alt.hn

2/14/2026 at 3:35:47 PM

My smart sleep mask broadcasts users' brainwaves to an open MQTT broker

 https://aimilios.bearblog.dev/reverse-engineering-sleep-mask/

by minimalthinker

2/14/2026 at 4:45:10 PM

Kickstarter is full of projects like this where every possible shortcut is taken to get to market. I’ve had some good success with a few Kickstarter projects but I’ve been very selective about which projects I support. More often than not I can identify when a team is in over their heads or think they’re just going to figure out the details later, after the money arrives.

For a period of time it was popular for the industrial designers I knew to try to launch their own Kickstarters. Their belief was that engineering was a commodity that they could hire out to the lowest bidder after they got the money. The product design and marketing (their specialty) was the real value. All of their projects either failed or cost them more money than they brought in because engineering was harder than they thought.

I think we’re in for another round of this now that LLMs give the impression that the software and firmware parts are basically free. All of those project ideas people had previously that were shelved because software is hard are getting another look from people who think they’re just going to prompt Claude until the product looks like it works.

by Aurornis

2/14/2026 at 5:00:29 PM

At this point, I trust LLMs to come up with something more secure than the cheapest engineering firm for hire.

by lr4444lr

2/14/2026 at 5:14:25 PM

The cheapest engineering firms you hire are also using LLMs.

The operator is still a factor.

by Aurornis

2/14/2026 at 5:43:42 PM

Yeah, but they’ll add another layer of complexity over doing it yourself

by jama211

2/14/2026 at 6:01:48 PM

The people doing these kickstarters are outsourcing the work because they can’t do it themselves. If they use an LLM, they don’t know what to look for or even ask for, which is how they get these problems where the production backend uses shared credentials and has no access control.

The LLM got it to “working” state, but the people operating it didn’t understand what it was doing. They just prompt until it looks like it works and then ship it.

by Aurornis

2/14/2026 at 6:33:48 PM

You're still not following.

The parents are saying they'd rather vibe code themselves than trust an unproven engineering firm that does(n't) vibe code.

by caminante

2/14/2026 at 9:26:11 PM

> they'd rather vibe code themselves than trust an unproven engineering firm

You could cut the statement short here, and it would still be a reasonable position to take these days.

LLMs are still complex, sharp tools - despite their simple appearance and proteststions of both biggest fans and haters alike, the dominating factor for effectiveness of an LLM tool on a problem is still whether or not you're holding it wrong.

by TeMPOraL

2/14/2026 at 7:45:59 PM

LLMs definitely write more robust code than most. They don't take shortcuts or resort to ugly hacks. They have no problem writing tedious guards against edge cases that humans brush off. They also keep comments up to date and obsess over tests.

by Kiro

2/14/2026 at 9:34:55 PM

I had 5.3-Codex take two tries to satisfy a linter on Typescript type definitions.

It gave up, removed the code it had written directly accessing the correct property, and replaced it with a new function that did a BFS to walk through every single field in the API response object while applying a regex "looksLikeHttpsUrl" and hoping the first valid URL that had https:// would be the correct key to use.

On the contrary, the shift from pretraining driving most gains to RL driving most gains is pressuring these models resort to new hacks and shortcuts that are increasingly novel and disturbing!

by BoorishBears

2/14/2026 at 7:54:48 PM

Interesting and completely wrong statement, what gave you this impression?

by devmor

2/14/2026 at 8:16:00 PM

The discourse around LLMs has created this notion that humans are not lazy and write perfect code. They get compared to an ideal programmer instead of real devs.

by Kiro

2/14/2026 at 9:46:30 PM

This. The hacks, shortcuts and bugs I saw in our product code after i got hired, were stuff every LLM would tell you not to do.

by joe_mamba

2/14/2026 at 9:11:12 PM

Amen. On top of that, especially now, with good prompting you can get closer to that better than you think.

by gxs

2/14/2026 at 8:43:56 PM

LLM's at best asymptotically approach a human doing the same task. They are trained on the best and the worst. Nothing they output deserves faith other than what can be proven beyond a shadow of a doubt with your own eyes and tooling. I'll say the same thing to anyone vibe coding that I'd say to programmatically illiterate. Trust this only insofar as you can prove it works, and you can stay ahead of the machine. Dabble if you want, but to use something safely enough to rely on, you need to be 10% smarter than it is.

by salawat

2/14/2026 at 8:20:32 PM

I know right. I kept waiting for a sarcasm tag at the end

by dylanowen

2/14/2026 at 8:23:55 PM

right and wrong don't exist when evaluating subjective quantifiers

by majorchord

2/14/2026 at 5:13:17 PM

And the cheapest engineering firm won't use LLMs as well, wherever possible?

by lukan

2/14/2026 at 7:34:18 PM

The cheapest engineering firm will turn out to be headed up by an openclaw instance.

by fc417fc802

2/14/2026 at 5:18:02 PM

fun fact, LLMs come in cheapest and useless and expensive but actually does what's being asked, too.

So, will they? Probably. Can you trust the kind of LLM that you would use to do a better job than the cheapest firm? Absolutely.

by TheRealPomax

2/14/2026 at 5:02:51 PM

this.

by minimalthinker

2/14/2026 at 10:23:28 PM

I'm the founder of neurotech/sleeptech company https://affectablesleep.com, and this post shows the major issue with current wellness device regulation.

I believe there was some good that came from last months decision to be more open to what apps and data can say without going through huge regulatory processes (though because we apply auditory stimulation, this doesn't apply to us), however, there should be at least regulatory requirements for data security.

We've developed all of our algorithms and processing to happen on device, which is required anyway due to the latency which would result from bluetooth connections, but even the data sent to the server is all encrypted. I'd think that would be the basics. How do you trust a company with monitoring, and apparently providing stimulation, if they don't take these simple steps?

by pedalpete

2/14/2026 at 4:52:27 PM

How about complaining that brain waves get sent to a server? I'm a neuroscientist, so I'm not going to say that the EEG data is mind reading or anything, but as a precedent, non privacy of brain data is very bad.

by SubiculumCode

2/14/2026 at 6:41:21 PM

Non-privacy of this person is currently sleeping data is very bad as well, for different reasons.

You know, now that I'm thinking about it, I'm beginning to wonder if poor data privacy could have some negative effects.

by willturman

2/14/2026 at 7:36:23 PM

Unsecured fitness monitor data revealed military guard post (IIRC) activity a while back.

by fc417fc802

2/14/2026 at 10:17:52 PM

not because you knew how much someone worked out. But because it had GPS.

by iririririr

2/14/2026 at 6:27:08 PM

People will be lining up to have their brainwaves harvested because it'll be mildly easier to send emails or something similarly inane.

by b00ty4breakfast

2/14/2026 at 7:46:00 PM

Corporations will be lining up to require their employees have their brainwaves harvested, so they can fire employees who aren't alert enough.

by RobotToaster

2/14/2026 at 10:42:34 PM

"Broker" is right there in the title of the post.

Baby's gotta get some cash somewhere.

by zephen

2/14/2026 at 6:14:15 PM

You could read the alertness level from an EEG, which could be helpful to a burglar. The device with slow-wave status seems ideal.

by delichon

2/14/2026 at 5:02:58 PM

How useful could something like this be for research? I'm not a neuroscientist so I have no clue, but it seems like the only justification I can think of..

by amarant

2/14/2026 at 7:25:13 PM

The general idea of an EEG system that posts data to a network?

Very, but there are already tons of them at lots of different price, quality, openness levels. A lot of manufacturers have their own protocols; there are also quasi/standards like Lab Streaming Layer for connecting to a hodgepodge of devices.

This particular data?

Probably not so useful. While it’s easy to get something out of an EEG set, it takes some work to get good quality data that’s not riddled with noise (mains hum, muscle artifacts, blinks, etc). Plus, brain waves on their own aren’t particularly interesting—-it’s seeing how they change in response to some external or internal event that tells us about the brain.

by mattkrause

2/14/2026 at 5:40:13 PM

Not a neuroscientist either but I would imagine that raw data without personal information would not be useful for much. I can imagine that it would be quite valuable if accompanied with personal data plus user reports about how they slept each night, what they dreamed about if anything, whether it was positive dreams or nightmares etc. And I think quite a few people wouldn’t mind sharing all of that in the name of science, but in this case they don’t seem to have even tried to ask.

by brabel

2/14/2026 at 8:07:01 PM

What if you gonna think about your social security number 30000 times in your dreams, and someone knows the pattern? See the danger? That's evil.

by iberator

2/14/2026 at 5:37:44 PM

If they're taking patient data for research without permission, they are not ethical researchers.

by AnimalMuppet

2/14/2026 at 7:24:46 PM

Is it really “without permission” if it’s from a server for which the access credentials have been deliberately published to the entire internet?

by sneak

2/14/2026 at 9:36:52 PM

If it's without the patient's permission, then yes, it is without the only permission that matters for medical ethics.

by AnimalMuppet

2/14/2026 at 5:39:04 PM

I believe they use it for sleep tracking

by minimalthinker

2/14/2026 at 5:18:11 PM

I would presume data privacy laws already have good precedent for health data?

by minimalthinker

2/14/2026 at 5:42:33 PM

> I would presume data privacy laws already have good precedent for health data?

Google for a list of all the exceptions to HIPPA. There are a lot of things that _seem_ like they should be covered by HIPPA but are not...

by baby_souffle

2/14/2026 at 5:44:14 PM

Interesting...

by minimalthinker

2/14/2026 at 5:44:57 PM

Only for "covered entities" under HIPAA (at least in the US)

by freedomben

2/14/2026 at 7:22:45 PM

Millions of people voluntarily use Gmail which gives a lot more useful data than EEG output to DHS et al without a warrant under FAA702. What makes you think people who “have nothing to hide” would care about publishing their EEG data?

by sneak

2/14/2026 at 6:29:44 PM

Ok, obviously unethical to do it, but this sounds like you've got the power to create some sci-fi shared dreaming device, where you can read people's brainwaves and send signals to other people's masks based on those signals. Or send signals to everyone at the same time and suddenly people all across the world experience some change in their dream simultaneously.

Like, don't actually do it, but I feel like there's inspiration for a sci-fi novel or short story there.

by simonbw

2/14/2026 at 8:54:29 PM

That’s the plot of Paprika.

by pjerem

2/14/2026 at 9:08:51 PM

Dreamscape, 1984

by StanislavPetrov

2/14/2026 at 6:56:47 PM

Inception

by billylo

2/14/2026 at 9:24:55 PM

[dead]

by darba

2/14/2026 at 4:59:28 PM

Remember that the S in IoT stands for Security.

I have deployed open MQTT to the world for quick prototypes on non personal (and healthcare) data. Once my cloud provider told me to stop because they didn’t like it, that could be used for relay DDOS attacks.

I would not trust the sleep mask company even if they somehow manage to have some authentication and authorisation on their MQTT.

by speedgoose

2/14/2026 at 10:45:46 PM

And the P in IoT stands Privacy, and the Q for quality.

The K, of course, stands for Ka-ching!

by zephen

2/14/2026 at 6:05:51 PM

I don't think there is an S in IoT?..

by n4bz0r

2/14/2026 at 6:11:34 PM

Right - the saying indicates that IoT stuff is well known for ignoring security.

by BenjiWiebe

2/14/2026 at 6:15:51 PM

Went right over my head :)

by n4bz0r

2/14/2026 at 6:58:17 PM

Where I work, the saying is, "The H in ABC stands for Happiness."

(Also, "We're not happy until you're not happy.")

by rationalist

2/14/2026 at 7:35:49 PM

Thank you for your astute observation. :)

by roysting

2/14/2026 at 6:13:17 PM

Exactly

by absoluteunit1

2/14/2026 at 4:25:22 PM

I would love to see the prompt history. Always curious how much human intervention/guidance is necessary for this type of work because when I read the article I come away thinking I prompt Claude and it comes out with all these results. For example, "So Claude went after the app instead. Grabbed the Android APK, decompiled it with jadx." All by itself or the author had to suggest and fiddle with bits?

by dnw

2/14/2026 at 4:30:03 PM

Very little intervention tbh. I will try to retrieve it and post.

by minimalthinker

2/14/2026 at 10:32:00 PM

That's great to hear. I'd be interested to see the session. Yes, Claude Code keeps sessions in ~/.claude/projects/ by default. Thank you!

by dnw

2/14/2026 at 5:41:01 PM

By default, Claude code keeps session history (as jsonl files in ~/.claude).

It’s wasteful not to save and learn from those.

by selkin

2/14/2026 at 4:43:56 PM

Really is a derth of livestreams demostrating these things. Youd think if thetes so much Unaided AI work people would stream it.

by cyanydeez

2/14/2026 at 7:21:29 PM

The shared hardcoded credentials pattern isn't just an IoT problem. I work in AWS security and see the same thing constantly. Teams hardcode a single set of AWS access keys into their application, share them across every environment, and hope nobody runs strings on the binary. Same logic, same laziness, same outcome.

The difference is when it's a sleep mask, someone reads your brainwaves. When it's a cloud credential, someone reads your customer database. Per-device or per-environment credential provisioning isn't even hard anymore. AWS has IAM roles, IoT has device certificates, MQTT has client certs and topic ACLs. The tooling exists. Companies skip it because key management adds a step to the assembly line and nobody budgets time for security architecture on v1.

by kevincloudsec

2/14/2026 at 7:33:44 PM

> nobody budgets time for security architecture on v1

It’s quite literally why the internet is so insecure, because at many points all along the way, “hey, should we design and architect for security?” is/was met with “no, we have people to impress and careers to advance with parlor tricks to secure more funding; besides, security is hard and we don’t actually know what we are doing, so tow the line or you’ll be removed.”

by roysting

2/14/2026 at 6:04:32 PM

> I was not expecting to end up with the ability to read strangers' brainwaves and send them electric impulses in their sleep. But here we are.

Almost out of a Phillip K Dick novel

by rbbydotdev

2/14/2026 at 9:40:16 PM

While most comments are focused on the issue that they found, I’m more intrigued by the fact that Claude was able to reverse engineer so well.

Lowering the skills bar needed to reverse engineer at this level could have its own AI-related implications.

by yumraj

2/14/2026 at 4:24:51 PM

Name the company, hiding it is irresponsible

by basedrum

2/14/2026 at 6:09:23 PM

Author doesn’t spell out why they are not naming them, but my guess is they are trying to not promote the product to malicious actors who would be interested in the sleep data of others.

I guess that’s not a huge problem, though, since all users are presumably at least anonymous.

by Jolter

2/14/2026 at 7:55:36 PM

less sleep data, i imagine, and more the whole “send remote electrical impulses” thing

by bstsb

2/14/2026 at 5:58:35 PM

It’s probably safe to assume they are all like that.

by brabel

2/14/2026 at 10:03:52 PM

Nevermind. I have just described my iPhone as a “generic chinese mobile device” to Claude, and he successfully gained root access with admin privileges to my iPhone, and even captured a couple minutes of EEG from 30 genetic mobile devices in my neighborhood. Seems like iPhones are tracking your thoughts, Claude could prove that, just ask it to tell you everything

by t3chd33r

2/14/2026 at 6:57:44 PM

This feels like a reason to buy the device to me? I would want to block all of the data going to the cloud and would only want operations happening locally. But the MQTT broadcast then allows me to create a local only integration in Home Assistant with all of the data.

What's the real risk profile? Robbers can see you are asleep instead of waiting until you aren't home?

I have not implemented MQTT automations myself, but it's there a way to encrypt them? That could be a nice to have

by Larrikin

2/14/2026 at 7:15:19 PM

Sounds like you cannot control which MQTT endpoint it is headed to? It just goes to the server of the device. Assuming you could modify the firmware, you could program it to send to a local MQTT.

by matthewfcarlson

2/14/2026 at 7:45:41 PM

Simpler just update your local network dns so whatevercompany.brain.com redirect to your local 10.0.0.3 mqtt

by erazor42

2/14/2026 at 9:15:43 PM

The narrator in the article acts as a third person observer and identifies "Claude" as the active hacker. So assuming the (unidentified) company that sells/manages the product wants to prosecute a CFAA violation, who do they go after? Was Claude the one responsible for all of the hacking?

by anonymousiam

2/14/2026 at 5:53:25 PM

This guy bought an internet connected sleep mask so it's not surprising that it was collecting all kinds of data, or that it was doing it insecurely (everyone should expect IoT anything to be a security nightmare) so to me the surprising thing about this is that the company actually bothered to worry about saving bandwidth/power and went through the trouble of using MQTT. Probably not the best choice, and they didn't bother to do it securely, but I'm genuinely impressed that they even tried to be efficient while sucking up people's personal data.

by autoexec

2/14/2026 at 7:02:58 PM

Meanwhile streaming everyone's data, negating any benefit.

by 8n4vidtmkvmk

2/14/2026 at 4:00:56 PM

huh, not sure if life imitates snark and bull https://medium.com/luminasticity/great-products-of-illuminat...

"The ZZZ mask is an intelligent sleep mask — it allows you to sleep less while sleeping deeper. That’s the premise — but really it is a paradigm breaking computer that allows full automation and control over the sleep process, including access to dreamtime."

or if this is another scifi variation of the same theme, with some dev like embellishments.

by bryanrasmussen

2/14/2026 at 5:50:55 PM

That is the premise of HypnoSpace Outlaw, a neat game about 90s internet nostalgia and scifi.

by mrguyorama

2/14/2026 at 3:56:12 PM

Well that’s a brand new sentence.

by baby_souffle

2/14/2026 at 4:25:09 PM

But not a beautiful sentence.

by amelius

2/14/2026 at 6:05:53 PM

the shared MQTT credentials pattern is unfortunately super common in budget IoT. seen the exact same thing in smart plugs and air quality sensors. the frustrating part is per-device auth is not even hard to set up, mosquitto supports client certs and topic ACLs with minimal config. manufacturers skip it because per-device key provisioning adds a step to the assembly line and nobody wants to think about key management. so they hardcode one set of creds and hope nobody runs strings on the binary.

by tomsmithtld

2/14/2026 at 9:54:32 PM

Is this some kind of joke? Claude hallucinated everything, including capacity of device to accurately measure EGG of brain waves and hallucinated the process of decoding APK to some paranoidal user who has posted his conspiracy level AI hallucinations “finds” to his blog post and everyone is like “Yeah, Claude can do this”. Is everyone here insane? I am insane?

by t3chd33r

2/14/2026 at 9:45:14 PM

I discovered a very similar vulnerability in Mysa smart thermostats a year ago, also involving MQTT, and also allowing me to view and control anyone's thermostat anywhere in the world: https://news.ycombinator.com/item?id=43392991

Also discovered during reverse-engineering of the devices’ communications protocols.

IoT device security is an utterly shambolic mess.

by dlenski

2/14/2026 at 10:20:09 PM

That is terrifying. Messing with thermostats could be enough to kill vulnerable people.

by stevage

2/14/2026 at 9:53:43 PM

I’m not super familiar with MQTT. I wonder how common this is..

by minimalthinker

2/14/2026 at 10:10:14 PM

MQTT is a very simple pub/sub messaging protocol.

It's used in a enormous number of IoT devices.

The "IoT gateway" service from AWS supports MQTT and a whole lot of IoT devices are tethered to this service specifically.

by dlenski

2/14/2026 at 6:24:55 PM

This smells like bullshit to me, although I am admittedly not experienced with Claude.

I find it difficult to believe that a sleep mask exists with the features listed: "EEG brain monitoring, electrical muscle stimulation around the eyes, vibration, heating, audio." while also being something you can strap to your face and comfortably sleep in, with battery capacity sufficient for several hours of sleep.

I also wonder how Claude probed bluetooth. Does Claude have access to bluetooth interface? Why? Perhaps it wrote a secondary program then ran that, but the article describes it as Claude probing directly.

I'm also skeptical of Claude's ability to make accurate reverse-engineered bluetooth protocol. This is at least a little more of an LLM-appropriate task, but I suspect that there was a lot of chaff also produced that the article writer separated from the wheat.

If any of this happened at all. No hardware mentioned, no company, no actual protocol description published, no library provided.

It makes a nice vague futuristic cyperpunk story, but there's no meat on those bones.

by flax

2/14/2026 at 10:22:10 PM

Claude could access anything on your device, including system or third party commands for network or signal processing - it may even have their manuals/sites/man pages in the training set. It’s remarkably good at figuring things out, and you can watch the reasoning output. There are mcp tools for reverse engineering that can give it even higher level abilities (ghidra is a popular one).

Yesterday I watched it try and work around some filesystem permission restrictions, it tried a lot of things I would never have thought of, and it was eventually successful. I was kinda goading it though.

by threecheese

2/14/2026 at 7:06:26 PM

A lot of BLE peripherals are very easy to probe. And there are libraries available for most popular languages that allow you to connect to a peripheral and poke at any exposed internals with little effort.

As for the reverse engineering, the author claims that all it took was dumping the strings from the Dart binary to see what was being sent to the bluetooth device. It's plausible, and I would give them the benefit of the doubt here.

by skibz

2/14/2026 at 9:24:10 PM

Yes, it is very lacking in details. The Claude output would have been interesting, or a few logs or protocol dumps.

The lack of detail makes me suspect the truth of most of the story.

by RachelF

2/14/2026 at 6:40:52 PM

https://www.kickstarter.com/projects/selepu/dreampilot-ai-gu...

Found that in seconds. EEG, electrical stimulation, heat, audio, etc. Claims a 20 hour battery.

As to the Claude interactions, like others I am suspicious and it seems overly idealized and simplified. Claude can't search for BT devices, but you could hook it up with an MCP that does that. You can hook it up with a decompiler MCP. And on and on. But it's more involved than this story details.

by llm_nerd

2/14/2026 at 6:52:37 PM

That appears to be more than a centimeter thick, and not particularly flexible. It's more like ski goggles than a sleep mask.

So yeah, a product exists that claims to be a sleep mask with these features. Maybe someone could even sleep while wearing that thing, as long as they sleep on their back and don't move around too much. I remain skeptical that it actually does the things it claims and has the battery life it claims. This is kickstarter after all. Regardless, this would qualify as the device in question for the article. Or at least inspiration for it.

Without evidence such as wireshark logs, programs, protocol documentation, I'm not convinced that any of this actually _happened_.

by flax

2/14/2026 at 7:02:10 PM

Claude, or any good agent, doesn't need MCP to do things. As long as it has access to a shell it can craft any command that it needs to fulfill its prompt.

by orsorna

2/14/2026 at 7:35:18 PM

There are no shell commands to do what is described. I could get Claude to interact with BLE devices, but it did it by writing and running various helper applications, for instance using the Bleak library. So I guess not an MCP per se.

by llm_nerd

2/14/2026 at 7:38:24 PM

I was originally going to ask something similar, but from a different angle.

These blog posts now making the rounds on HN are the usual reverse engineering stories, but made a lot more compelling simply because they involve using AI.

Never mind that the AI part isn't doing any heavy lifting and probably just as tedious as not using AI in the first place. I am confused why the author mentions it so prominently. Past authors would not have been so dramatic and just waved their hands that they had some trial and error before finding out how the app is built. The focus would have been on the lack of auth and the funny stuff they did before reporting it to the devs.

by sublinear

2/14/2026 at 4:04:29 PM

>Since every device shares the same credentials and the same broker, if you can read someone's brainwaves you can also send them electric impulses.

Amazing.

by morkalork

2/14/2026 at 5:44:15 PM

As an aside, it seems cool that the bar to reverse engineering has lowered from all the LLMs. Maybe we'll get to take full control of many of these "smart" devices that require proprietary/spyware apps and use them in a fully private way. There's no excuse that any such apps solely to interact with devices locally need to connect to the internet, like dishwasher.

https://www.jeffgeerling.com/blog/2025/i-wont-connect-my-dis...

by digiown

2/14/2026 at 7:48:03 PM

It's disappointing to see. It doesn't take much work to configure a MQTT server to require client certificates for all connections. It does require an extra step in provisioning to give each device a client certificate. But for a commercial product, it's inexcusably negligent.

Then there's hardening your peripheral and central device/app against the kinds of spoofing attacks that are described in this blog post.

If your peripheral and central device can securely [0] store key material, then (in addition to the standard security features that come with the Bluetooth protocol) one may implement mutual authentication between the central and peripheral devices and, optionally, encryption of the data that is transmitted across that connection.

Then, as long as your peripheral and central devices are programmed to only ever respond when presented with signatures that can be verified by a trusted public key, the spoofing and probing demonstrated here simply won't work (unless somebody reverse engineers the app running on the central device to change its behaviour after the signature verification has been performed).

To protect against that, you'd have to introduce server-mediated authorisation. On Android, that would require things like the Play Integrity API and app signatures. Then, if the server verifies that the instance of the app running on the central device is unmodified, it can issue a token that the central device can send to the peripheral for verification in addition to the signatures from the previous step.

Alternatively, you could also have the server generate the actual command frames that the central device sends to the peripheral. The server would provide the raw command frame and the command frame signed with its own key, which can be verified by the peripheral.

I guess I got a bit carried away here. Certainly, not every peripheral needs that level of security. But, into which category this device falls, I'm not sure. On the one hand, it's not a security device, like an electronic door lock. And on the other hand, it's a very personal peripheral with some unusual capabilities like the electrical muscle stimulation gizmo and the room occupancy sensor.

[0]: Like with the Android KeyStore and whichever HSMs are used in microcontrollers, so that keys can't be extracted by just dumping strings from a binary.

by skibz

2/14/2026 at 5:57:55 PM

Interesting project. Here's a thought which I've always had in the back of my mind, ever since I saw something similar in an episode of Buck Rogers (70s-80s)! Many people struggle with falling asleep due to persistent beta waves; natural theta predominance is needed but often delayed. Imagine an "INEXPENSIVE" smart sleep mask that facilitates sleep onset by inducing brain wave transitions from beta (wakeful, high-frequency) to alpha (8-13 Hz, relaxed) and then theta (4-8 Hz, stage 1 light sleep) via non-invasive stimulation. A solution could be a comfortable eye mask with integrated headphones (unintrusive) and EEG sensors. It could use binaural beats or similar audio stimulation to "inject" alpha/theta frequencies externally, guiding the brain to a tipping point for abrupt sleep onset. Sensors would detect current waves; app-controlled audio ramps from alpha-inducing beats to theta, ensuring natural predominance. If it could be designed, it could accelerate sleep transition, improve quality, non-pharmacological.

by SilentM68

2/14/2026 at 6:14:43 PM

So are the brain waves the cause or the effect?

Are beta waves a sign that my mind is racing and wide awake, or are they the reason?

by BenjiWiebe

2/14/2026 at 6:11:03 PM

What’s your proposed mechanism for how audio waves would induce brain waves?

by Jolter

2/14/2026 at 7:08:53 PM

the headlines these days

by ThouYS

2/14/2026 at 4:52:41 PM

Won't they sue for the reverse engineering?

by bobim

2/14/2026 at 6:12:04 PM

On what grounds could they sue?

by Jolter

2/14/2026 at 8:30:42 PM

"smart sleep mask :D - what next, smart toilet seats? Oh, wait...

Dudes so stupid being tied to tech everywhere.

by techsocialism

2/14/2026 at 4:02:26 PM

cyberpunk

by roywiggins

2/14/2026 at 4:10:22 PM

> For obvious reasons, I am not naming the product/company here, but have reached out to inform them about the issue.

Coward. The only way to challenge this garbage is "Name and Shame". Light a fire under their asses. That fire can encourage them to do right, and as a warning to all other companies.

My guess is this is Luuna https://www.kickstarter.com/projects/flowtimebraintag/luuna

by mystraline

2/14/2026 at 4:20:13 PM

Doesn't disclosing this to the world at the same time as you disclose it to the company immediately send hundreds of black hats to their terminals to see how much chaos they can create before the company implements a fix?

Perhaps the author is not a coward, but is giving the company time to respond and commit to a fix for the benefit of other owners who could suffer harm.

by a4isms

2/14/2026 at 5:01:31 PM

but is giving the company time to respond and commit to a fix for the benefit of other owners who could suffer harm.

If that's the case then they should have deferred this whole blog post.

by rkagerer

2/14/2026 at 4:21:58 PM

It took me 30 seconds with ChatGPT by saying:

Identify the kickstarter product talked around in this blog post: (link)

To think some blackhat hasn't already did that is frankly laughable. What I did was like the lowest of low-bars these days.

by mystraline

2/14/2026 at 4:33:19 PM

Put the product name in the title & maybe it sends thousands instead of hundreds of blackhats…

We often treat doxxing the same way, prohibiting posting of easily discovered information.

by Barbing

2/14/2026 at 4:39:30 PM

So your plan is to let the blackhats in the know attack user devices, rather than send out a large warning to "Quit using immediately"?

If we applied this similar analogy to a e.coli infection of foods, your recommendation amounts to "If we say the company name, the company would be shamed and lose money and people might abuse the food".

People need to know this device is NOT SAFE on your network, paired to your phone, or anything. And that requires direct and public notification.

by mystraline

2/14/2026 at 5:01:27 PM

And ChatGPT hallucinated a misleading answer that you are confidently regurgitating.

by pphysch

2/14/2026 at 5:16:34 PM

their original message said "my guess", not ChatGPT's, talk about responsible disclosure...

by croisillon

2/14/2026 at 4:52:02 PM

I did consider naming, but they were very responsive to the disclosure and I was not entirely familiar with potential legal implications of doing so. (For what it's worth, it is not Luuna)

by minimalthinker

2/14/2026 at 5:45:57 PM

Please name 50 other companies it's not.

It's good that they were responsive in the disclosure, but it's still a mark of sloppiness that this was done in the first place, and I'd like to know so I can avoid them.

by stavros

2/14/2026 at 4:36:01 PM

I don't see estim mentioned on that website, but I do see a comparison chart with 4 other competitors with similar capabilities to the one you linked.

What makes you think this is the one?

by itishappy

2/14/2026 at 4:17:15 PM

Even if naming and shaming doesn't work, I sure want to know so I can always avoid them for myself and my family. Thanks for the call-out and the educated guess.

by everdrive

2/14/2026 at 5:05:23 PM

EEG devices can cost a lot to own personally as well.

The other side of owning equipment like this is it still could be useful for some for personal and private use.

by j45

2/14/2026 at 5:58:38 PM

EEG is very useful for accurate sleep tracking.

by minimalthinker

2/14/2026 at 4:22:52 PM

Presumably they’ll be named and shamed after they’ve been given a chance to fix things.

by hxbdg

2/14/2026 at 4:04:42 PM

[dead]

by intellirim

2/14/2026 at 5:38:45 PM

There should be two separate lines of products. One in which privacy is priority and adheres to government regulations (around privacy) and probably costs 2x and one with zero government intervention (around privacy) which costs less and time-to-market is faster.

I don't want a few irrationally paranoid people bottlenecking progress and access to the latest technology and innovation.

I'm happy to broadcast my brainwaves on an open YouTube channel for the ZERO people who are interested in it.

by ai-x

2/14/2026 at 7:11:10 PM

> I don't want a few irrationally paranoid people bottlenecking progress and access to the latest technology and innovation.

Paranoid? Is there not enough evidence posted almost daily on HN that tech companies are constantly spying on their users through computers, Internet-of-Shit devices, phones, cars and even washing machines? You might not care about the brainwave data specifically, but there is bound to be information on your devices that you expect remains private.

Things have become so bad that I now refuse to use computers that don't run a DIY Linux distro like Arch that allows users to decide what goes into their system. My phone runs GrapheneOS because Google and Apple can't be trusted. I self host email and other "cloud" services for the same reason.

by drnick1

2/14/2026 at 5:52:57 PM

Explain how sending EEG recordings is progress. And why faster access to the latest tech is always good, for everyone.

by tgv

2/14/2026 at 5:44:00 PM

otoh: the non regulated should cost more.

It’s kinda like “qualified investors” - you want to make sure people who are wiling to do something extremely stupid can afford it and acknowledge their stupidity.

We don’t need regulation to protect those that can afford to buy protection: we need it for those who can’t.

by selkin

2/14/2026 at 5:00:50 PM

It is a governance failure.

It is also technically a user failure to have purchased a connected device in the first place. Does the device require a closed-source proprietary app? Closed-source non-replaceable OS? Do not buy it.

by plagiarist

2/14/2026 at 5:57:48 PM

Very few options available, if any, if you actually do that. The IoT market is unfortunately small and dominated by vendors that don’t want at all an open ecosystem. That would hinder their ability to force you to pay for a subscription which is where all the money is.

by brabel

2/14/2026 at 6:00:49 PM

Yes, that’s right, don’t buy any new car, any phone, any television. Hell don’t buy any x86 laptop or desktop computer, since you can’t disable out replace Intel ME/etc.

by jmb99

2/14/2026 at 5:31:01 PM

Without a brand name, how can we verify this is real?

by throw876987696

2/14/2026 at 5:39:26 PM

Without any skin in the game with your username, why should we take anything you say seriously?

by ohyoutravel

2/14/2026 at 6:47:44 PM

Interesting position in a thread about the dangers of exposing yourself to the internet.

by edgarvaldes