“I was not expecting to end up with the ability to read strangers’ brainwaves and send them electric impulses in their sleep. But here we are.”
That’s the opening line. And it only gets worse from there.
The Cheat Sheet
A security researcher bought a smart sleep mask off Kickstarter. Cool hardware — EEG brain monitoring, electrical muscle stimulation, vibration, heating, audio. The whole package.
He wanted to build a better control app. So he reverse-engineered the Bluetooth protocol.
What he found instead:
- Hardcoded credentials baked into every single copy of the app
- An open MQTT broker streaming live data from ~25 active devices worldwide
- Real-time brainwave data from sleeping strangers — one in REM sleep, one in deep slow-wave sleep
- The ability to send electric shocks to any connected mask. While people are sleeping.

Read that last one again.

Your Unfair Advantage (the technical breakdown)
The researcher used Claude to decompile the Android APK. The app was built with Flutter, which compiles Dart into native ARM64 — normally hard to reverse. But compiled binaries still have strings in them.
Running strings on the binary dumped:
- Cloud API endpoints
- All 15 command function names (vibration, heating, EMS intensity…)
- The full packet structure — header, direction byte, command type, payload, footer
- And the server credentials. Shared by every device. Globally.
One six-byte query packet later, the mask responded with 153 bytes of telemetry. Battery level. Firmware version. All eight sensor channels. Everything worked — vibration, heating, EMS, music.
Then things got dark.
Those hardcoded credentials connected to the company’s MQTT message broker. And it wasn’t just his device talking. It was ALL of them. Live EEG from sleeping users. Air quality sensors. Room occupancy detectors. All on one open pipe.
Why This Matters
This isn’t just a privacy bug. This is:
- Your literal brain activity streamed to an unprotected server
- Physical control over a device touching your face while you sleep
- Every device sharing the same keys — one credential compromise = all users compromised
- A masterclass in everything wrong with IoT security in 2026
The researcher did responsible disclosure and didn’t name the company. But the pattern is everywhere: cheap IoT + hardcoded creds + zero auth = nightmare.

Full Story — How the Reverse Engineering Went Down
The mask connects via BLE (Bluetooth Low Energy). The researcher’s AI assistant scanned for devices, found the mask, and mapped two data channels — one for commands, one for streaming.
Standard protocol guessing (Modbus, JSON, raw bytes) got nowhere. So they pivoted to the app.
The APK was decompiled with jadx, but since it’s Flutter, the real logic lives in a 9MB compiled Dart binary blob. Using blutter — a specialized Flutter decompiler — they reconstructed all 15 command builder functions with readable annotations.
Every command byte was mapped. The protocol was fully cracked.
Then the MQTT discovery happened almost by accident. The hardcoded credentials were just… sitting there in the binary strings output. Connected first try. Immediately started receiving data streams from devices around the world.
The researcher captured EEG data showing distinct sleep stages — mixed-frequency REM activity from one user, strong delta waves (below 4Hz) from another in deep sleep.
The EMS control is just another command: mode, frequency, intensity, duration. Since every device shares credentials and the same broker — if you can read someone’s brainwaves, you can also zap them.
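The broker-side fix for the pattern described above is per-device identity plus topic isolation. The configuration below is an added example written for this summary, not the vendor’s setup (the post does not name the broker software); Mosquitto, the file paths, topic names and account names are all assumed.

```conf
# mosquitto.conf -- WEAK (the shape of the problem the post describes):
# every device and every copy of the app logs in with the same account,
# and no ACL limits what an authenticated client may read or publish.
# listener 1883
# allow_anonymous false
# password_file /etc/mosquitto/shared_passwd    # one shared account for everyone

# mosquitto.conf -- HARDENED (added example, assumed paths)
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd    # one entry per device, provisioned per unit, never baked into the app
acl_file /etc/mosquitto/acl

# /etc/mosquitto/acl (assumed topic layout)
# %u is replaced with the authenticated username, so each device can only
# reach topics under its own identity. There is deliberately no "topic readwrite #".
pattern write devices/%u/telemetry/eeg
pattern write devices/%u/telemetry/status
pattern read  devices/%u/commands/#

# The cloud backend gets its own account and scope. End-user apps hold no
# broker credentials at all: they call the vendor API, which authorises the
# request and publishes the command on the user's behalf.
user backend
topic read  devices/+/telemetry/#
topic write devices/+/commands/#
```

With this ACL a device identity that subscribes to devices/+/telemetry/# is not delivered other devices’ data, and a leaked device credential exposes only that one device’s topics.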
The entire reverse engineering session was done by Claude (Opus 4.6) in about 30 minutes of autonomous work. The conversation transcript is linked in the original post.
Your Move
If you own any smart sleep/health device:
- Check if it requires an app with cloud connectivity — assume the worst
- Read Karpathy’s Digital Hygiene post (the researcher recommends it too)
- Consider whether a device that touches your face and has electrical stimulation capabilities really needs internet access
- If you can, firewall IoT devices to block outbound connections they don’t need
If you’re a tinkerer: the full Claude conversation transcript for the reverse engineering session is linked in the original post. It’s a fascinating read on what AI-assisted security research looks like now.
Skip This If…
You sleep with a regular pillow like a normal person and don’t let internet-connected devices near your brain. Stay blessed.
Source: aimilios.bearblog.dev