My smart sleep mask broadcasts users' brainwaves to an open MQTT broker

Hacker News
February 14, 2026
AI-Generated Deep Dive Summary
A smart sleep mask designed by a Chinese research company and bought through Kickstarter turned out to expose live EEG brainwave data from strangers through an open MQTT broker. The device packs EEG monitoring, electrical muscle stimulation (EMS), vibration, heating and audio into one wearable, and its companion app is built with Flutter, which makes reverse engineering noticeably harder than with a conventional Android or iOS app.

The investigation started with Bluetooth scanning and protocol analysis, which revealed two-way communication between the app and the mask. Despite the initial difficulty of working with a compiled Flutter binary, Claude mapped the device's command structure by analyzing the compiled code and the string literals embedded in the app. Those strings also contained hardcoded credentials for the vendor's MQTT broker. With the credentials extracted and the command protocol mapped, Claude built a custom web dashboard that could drive the mask's functions.

The hardcoded credentials were shared across every unit, so they opened the broker to anyone who recovered them. At the time, the broker was streaming real-time data from 25 active devices, including EEG readings that showed REM sleep stages and deep slow-wave sleep patterns. Because the same channel carries commands, the exposure is not read-only: the EMS feature could be triggered remotely, meaning a stranger could deliver electrical stimulation to a sleeping user without their knowledge.

The privacy and safety implications are serious. The device offers genuinely novel health monitoring, but shared credentials and a broker without per-device access control leave every user open to surveillance and remote interference. The case underlines how much security work IoT products need, above all devices that collect biometric data, and how much rigorous security testing matters before smart hardware ships.
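Two of the steps above are worth seeing in working code: pulling a hardcoded broker URL out of an app binary's string table, and why one shared credential on a broker without per-client ACLs hands every device's topics to whoever holds it. The following is an added example written for this page; it is not code from the original post, and the broker host, credentials, topic layout and device IDs in it are all constructed. The ACL model is a simplified version of the per-user `%u` pattern style used by common brokers, not a reimplementation of any particular broker.

```python
"""Added example: hardcoded-credential extraction plus MQTT topic/ACL semantics.
All sample data is constructed; hosts, credentials and topics are hypothetical."""
import re
from dataclasses import dataclass

# --- 1. Hardcoded credentials in a compiled app ---------------------------------
# Flutter release builds keep Dart string literals in the native library, so a
# strings-style sweep plus a URL regex is often enough to find a broker endpoint
# with embedded userinfo.  CONSTRUCTED stand-in for a binary:
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"flutter.embedding\x00"
    + b"mqtt://sleepmask:s3cret@broker.example.invalid:1883\x00"
    + b"/v1/device/+/eeg\x00"
    + b"\x00\x01\x02 random bytes \xff\xfe"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")            # runs of >=4 printable ASCII
MQTT_URL = re.compile(
    r"^(mqtts?)://(?:([^:@/]+)(?::([^@/]*))?@)?([^:/]+)(?::(\d+))?")


def extract_strings(blob: bytes) -> list[str]:
    """Equivalent of `strings -n 4`: printable ASCII runs from a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_mqtt_credentials(blob: bytes) -> list[dict]:
    """Return every mqtt:// or mqtts:// URL found in the blob, split into parts."""
    hits = []
    for s in extract_strings(blob):
        m = MQTT_URL.match(s)
        if m:
            scheme, user, password, host, port = m.groups()
            hits.append({"scheme": scheme, "user": user, "password": password,
                         "host": host,
                         "port": int(port) if port else (8883 if scheme == "mqtts" else 1883)})
    return hits


# --- 2. Topic filter matching and a per-user ACL --------------------------------
def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT wildcard rules: '+' matches exactly one level, '#' matches all remaining
    levels and must be the last level; wildcards never match a '$'-prefixed topic
    at the first level.  An invalid filter ('#' not last) matches nothing."""
    f, t = filter_.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


@dataclass
class AclRule:
    access: str    # "read", "write" or "readwrite"
    pattern: str   # topic filter; %u is replaced by the authenticated username


def acl_allows_read(acl: list[AclRule], username: str, topic: str) -> bool:
    if not acl:
        return True                      # no ACL configured: the open-broker case
    if any(c in username for c in "+#/"):
        return False                     # a username must never inject wildcards into %u
    return any("read" in r.access and topic_matches(r.pattern.replace("%u", username), topic)
               for r in acl)


def deliverable(acl: list[AclRule], username: str, subscription: str, topics: list[str]) -> list[str]:
    """Topics a subscriber would actually receive: subscription match AND ACL read."""
    return [t for t in topics
            if topic_matches(subscription, t) and acl_allows_read(acl, username, t)]


OPEN_BROKER: list[AclRule] = []                                   # shared creds, no ACL
PER_DEVICE_ACL = [AclRule("readwrite", "v1/device/%u/#")]         # one user per device
DEVICE_IDS = [f"mask-{i:03d}" for i in range(25)]                 # constructed fleet
EEG_TOPICS = [f"v1/device/{d}/eeg" for d in DEVICE_IDS]

if __name__ == "__main__":
    print(find_mqtt_credentials(SAMPLE_BINARY))
    print(len(deliverable(OPEN_BROKER, "sleepmask", "#", EEG_TOPICS)))             # 25
    print(deliverable(PER_DEVICE_ACL, "mask-007", "v1/device/+/eeg", EEG_TOPICS))  # its own only
```

The first half is the offline equivalent of running `strings` over the app library and grepping for a broker URL; the same pattern finds endpoints in any binary that embeds its configuration. The second half is the structural point of the incident: a single `#` or `v1/device/+/eeg` subscription under one shared credential yields the whole fleet, whereas a per-device credential plus a `%u`-scoped rule reduces the same subscription to the subscriber's own topics. The wildcard check on the username is the caveat to remember when you write such rules yourself, because a username of `+` would otherwise widen the rule back to every device.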