Engineer hacks his Sleep Number bed, reveals potential backdoor and security vulnerability

Modern Sleep Number beds are marvels, tracking your sleep, breathing, and heart rate and even maintaining the mattress temperature to your liking. One computer engineer has also figured out how to root the bed’s control hub to allow local control. Along the way, he also made a discovery that may trouble you: a backdoor-like connection that allows Sleep Number to remotely connect to your bed’s hub at will without your knowledge.

Dillan Mills discovered all this after Sleep Number asked him to turn off a Homebridge plugin he’d developed to deactivate some of the bed’s features and run smart home automation if its sensors detected nobody was laying on the mattress. Since the plugin had grown in popularity and polled Sleep Bed’s servers every five seconds, it significantly strained the company’s public servers.

So, Mills set out to find a way to access the bed locally and bypass Sleep Number’s servers altogether. Poking around inside the controller hub for his Sleep Number bed with a UART-TTY device , he eventually struck gold and was able to access the hub’s device console. Looking for a “backdoor” that would give local access to the hub without hooking up a UART reader, he found something else instead.

Sleep Number has a backdoor into the controller hub, allowing it to SSH into the hub. While Mills acknowledges that this is likely for maintenance purposes, the fact that it’s undocumented and secret is disconcerting. After all, it presents a point of entry to your home network that you have no control over and may not even know about. On top of that, the controller hub runs a version of Linux that dates back to 2018.

There is good news, though. Mills was able to root the device and wrote a tutorial to enable local network control over the bed. This way, you can disconnect the bed from your Wi-Fi network and use Bluetooth to control the settings and monitor the bed’s sensors and status.

The process does require some technical knowledge and some hardware. The tutorial is well-written, though, and the hardware you need is fairly inexpensive. You can choose to connect a USB-to-UART reader when you need to access the device console or permanently install a Raspberry Pi Pico W to enable SSH access without opening the hub and connecting the reader.

Once you’ve rooted your bed’s hub, Mills’s tutorial walks you through creating a local network control and monitoring server. This is useful not only for taking control of your bed without connecting to Sleep Number’s server. It could also be the key to keeping your bed “smart” if Sleep Number folds or shuts down the servers, usually making the bed more than a “dumb” mattress.