Engineer finds his smart sleep mask can read other people's brainwaves due to poor software security — superpower granted via poor-quality software with hardcoded high-level credentials

Source: Tom’s Hardware

Story

The idiom “getting more than you bargained for” is usually applied in the context of unwanted, nasty consequences. Occasionally, it’s used in the literal sense, like when AI engineer Aimilios Hatzistamou found his newly‑bought sleep mask unwittingly granted him access to other users’ EEG data and controls.

Hatzistamou bought the mask as a completed Kickstarter product from a small Chinese research company (he refrains from naming it, but it appears to be the SLEEPU DreamPilot).

Image credit: Aimilios Hatzistamou

He estimated that about 25 masks were in use at the time of testing and captured real‑time EEG readings from two unrelated users. Because the mask includes electrical muscle stimulation (EMS) and uses the same hard‑coded access credentials for every device, it could theoretically be commanded to trigger electrical impulses on other masks.

The engineer reported his findings to the company. While he remains pleased with the hardware itself, the incident highlights how software security is often an afterthought in consumer products.