high-level-credentials
The device in question is a smart eye mask developed by a Chinese startup, and features electroencephalogram (EEG) monitoring, electrical muscle stimulation (EMS) around the eyes, vibration, heating, and audio functions. However, the app was unstable. Hatzistam attempted to analyze the Bluetooth Low Energy (BLE) protocol to identify and connect to his own mask among 35 surrounding devices, but was unable to send direct commands due to the proprietary communication method.
Hatzistam then switched to analyzing the Android app with Anthropic's Claude. By examining the binaries of the Flutter-built app, he was able to extract credentials, cloud API endpoints, 15 command function names, and packet structures, all of them shared by every copy of the app.

After further analysis, Hatzistam was able to identify each command and build a simple web dashboard to control the mask. In response to a six-byte query, the device returned 153 bytes containing not only the model number, firmware version, and serial number, but also brainwave frequency, breathing, 3-axis acceleration, 3-axis gyroscope readings, and battery level.
Using the discovered credentials, he connected to the manufacturer's MQTT broker and received real-time raw waveform data from approximately 25 other active masks, including mixed-frequency activity indicating that one user was in rapid eye movement (REM) sleep and strong delta waves below 4 Hz indicating that another user was in deep slow-wave sleep.

The eye mask's EMS function is controlled by a separate command that specifies mode, frequency, intensity, and duration. Hatzistam said that all devices share the same credentials and the same broker, so if he could read other people's brainwaves, he should also be able to send them electrical stimulation. Beyond the sleep masks, the same MQTT broker also exposed data from an air quality monitor (temperature, humidity, and CO2) and from a motion sensor that detects room occupancy.
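The shared-credential design described above, modelled as an added example (not code from the article, the researcher, or the vendor): a small Mosquitto-style topic ACL evaluator shows that one credential with read access to the whole device tree exposes every mask's stream, while per-device credentials scoped with a pattern confine each client to its own telemetry. The topic layout, usernames and device ids are assumptions.

```python
"""Added example: minimal model of MQTT topic ACLs (Mosquitto acl_file style).
The broker, topic layout 'devices/<id>/...' and usernames are assumptions."""


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches the remainder."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def expand(pattern: str, username: str, client_id: str) -> str:
    """Substitute %u (username) and %c (client id) as Mosquitto patterns do."""
    return pattern.replace("%u", username).replace("%c", client_id)


def can_read(acl: list[str], username: str, client_id: str, topic: str) -> bool:
    """ACL entries are 'read <filter>' or 'pattern read <filter with %u/%c>'.
    Returns True if the authenticated client may receive messages on topic."""
    for entry in acl:
        words = entry.split()
        filt = expand(words[2], username, client_id) if words[0] == "pattern" else words[1]
        if topic_matches(filt, topic):
            return True
    return False


def readable_devices(acl: list[str], username: str, client_id: str, device_ids: list[str]) -> list[str]:
    """Which devices' raw EEG streams this client can read under the given ACL."""
    return [d for d in device_ids if can_read(acl, username, client_id, f"devices/{d}/eeg/raw")]


# Weak model from the article: every app copy ships one hardcoded account and the
# broker grants that account read access to the whole device tree.
SHARED_ACL = ["read devices/#"]

# Hardened model: each mask (or paired app) gets its own credential, and a pattern
# rule restricts it to its own subtree; nothing else on the broker is visible.
PER_DEVICE_ACL = ["pattern read devices/%u/eeg/#", "pattern read devices/%u/status"]

if __name__ == "__main__":
    masks = [f"mask-{i:04d}" for i in range(25)]  # constructed device ids
    print("shared credential sees:", len(readable_devices(SHARED_ACL, "app-shared", "any", masks)))
    print("per-device credential sees:", readable_devices(PER_DEVICE_ACL, "mask-0003", "mask-0003", masks))
```

Real brokers additionally validate the subscription filter a client requests (so a wildcard subscription outside its pattern is rejected, not just silently unmatched); this model checks concrete topics only.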
Hatzistam declined to disclose the names of the products or companies, but said he had contacted the companies about the issue. The transcript of the session between Hatzistam and Claude is available on GitHub.
session.txt · GitHub
https://gist.github.com/aimihat/a206289b356cac88e2810654adf06a55