
Sleep Mask Exposes Brainwaves Through Insecure MQTT

Hacker News: Front Page

A smart sleep mask from a Chinese research company exposes users' EEG brainwave data through an insecure MQTT broker with hardcoded credentials. The device broadcasts live brainwaves to anyone who discovers the open connection, and the same channel allows control of its electrical muscle stimulation. Researchers discovered the flaw after reverse engineering the Bluetooth protocol and the companion app.

The reverse engineering process involved scanning for BLE devices, decompiling the Android app (built with Flutter), and analyzing a 9MB binary blob. Among thousands of strings, the team found hardcoded broker credentials, API endpoints, and command function names. With this information, they mapped all fifteen commands that control the mask's various features.

The investigation revealed approximately 25 active devices broadcasting sensitive data, including EEG readings from sleep masks showing users in REM and deep sleep states. The same credentials that allow reading brainwaves also enable sending electrical impulses. The researcher has contacted the company but withheld its name due to security concerns.
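As an added illustration, not taken from the article or from the vendor, the following contrasts the shared-credential broker setup the article describes with a least-privilege configuration in Mosquitto syntax. Mosquitto itself, the topic names (`masks/<id>/eeg`, `masks/<id>/commands`) and the identities (`mask-0a1b`, `app-user-42`) are assumptions chosen for the example.

```conf
# ---- Weak: a reconstruction of the setup described above (not the vendor's real file) ----
# mosquitto.conf
listener 1883                         # plaintext; broker address and login are easy to recover from the app
allow_anonymous false
password_file /etc/mosquitto/passwd   # ONE account, baked into every app install
# No acl_file: any client holding that account may subscribe to "#" (every mask's EEG stream)
# and publish to every mask's stimulation/command topic.

# ---- Hardened: per-device identity, TLS, and deny-by-default topic ACLs ----
# mosquitto.conf
listener 8883
cafile   /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile  /etc/mosquitto/broker.key
require_certificate true              # each mask and each app instance presents its own client cert
use_identity_as_username true         # username = certificate CN, issued per device at provisioning
allow_anonymous false
acl_file /etc/mosquitto/acl           # with an acl_file present, anything not listed is denied

# /etc/mosquitto/acl
# %u is replaced with the connecting client's username (here, its certificate CN).
# A mask may only publish its own telemetry and only read its own command topic,
# so one compromised mask credential reveals nothing about the other ~25 devices.
pattern write masks/%u/eeg
pattern read  masks/%u/commands

# App accounts are bound to the mask they were paired with at provisioning time
# (assumed pairing; in practice generated by the provisioning service, not hand-edited).
user app-user-42
topic read  masks/mask-0a1b/eeg
topic write masks/mask-0a1b/commands
```

With the hardened file, a client that subscribes to `#` receives only the topics its own identity is granted, and a stimulation command for one mask cannot be published from any other mask's or user's credential.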