
Much to no software engineer's surprise, Hatzistamou found hardcoded access credentials in the app binary, apparently shared across all copies of the app (doh!), as well as the expected API endpoints for sending and receiving data remotely. Eventually, he and Claude mapped out the mask's 15 commands and functions and had the communication protocol reasonably well reverse-engineered.
It was then time to make a small web app to control the mask. That worked fine, and Hatzistamou could get his mask's information and control its functions without using the buggy Android application. Alas, that was not the end of the story. During the reverse-engineering, he had Claude poke at the remote data endpoints. When connecting to the MQTT services with the aforementioned hardcoded credentials, he did indeed get his sensor readings… along with everyone else's.
Hatzistamou estimated that among the received data, about 25 masks were in use right there and then, and he even captured the real-time EEG readings from two hapless people somewhere on the planet. Since the mask has electrical muscle stimulation (EMS) and the access credentials are the same for every device, he could theoretically tell other masks to trigger electrical impulses.
The engineer sent his findings to the company; he actually sounds happy with the product, data issues notwithstanding. As a developer myself, I don't see any malicious intent from the makers in this situation; it serves as yet another unsurprising illustration of how low the bar has become for software development in this day and age.
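As an added illustration (not the article's or the mask vendor's code), here is a toy broker-side authorization model in Python that contrasts the reported design, one app-wide credential whose ACL spans every mask, with per-device credentials confined to their own topic namespace; the topic layout `masks/<id>/...`, the usernames and the command topic are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' the whole remainder."""
    p_parts, t_parts = pattern.split("/"), topic.split("/")
    for i, part in enumerate(p_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(p_parts) == len(t_parts)

@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    device_id: str | None  # None models one app-wide credential baked into the binary

class Broker:
    """Toy broker: authenticate, then confine each login to its ACL filters."""
    def __init__(self, creds: list[Credential]) -> None:
        self._creds = {c.username: c for c in creds}
        self._subs: list[tuple[str, str]] = []  # (username, accepted filter)

    def login(self, username: str, password: str) -> Credential | None:
        cred = self._creds.get(username)
        return cred if cred and cred.password == password else None

    def acl(self, cred: Credential) -> list[str]:
        # Shared credential: whole fleet (the reported flaw); per-device: own namespace only.
        return ["masks/#"] if cred.device_id is None else [f"masks/{cred.device_id}/#"]

    def _permitted(self, cred: Credential, topic_or_filter: str) -> bool:
        # Matching a subscription filter as if it were a topic rejects 'masks/#' and
        # 'masks/+/eeg' under a device-scoped ACL while accepting 'masks/<own id>/#'.
        return any(topic_matches(a, topic_or_filter) for a in self.acl(cred))

    def subscribe(self, cred: Credential, topic_filter: str) -> bool:
        if not self._permitted(cred, topic_filter):
            return False
        self._subs.append((cred.username, topic_filter))
        return True

    def publish(self, cred: Credential, topic: str) -> list[str] | None:
        """None if the publisher may not write this topic, else recipient usernames."""
        if not self._permitted(cred, topic):
            return None
        return [u for u, f in self._subs if topic_matches(f, topic)]
```

With the shared credential the broker happily accepts a fleet-wide `masks/#` subscription and a publish to any mask's command topic; with device-scoped credentials both are refused at the broker, which is where the fix belongs rather than in the app.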