My smart sleep mask broadcasts users' brainwaves to an open MQTT broker
Initial reactions & tone
- Many comments riff on the surreal premise: a crowdfunded sleep mask that lets a random stranger “read brainwaves and send electric impulses” feels like straight cyberpunk / Philip K. Dick / Inception / Paprika.
- Some find it darkly funny that such a product exists at all; others are more disturbed than amused.
Security architecture & risks
- Core issue: all devices share the same MQTT broker and credentials, with no meaningful access control. If you can subscribe, you can read everyone’s data and send control commands, including electrical stimulation.
- Several note this “shared MQTT creds” pattern is common in cheap IoT (thermostats, smart plugs, air sensors), even though mainstream brokers support per-client TLS certificates and per-topic ACLs, so the protocol itself is not the limitation.
- More advanced suggestions: per‑device keys, mutual auth over BLE, server‑mediated authorization, and hardened apps so spoofing and replay don’t work.
- Some see this as a reason never to trust IoT health devices; others see an opportunity to hijack the traffic for local-only integration (e.g., via DNS override) and cut the vendor cloud out entirely.
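The two designs the thread contrasts (one credential shared by every device with no topic restrictions, versus per-device credentials plus topic ACLs with the backend mediating commands) as an added, runnable model. This is constructed example code, not the vendor's broker configuration, anything from the original post, or Mosquitto itself; it imitates Mosquitto-style `acl_file` semantics (per-user `topic` rules and `pattern` rules where `%u` is the username and `%c` the client id). The topic layout `sleepmask/<device>/eeg` and `sleepmask/<device>/cmd`, the device ids and the passwords are assumptions.

```python
"""Shared-credential MQTT broker vs. per-device credentials + topic ACLs.

Constructed example (not the vendor's broker, the original post's code, or
Mosquitto itself). It models Mosquitto-style acl_file semantics: per-user
'topic' rules plus 'pattern' rules in which %u is replaced by the username
and %c by the client id. Topic names, device ids and passwords are assumed.
Each delivered message is authorized by its concrete topic, so subscribing
to a wildcard such as 'sleepmask/#' gains an attacker nothing on its own.
"""
from dataclasses import dataclass, field


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches exactly one level, '#' the remainder
    (including zero levels, so 'a/#' also matches 'a')."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


@dataclass
class Rule:
    access: str    # "read", "write" or "readwrite"
    pattern: str   # topic filter; may contain %u / %c placeholders


@dataclass
class Broker:
    credentials: dict                                # username -> password
    user_rules: dict = field(default_factory=dict)   # username -> [Rule]
    pattern_rules: list = field(default_factory=list)

    def authorize(self, username, password, client_id, topic, access) -> bool:
        """True if this client may 'read' (receive) or 'write' (publish) topic."""
        if self.credentials.get(username) != password:
            return False
        rules = list(self.user_rules.get(username, []))
        for r in self.pattern_rules:   # expand %u / %c for this client
            expanded = r.pattern.replace("%u", username).replace("%c", client_id)
            rules.append(Rule(r.access, expanded))
        return any(r.access in (access, "readwrite") and topic_matches(r.pattern, topic)
                   for r in rules)


# Weak design described in the thread: one credential baked into every mask,
# and that identity may read and write the whole device tree.
SHARED = Broker(
    credentials={"sleepmask": "factory-default"},
    user_rules={"sleepmask": [Rule("readwrite", "sleepmask/#")]},
)

# Hardened design: each mask has its own credential, may only publish its own
# EEG stream and receive its own commands, and only the backend may fan out
# commands (server-mediated authorization rather than device-to-device).
PER_DEVICE = Broker(
    credentials={"mask-0001": "k1", "mask-0002": "k2", "backend": "kb"},
    user_rules={"backend": [Rule("read", "sleepmask/+/eeg"),
                            Rule("write", "sleepmask/+/cmd")]},
    pattern_rules=[Rule("write", "sleepmask/%u/eeg"),
                   Rule("read", "sleepmask/%u/cmd")],
)


def run_checks() -> dict:
    """Exercise both brokers as mask-0001 (or, on the shared broker, as anyone
    who pulled the single credential out of the app or firmware)."""
    def shared(topic, access):
        return SHARED.authorize("sleepmask", "factory-default", "x", topic, access)

    def mask1(topic, access):
        return PER_DEVICE.authorize("mask-0001", "k1", "c1", topic, access)

    return {
        # shared broker: a stranger reads another user's EEG and sends them commands
        "shared_read_others_eeg": shared("sleepmask/mask-0002/eeg", "read"),
        "shared_write_others_cmd": shared("sleepmask/mask-0002/cmd", "write"),
        # per-device broker: own topics allowed, everyone else's denied
        "own_eeg_publish": mask1("sleepmask/mask-0001/eeg", "write"),
        "own_cmd_subscribe": mask1("sleepmask/mask-0001/cmd", "read"),
        "others_eeg_read": mask1("sleepmask/mask-0002/eeg", "read"),
        "others_cmd_write": mask1("sleepmask/mask-0002/cmd", "write"),
        # a key lifted from one mask does not work under another mask's identity
        "stolen_key_wrong_user": PER_DEVICE.authorize(
            "mask-0002", "k1", "c1", "sleepmask/mask-0002/eeg", "write"),
        "backend_sends_cmd": PER_DEVICE.authorize(
            "backend", "kb", "b", "sleepmask/mask-0002/cmd", "write"),
    }


if __name__ == "__main__":
    for name, allowed in run_checks().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The `%u` pattern is what turns "per-device credentials" into "per-device authorization": without it, unique passwords alone still let any device read the whole tree. On a real Mosquitto deployment the equivalent is a listener with `require_certificate true` and `use_identity_as_username true` (so the TLS client certificate's CN becomes the username) together with an `acl_file` containing the `pattern` lines; the model above does not implement TLS, so the mutual-auth step is an assumption stated here rather than shown.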
Naming, disclosure, and verification
- Big split over the author not naming the company:
  - One side: not naming is “cowardly” and irresponsible; users need to know so they can stop using the device immediately.
  - Other side: delaying “name and shame” gives the vendor time to fix things and may reduce opportunistic attacks.
- People try to guess which Kickstarter it is; others point out that if attackers care, they can likely identify it already.
- A few are skeptical of the entire story due to lack of protocol dumps or code, but the later-published Claude transcript reduces some of that doubt.
Brain data, privacy, and ethics
- A neuroscientist emphasizes that while EEG isn’t “mind reading,” normalizing unprotected brain data is a bad precedent.
- Even coarse signals (sleep/wake, alertness, presence in room) are sensitive: useful to burglars or employers, and reminiscent of prior fitness/GPS leaks exposing military sites.
- Discussion notes that health privacy laws often don’t cover consumer wellness devices; ethics hinge on informed patient consent, which appears absent here.
IoT, Kickstarter, and engineering shortcuts
- Commenters link this to a broader pattern: Kickstarter hardware teams (often designers/marketers) underestimating engineering, now emboldened by LLMs that make firmware/software appear “cheap.”
- Expectation: more products that “work” superficially but have catastrophic security designs, like global shared credentials and no access control.
LLMs as reverse‑engineering agents
- Many are struck by how far an LLM with a shell can get: scanning BLE devices, decompiling APKs, running strings, inferring protocols, even auto-installing tools.
- Others argue the AI part is somewhat over-dramatic: a competent human reverser would start with similar steps; the real risk is unskilled operators shipping whatever the model produces without understanding it.