My smart sleep mask broadcasts users' brainwaves to an open MQTT broker

Sleep mask streams your brainwaves — commenters demand “name and shame”

TLDR: A crowdfunded sleep mask exposed users’ live brainwaves via a shared login on an open device server, and anyone could trigger face-zapping pulses. Commenters split between gallows humor and fury, with many demanding the maker be named to force a fix and spotlight wider gadget security failures.

A Kickstarter sleep mask meant to lull users to dreamland just jolted the internet awake. A tinkerer found the mask’s app had hardcoded logins to an open gadget “group chat” server (an MQTT broker: think of a public message board that devices post to and read from). Result: live brainwaves from strangers were streaming in, and the same channel could send electric pulses back to their faces. The community’s reaction? Pure chaos.

The top vibe was stunned comedy: “Well that’s a brand new sentence,” one user deadpanned, while another just muttered “cyberpunk.” Others leaned into the Black Mirror mood, calling it a “REM-ote control” gone wrong. But the biggest flame war erupted over disclosure. The author refused to name the company, citing safety and responsible reporting. A loud faction yelled “Name and shame!”, arguing only public heat will fix this mess, while cautious voices warned that doxxing the brand might tempt trolls to abuse the still-open system. Meanwhile, armchair detectives tried to guess the product, and conspiracy jokesters dropped links to satire about sleeper gadgets. Even the tech-curious were rattled by how simple the exploit sounded: shared passwords, public broker, boom—brainwaves on tap. It’s the perfect storm of cheap “smart” hardware, sloppy security, and a comment section that’s very much awake.

Key Points

  • A Kickstarter sleep mask from a Chinese research company was reverse-engineered due to app instability.
  • BLE analysis and app decompilation revealed hardcoded credentials, endpoints, and protocol structure despite Flutter’s compiled Dart code.
  • Using blutter and strings, fifteen command types were fully mapped; the device responded with detailed sensor configuration and status.
  • Shared MQTT broker credentials allowed access to about 25 devices’ data, including live EEG, air quality, and presence sensors.
  • Because credentials were shared, remote EMS commands could be sent to other users’ masks; the author informed the company without naming it.
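The Key Points above come down to one broker-side failure: every mask authenticated with the same MQTT credentials, so the broker had no way to tell one user's topics from another's. The following added example (not code from the post or the vendor; the topic layout masks/<id>/eeg and masks/<id>/ems and the usernames are assumptions) implements MQTT topic-filter matching and evaluates a shared-credential ACL against a per-device pattern ACL, showing which cross-device reads and writes each one permits.

```python
"""MQTT topic ACL check (added illustration; topic names and usernames are assumed)."""


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' matches exactly one level, '#' the remainder."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1          # '#' is only valid as the last level
        if i >= len(t):
            return False                    # filter is longer than the topic
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def authorized(acl: dict, username: str, action: str, topic: str) -> bool:
    """acl maps a username ('*' = every user) to (action, pattern) rules.
    '%u' in a pattern is substituted with the connecting client's username,
    the same idea as a Mosquitto acl_file 'pattern' line."""
    rules = acl.get(username, []) + acl.get("*", [])
    for allowed_action, pattern in rules:
        if allowed_action in (action, "readwrite"):
            if topic_matches(pattern.replace("%u", username), topic):
                return True
    return False


# Weak: one account baked into the app, one wildcard rule. Every client that
# presents that account can read every mask's stream and publish to any mask.
SHARED_ACL = {"*": [("readwrite", "#")]}

# Hardened: each mask authenticates as its own user and is confined to its tree
# (the Mosquitto equivalent would be: pattern readwrite masks/%u/#).
PER_DEVICE_ACL = {"*": [("readwrite", "masks/%u/#")]}


def exposure(acl: dict, me: str, other: str) -> tuple:
    """(can 'me' read another mask's EEG topic, can 'me' publish EMS commands to it)."""
    return (authorized(acl, me, "read", f"masks/{other}/eeg"),
            authorized(acl, me, "write", f"masks/{other}/ems"))


if __name__ == "__main__":
    print("shared creds  :", exposure(SHARED_ACL, "sleepmask-app", "mask-0002"))
    print("per-device ACL:", exposure(PER_DEVICE_ACL, "mask-0001", "mask-0002"))
```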

Hottest takes

“Well that’s a brand new sentence.” — baby_souffle
“you can also send them electric impulses. Amazing.” — morkalork
“Coward… ‘Name and Shame’.” — mystraline
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.