A developer discovers his intelligent sleeping visor can access the neural signals of others because of inadequate digital protection — an unintended ability provided by substandard programming featuring embedded administrative login details.

The idiom "getting more than you bargained for" is usually applied in the context of unwanted, nasty consequences. Occasionally, it's used in the literal sense, like when AI engineer Aimilios Hatzistamou found his newly-bought sleep mask unwittingly granted him access to other users' EEG data and controls.

The story is straightforward: the product’s development stems from a process that barely considers the broader context. Hatzistamou purchased the sleep mask as a finished Kickstarter item from "a small Chinese research company." He declined to identify the firm, though we suspect it might be the SLEEPU DreamPilot.

Hatzistamou's mask suffered from persistent connectivity problems, so he followed the typical engineer's path: addressed the trouble himself. By employing the assistance of Claude Opus 4.6, he dismantled the Bluetooth protocol of the mask, only to observe that it didn't conform to any regular standards. Undeterred, he turned his attention to the Android application, which he used Claude to decompile and analyze (transcript here).

Unsurprisingly for any software engineer, he discovered certain hard-coded login details within the app binary, seemingly common to every version of the app (doh!), along with the anticipated API endpoints for transmitting/receiving Data accessed remotely Eventually, he mapped out the commands, and with Claude, they unraveled the underlying structure.

It was then time to turn to the web app, where he could manage the settings, and with a few adjustments, the system worked smoothly. Regrettably, that didn't mark the conclusion of the narrative. While conducting the reverse-engineering, he directed Claude to probe the external data endpoints. Upon accessing the MQTT services via the previously mentioned fixed login info, he truly received his telemetry data... As well as the records of all other users.

Hatzis estimated that around 200 people were involved, with the data suggesting that the participants, though scattered, were actively engaged—though the exact figures remained approximate. Since the mask includes a built-in mechanism, and given that the same signal can be transmitted across devices, the potential for triggering responses across devices exists.

The engineer sent the findings, having confirmed the product’s performance despite lingering issues. As a programmer myself, this scenario doesn't seem to reveal any harmful motives from the creators and acts as yet another predictable example of how low the standards have sunk for software engineering in this era and Age.

Follow 3DTested on Google News, or add us as a preferred source, to obtain our newest reports, breakdowns, & appraisals via your feeds.