The state of the product's security wasn't unexpected. I was, however, shocked by this part:
> I was willing to overlook:
> The bed costs $2,000
> It won’t function if the internet goes down
> Basic features are behind an additional $19/mo subscription
> The bed’s only controls are via mobile app
Nothing about this bed should depend on off-site servers. Nothing about the product should necessitate a subscription fee.
The market is clearly too stupid to vote against the rent seeking tech industry. It makes me so sad.
In addition to everything else, also love how a bed with the express purpose to increase sleep quality requires you to open your phone every time you want to adjust a setting.
> In addition to everything else, also love how a bed with the express purpose to increase sleep quality requires you to open your phone every time you want to adjust a setting.
Don't worry, they'll repeat over and over how their product was thoughtfully designed with exquisite craftsmanship by the re-animated corpse of Johnny Ive [1] until people believe it's true.
[1] I know he's not dead.
Also...
> ... Essentially all you need to do is unplug the rubber tubing from the Eight Sleep cover, which is available on eBay for a few hundred bucks, and plug it into a $150 aquarium chiller.
> That’s it. Aquarium chillers are somewhat of a misnomer, as they can also provide heat. They use thermoelectric devices to regulate temperature, either cooling or warming the liquid that flows through them, which is the same technology found in eight sleep.
How much do you want to bet the Eight Sleep is literally an off-the-shelf Chinese aquarium chiller in a custom case marked up 15x, with a shittily-programmed computer bolted on to enable a $20/month subscription?
I mean this comment is slightly disconcerting to the next generation of brilliant hackers sleeping on this bed and dreaming big of a cloud-controlled Toilet Paper Dispenser, Effececy®. It will always give the right amount of paper based on the amount and moisture content of the just-delivered product.
I rolled my own solution to this using a Boston Dynamics Spot (2nd gen). With the structured light scanner, YOLO v5 for classification, and a custom IK solver (BD's is too hard for me), I can just lay back like a baby once I'm finished and Spot takes care of everything.
Don’t fall for this. I purchased this product then they pushed a bunch of the basic features behind a paywall. The ‘vibrate on SMS’ is worth it if you do go that route and don’t mind proxying your phone comms through their servers, though.
I agree with this so much. Opening an app is the last thing I want to do to adjust something while I'm in bed. I have a zigbee lightswitch so I can turn the light off from bed, and sure I could open an app to do that, but it's so much better to get a zigbee button and stick it to the wall above my head and program it to control the lightswitch.
Unlike all the cloud garbage, my zigbee devices continue to function even when the internet is down. I have my zigbee hub (Home Assistant Yellow) on a battery backup, so all the zigbee devices with a battery keep functioning even when the power is out (like my automatic cat feeders).
Totally agree.
I got a Philips Hue dimmer switch for next to the bed. One of the best things I got for the home automation.
Just click it and everything in the house goes into night mode. No phone needed.
My roommate had one of these and I found out there was a script online, someone put together on GitHub I think, to control it over a shell. Was hilarious because I kept turning off their light at weird times.
Yikes, does the hub have some kind of unauthenticated http server exposed to the LAN? Yet another reason I run open source software rather than buying the proprietary hubs.
You have to tap the button on the hub and then you have 30 seconds to send a specific package to create a user. So yeah, not super, but also not totally unauthenticated.
I kind of remember just connecting to the MAC of the lightbulb itself by finding it on my router's table and then plugging in the info to his script. You could change colors too by passing little JSON strings. Maybe things are different now as this was in maybe 2018ish.
I’m still fairly upset that ambient devices never really took off. Nanoleaf at least made a remote like this. It’s a dodecahedron with an accelerometer, so you can program each face with a different setting. The simplest being to program opposing faces for two different light levels. You want to take a nap, turn the controller upside down.
There was a cool device I saw once, used for timing your work. You'd program the faces for different tasks (bug fixes, new features, etc.) and whatever you worked on, you'd have that face up, and when you changed tasks, you'd turn it to something else, and it would track how you spent your time.
No, it was dodecahedral or octahedral, I can't remember. I just vaguely recall it looked like a Platonic solid. I don't remember it having a subscription. I think it just communicated with BT to your laptop or something? Might've just been a kickstarter that didn't get funding.
I've seen energy-harvesting remote light switches for sale — they supposedly get enough energy from the physical act of flipping the toggle to send a few radio packets. I haven't used one in the real world though.
I've got a cube that's hooked into my Home Assistant setup that works similarly. Flipping the cube upside down turns my bedside light on or off, rotating it clockwise increases the brightness, and counterclockwise decreases it.
I did something similar using these: https://eu.aqara.com/products/aqara-cube-t1-pro (or rather, an earlier iteration). Just Zigbee, nothing too complex, and then you hook it into something which knows how to interpret the events it sends (or events + current state if you want it to be a little more contextually smart). I generally tried to centralise the smarts, dumb devices and a smart interpreter always worked out more robust than clever devices. It's amazing how many combinations of actions you can indicate just by shaking/tapping/turning/flipping - more than enough to do the things you commonly do with one actuator (a light or set of lights for example).
I like this idea, now I want to make one of those. Even a two- or six-sided one would be useful, and I can print different enclosures and reprogram the feather or ESP if I want to add sides.
I don’t think they sell it anymore, but I forgot it’s actually a HomeKit controller, so you could (try to) use it to control several devices at once. Since only one face is up at a time you would have to gang the behaviors, such as turning off several lights or turning them on.
And not true, at least for the newest version. V4 has touch sensors for adjusting the temps on the side of the mattress.
I do own one of these, and while I hate the price, the subscription, and the fact that it didn't work for an hour last night due to the internet being down (first time ever, really), there really isn't a better option. I love the temp control and would use anyone else if they had a valid competitor, but sadly there isn't one (or at least there wasn't when I bought mine). The alternative is to not have temp control, which is pretty amazing.
I've heard the sleep people get with this is excellent, but no way in hell am I paying a subscription and requiring an internet connection for my bed. The entire concept is just absurd. If it sells, it sells, I guess.
The "smart" features on it are genuinely useful for me - I have sleep apnea, as well as an eight sleep + the electronic platform. It automatically changes the elevation of my head based on apnea events, and I see a marked reduction in them when using this feature.
I have a cpap machine that also makes automatic adjustments but I still get noticeably better sleep quality with the eight sleep. I also really enjoy the temperature control, since it saves on HVAC costs vs. climate controlling the whole house. I've not tried an aquarium chiller for this purpose, though I have used one for doing temperature control on a beer fermenter, and I can extrapolate from there that I value the management of the actual eight sleep device vs. managing an aquarium chiller's temp control.
> The "smart" features on it are genuinely useful for me...
All of those features could be provided by local compute, either nestled somewhere in the soft and fluffy gross profit margin of a $2,000 product, or with Bluetooth to a "thick" application running on a phone.
The reason this product, and so many other "IoT" products, put their compute across the Internet is to facilitate a business model. The industry has the technology to put as much compute, storage, and reliability on-site with a high-margin, high-cost product like this.
Even if it were a nightstand device rather than a phone. The immediate loss of functionality when loss of signal to the mothership is an egregious design flaw. There's no reason the thing can't have a bit of storage so it can then upload the logged data when the signal returns.
Of course, they'll probably claim AI running in the cloud is making the decisions which makes the local first controller not possible.
It would be nice if we could provide medical assistance to people who need it without jamming these devices full of adware garbage and forcing people to connect to the internet to use their own possessions.
I've also heard about people finding new foam mattresses too hot :(
Like me. Will buy a spring mattress next time.
Edit: thank you for your recommendation, but I'm in Italy; European and American mattresses are quite different.
Before discovering this, I once wrote to the customer support of the Flamingo hotel, Las Vegas, because I loved their mattress: Hi, I do think that what I'm gonna write is weird, but anyway haha.
In July 2019 I visited the fabulous Las Vegas. Neither the nightlife nor the opulence of Sin City could, however, reach the pinnacle of human civilization, the mattress on which I slept at the Flamingo. I now have to change my own mattress at home, and I'm looking for the model on which I slept. The website only says "Simmons Beautyrest", although Beautyrest is just a brand name used by Simmons and doesn't mean a specific model. Could you help me in this modern-day Divine Comedy, be my Virgil and help me find the mattress name?
Regards
Name
I got an answer: Thank you for contacting Caesars Entertainment. I was delighted to hear that you enjoyed our mattress on your visit! Currently, we are using the Simmons Hospitality Beautyrest Felicity Pillow Top. They can be purchased at https://caesarsguestpurchase.com/shop or 1-866-926-8233. Please feel free to write back if you have any further questions.
Thank you for choosing Caesars for your gaming entertainment!
While going with a non-foam mattress will be colder than a foam mattress, if you were interested in a colder foam then I'd like to recommend latex mattresses. They're more expensive than memory foam and they feel different but I no longer overheat at night. Also I sleep better knowing my bed has proper kerning.
Because the Talalay and Dunlop processes involve vulcanization at 115+ C to turn the material into a foamed rubber, which denatures the proteins that the immune system recognizes and overreacts to. Denatured protein - think egg white once it's heated and turns white, instead of clear - has its structure radically altered. The molecules get pulled apart, tangled with others, and can in no way be recognized by the antibodies that trigger the immune response.
Similarly, Talalay latex mattress material is usually only about 30% natural and 70% synthetic, and the synthetic does not cause immune response.
If you powder the natural material and directly expose it to IgE, the dominant protein of interest for allergies, you can get a reaction (https://pubmed.ncbi.nlm.nih.gov/10436396/), but in practice with sheets and the outer cloth covering on the mattress basically no proteins ever come into contact with the body. And even in that study only Hev B I was detectable, which is only one of many latex proteins that trigger the immune response, and only 3 of the 21 tested human sera actually had a reaction to the direct mixing with the powdered latex. As far as I understand it, there has never been a confirmed case of an allergic reaction to a latex mattress.
Have you tried a more firm foam mattress? I had similar sentiments about foam mattresses but they were all the type where you just feel like you're sinking into the foam.
I did, but in the showrooms, in the short time I tried them (and with jeans and clothes and so on), I didn't notice that it was warmer than other firmer mattresses.
I wonder if there'd be a cottage industry for new control boards which de-shittify IOT devices but keep their functionality. Like buy the bed, and then buy a little pre-programmed ESP32 logic board to replace the factory board.
ESPHome fills much of this niche for me. It's a framework for turning YAML device definitions into custom microcontroller firmware, with myriad supporting tools. The official device database at https://devices.esphome.io lists 554 devices but that's nowhere near the end of it.
Most manufacturers bolt on IOT functions by dropping an off-the-shelf module onto their device-specific board. It's sometimes possible to replace the factory firmware with ESPHome, sometimes even using over-the-air updates. For example, AirGradient air quality sensors: https://github.com/MallocArray/airgradient_esphome
Even when it isn't possible to commandeer the factory IOT module, the fact that it _is_ a module is still useful, because it's almost always possible to inhibit or remove the factory module and connect your own instead. The factory IOT module controls and senses the device, so your replacement module can too, using the same pins. For example, an IOT air filter: https://github.com/mill1000/esphome-winix-c545#final-assembl...
Some devices are designed around multidrop communication busses. These are usually even easier, since the ability to join the bus is an intended design feature, even if the device you're using is not intended. For example, many Samsung residential HVAC systems: https://github.com/omerfaruk-aran/esphome_samsung_hvac_bus/d...
As an EE, there's a healthy amount of this in some industries with very high costs, equipment use beyond manufacturer obsolescence, and in hobby circles with technical enthusiasts. But not generic devices for the general population.
At my day job, we've replaced and re-engineered controllers in industrial laser cutters, CNCs, welders, robots, and similar equipment. There are replacement control boards for hobbyist stuff like pinball machines, motorcycles, retro computers, and retro game consoles.
But as evidenced by the fact that people are buying shitty cloud-only IoT devices, neither the interest nor the capacity to do this is common.
Likewise, I've looked into this after being asked to build retrofit electronics for both expensive machine tools and consumer goods (I had a client who was adding bill acceptors to massage chairs and other items). I was never able to find a niche with a consistent need. They do exist but are hard to find.
That's good to know but if it's a custom board and it gets fried by soapy water getting in or a decade of humidity, it would still be good if the pinout was something that a new device could be programmed and dropped into to replace.
I think this would need to be enabled by regulation that forced the original manufacturers to make their products open. Hopefully we'll get that eventually.
I feel like websites like https://www.tindie.com could definitely fill that gap. It's like an Etsy + Hackaday where people sell different levels of hardware etc.
Probably could never make that kind of thing work at scale, but maybe as something within the maker community, perhaps adjacent to the world of 3d printing, Arduino, and RPi.
There'd probably be a few liability concerns at scale. Like if you made a replacement board for a Keurig to allow aftermarket k-cups, it'd likely be a matter of time before Keurig sued you, or someone burnt their house down.
>The market is clearly too stupid to vote against the rent seeking tech industry. It makes me so sad.
It is a $2000 internet-connected bed. The market in this case is probably people who could wipe their ass with that $20 every day and not miss it. I don't think they are stupid. This class of Americans has always been about paying for ongoing service instead of being pragmatic or doing things themselves. "Let the help over in Bangladesh fiddle with the connectivity and updating the mobile app for me, while I merely rest my head and make plenty of money," they probably figure, at least subconsciously.
One might argue that the market itself becomes "stupid" (stops accurately indicating value) when people have so much money that they stop caring about how they spend it.
I don't think you're wrong, but I know people who grew up poor and blow money on stupid shit -- or at least unnecessary purchases (eg, upgrading to every single new iPhone).
OTOH, I grew up upper-middle class, my dad being quite frugal and a big DIYer. Similarly, I make good money and am also very frugal. I have no reason to flaunt money around my peers.
I don't think the people buying the bed are stupid.
The collective mass of people who buy these "IoT" devices that (1) don't actually need to use Internet-hosted services to function, (2) don't actually need a subscription for their business model to work _except_ for having been unnecessarily tied to an Internet-hosted service, and (3) will fail to function when the Internet-hosted service is gone do not understand the ramifications of the buying decisions they're making.
They're enabling these awful companies and business models. They're making the world worse by buying this soon-to-be e-waste garbage.
Stupid is a bad word. Let's say ignorant, instead. They don't even know what they don't even know. Our asinine industry normalizes these practices because profit.
I think computers have tremendous power to make life better for humanity. I think that can happen without being contingent on this kind of business model.
The bed is an egregious example. There are certainly other lower-priced products that still have this kind of stupid unnecessary "tie" to Internet-hosted services and subscriptions.
Software is devil-is-in-the-details to the extreme, and maximally opaque even to programmer-capable consumers, much less general consumers.
And all tech companies are now founded with zero regard for good behavior. I mean, they don't even do minimal amounts of customer service, which is the bare minimum of having regard for your customers.
In general, the IoT industry has suffered and adopters get burned over and over and over so the market is what it deserves in the long run. But that doesn't mean that snooping and monitoring doesn't increase insidiously year after year.
This is a serious problem with future technology. What person would do cybernetics or similar life saving products from companies like this? Perhaps the rigor that Medtronic and similar device companies are subjected to would apply, but I'm not sure those regulations cover information security and privacy.
We are clearly in an age of increasing authoritarianism. China has become far more authoritarian under Xi, right wing fascists are on the rise in Europe, and extreme partisanism just leads to round robin authoritarianism on the path we're on, assuming the next election happens. Russia is trying to expand its reach, and disrupt democratic institutions worldwide.
Undermined privacy and data collection are the tools for total information awareness by authoritarian states, only made far far far far far far far worse by the rise of functional AI.
The future of humanity is bleak. The filter approaches.
> Perhaps the rigor that Medtronic and similar device companies are subjected to would apply, but I'm not sure those regulations cover information security and privacy.
As someone on an insulin pump they do. Iirc they have reps showing up at hacker conferences looking for red teams.
Definitely agree with your worries generally though.
I think one would also assume that some fraction of that $2000 would go into a fund to keep those servers up.
One thing SaaS has not learned from nonprofits with longevity: you do big fund raisers to get money so you can live on the interest payments. If you think of a new project that will increase your burn rate, you throw another fund raiser.
Figure out how many of those beds you expect to be junked for breakage or obsolescence each year and set your margins to keep the long tail running for 10-15 years.
> One thing SaaS has not learned from nonprofits with longevity...
I think SaaS has eschewed strategies for longevity because it's contrary to the market's "wisdom" that for-profit companies must have sustained high-rate growth.
> Basic features are behind an additional $19/mo subscription
One can just question how we want to live our lives in the future. Behind each and every step a subscription? And all of them seem to be priced 10-20/month, no matter how much value they provide.
I know someone who signed an agreement about delivering an app and then providing fixes for free. He escaped the country. The market is not stupid; the market learned nothing is free.
> Nothing about this bed should depend on off-site servers. Nothing about the product should necessitate a subscription fee.
I'll play the Devil's Advocate here. If this product isn't controlled by a remote server, it either needs to be controlled by a local bit of hardware (i.e. with its own screen and hardware input devices) or by your phone. Considering the upper-class target market (high-priced luxury product), the "local bit of hardware" option is a bad call. If it's controlled by your phone, then it would presumably happen over Bluetooth, which is both (a) unreliable and (b) would disconnect if you don't have your phone in your bedroom, which if you're willing to spend $2k on a cover for better sleep, you've probably already tried.
The industry went in the direction of direct-to-Internet connections for home devices because, quite frankly, it's the lowest-friction approach for most home users. Everything else is a distraction from a great product experience for 99% of the market.
With all that said... bundling in hard-coded AWS IAM keys (for Kinesis Data Streams) and hard-coded SSH public keys is just bad engineering. You can't revoke an abusive customer without revoking everyone, and you can't fire any employees without updating every customer end device. Eight Sleep needed to set up IAM Roles Anywhere with a private CA, where a user's initial setup gets the private CA to issue a cert for the base unit in the user's name, which is then used to get temporary credentials through AWS STS to write to Kinesis. Similar story with SSH: if it's actually genuinely needed for some reason, set up a private CA, in both cases with certificate revocation lists. They're unlikely to sell enough beds (remember: luxury product) or fire enough employees for CRLs not to scale well on this solution.
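The per-device certificate scheme proposed in the comment above, as an added example that is not part of the thread and not Eight Sleep's code. It uses only Go's standard crypto/x509: a private fleet CA issues one client-auth certificate per base unit, a CRL revokes exactly one unit, and the relying-party check chains the leaf to the CA, verifies the CRL signature and rejects the revoked serial. The CA name, the "pod-0001" device IDs and the one-year leaf lifetime are assumptions for illustration. The real deployment step this example stops short of is registering the CA certificate as an IAM Roles Anywhere trust anchor and letting the unit exchange its certificate for short-lived STS credentials scoped to a single Kinesis stream, which needs AWS and cannot run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fleet is a hypothetical private CA for a fleet of bed base units
// (assumption: one root CA per fleet, one leaf cert per unit, the unit's
// ID in the CommonName so the cloud side can tell devices apart).
type Fleet struct {
	CACert     *x509.Certificate
	caKey      *ecdsa.PrivateKey
	nextSerial int64
	revoked    []pkix.RevokedCertificate
}

// NewFleet creates a self-signed root CA allowed to sign certs and CRLs.
func NewFleet() (*Fleet, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Fleet Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Fleet{CACert: cert, caKey: key, nextSerial: 2}, nil
}

// EnrollDevice issues a client-auth certificate for one base unit. The
// device's private key is generated here only for the demo; in practice it
// is generated on the unit and never leaves it.
func (f *Fleet) EnrollDevice(deviceID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(f.nextSerial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	f.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, f.CACert, &key.PublicKey, f.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Revoke marks one unit's certificate as revoked; every other unit keeps working.
func (f *Fleet) Revoke(cert *x509.Certificate) {
	f.revoked = append(f.revoked, pkix.RevokedCertificate{
		SerialNumber:   cert.SerialNumber,
		RevocationTime: time.Now(),
	})
}

// CRL signs the current revocation list with the CA key (DER encoded).
func (f *Fleet) CRL() ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(time.Now().Unix()),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: f.revoked,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, f.CACert, f.caKey)
}

// Authorize is the relying-party check: chain the leaf to the CA, require
// the client-auth EKU, verify the CRL was signed by the CA, and refuse any
// revoked serial. On success it returns the device ID that may be mapped to
// a role and exchanged for short-lived credentials.
func Authorize(ca *x509.Certificate, crlDER []byte, leaf *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("crl signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", errors.New("certificate revoked")
		}
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	fleet, _ := NewFleet()
	podA, _, _ := fleet.EnrollDevice("pod-0001")
	podB, _, _ := fleet.EnrollDevice("pod-0002")
	fleet.Revoke(podB) // one abusive customer; nobody else loses access
	crl, _ := fleet.CRL()
	for _, c := range []*x509.Certificate{podA, podB} {
		id, err := Authorize(fleet.CACert, crl, c)
		fmt.Println(c.Subject.CommonName, "->", id, err)
	}
}
```

The contrast with a shared hard-coded IAM key is the `Revoke` step: one serial goes on the CRL and only that unit is cut off, with no firmware push to the rest of the fleet. For the SSH half of the comment, OpenSSH's own certificate authority gives the same property with `ssh-keygen -s` to sign per-person or per-host keys and a key revocation list referenced from the `RevokedKeys` option in `sshd_config`, so an employee's access is removed by updating one KRL rather than every device's authorized_keys.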
It's not that the market is stupid, it's that consumers are flawed. We are all just meat sacks at the end of the day. Our time is limited. We can't investigate everything thoroughly.
I mean, if I wanted to check how many calories are in a food item and the FDA didn't make companies tell me, that's going to be at least 1000 hours of work. For one food item. One time. If I had to do that for everything I'd just starve.
Software is, arguably, more complex than modern ultra-processed food. We can't audit these things. Even when we do audit, we only scratch the surface. There's billions of lines of code behind "hello world".
I mean, even at the start 13 - 15 people were killed in leaded gas's infancy all because the oil companies couldn't make as much money from ethanol as from TEL. That's insane.
A rational society would have shut those companies down and thrown the executives into prison.
> The market is clearly too stupid to vote against the rent seeking tech industry. It makes me so sad.
A lot of this bullshit only happens long after the sale has been made and consumers are blindsided when things advertised as free are suddenly paywalled off behind a subscription following a ToS update.
"The market" is never going to solve this. What we need are consumer protections in the form of laws and regulations with real teeth and consistent enforcement.
I used to work for match.com and we had a readout in the office that streamed customer feedback. 90% of it was people who had paid subscriptions complaining about intrusive advertising on the site or in the app while logged in.
I raised this at a meeting and was told that they weren‘t going to change it because it made too much money.
I’m sure engineers raised issues about this as well and were shut down by the business people who are more than happy to risk customer satisfaction and security if it means more revenue.
Finding another job and marking them as unethical on glassdoor would be more like taking a stand. Raising awareness of management is just the polite first step.
At the very least, many products have unpopular features that are easier than one might expect to disable. And that’s quite often down to a developer who disagrees creating or leaving a covert channel lying around to circumvent the feature. Their boss didn’t tell them to put it in, and they didn’t tell anyone about it so that it was insubordination if they didn’t agree to take it out. Just a little something we accidentally left in for debugging or PoC purposes. Whupsie!
My partner has difficulty sleeping unless it is the perfect environment (blackout curtains, noise cancellation, sound bath, temperature), and is more prone to the effects of a single bad night's sleep. For people like her, $20/mo + a $2000 fee is a small price to pay for a solution to a very difficult problem.
I would of course, attempt to veto unnecessary IoT devices and subscriptions for usage, but this would be a fight I would likely not win.
They're not complaining about the price. They're complaining about the high price for a bed where those high priced features stop working if your internet goes down, or there is a server outage, or you stop paying a monthly fee, or the original company goes bankrupt.
How in the world does this necessitate a subscription? All of these things can work without centralization, setup once, and contained entirely within the home.
> How in the world does this necessitate a subscription?
I can only speculate.
But, there is demand to improve sleep quality. The provider wants to charge a monthly fee for that.
The market simply puts buyers and sellers together. People making business decisions will stick with Econ 101--charge what the market will bear, and why shouldn't they?
I think there is some naming convention gap here. I would call it Sleep Equipment, as we have exercise equipment. Then folks will find pricing more reasonable. There is further opportunity to differentiate the market with Sleep, Sleep Pro and Sleep Enterprise products.
The Pro and Enterprise versions would allow local server setup for critical sleep equipment functioning and could manage all beds in a household or hotel etc. It could update the version of the software or data models when it's online and new features are available on the cloud server.
I surmise that $300/month for the Pro version could be a really attractive proposition. Of course local server setup and maintenance can be charged separately.
How easy is it to know what works when the network is down before purchasing? Do you expect everyone to take down their wifi after purchase to test and return if it doesn't work?
Maybe there should be a mandatory information sheet such as listing all functionality that stops working without a network connection.
Consumer protection regulation with mandatory labeling would be a good answer but, at least in the US, we're not going to have anything like that anytime soon (if ever).
I don't have the enthusiasm to start a competing company. It sounds like the barrier to entry to the market is fairly low, the tech isn't unproven, and there appears to be a ton of margin.
I have a mortgage so I will follow all lawful orders. I'll blow the whistle if illegal activities are forced upon me, but if there's an ethical issue bothering you, I'd suggest you write to your MP or if you believe they are incompetent or hostile, to run against them in the next election and change the law yourself.