Computer control your Tempurpedic Ergo bed frame
This article assumes you have and understand Linux.
I recently got an old man's bed. You know, the kind with hydraulics to raise or lower the head or foot of the bed. It connects to wifi, so I decided to poke it a bit.
Here's what I learned. It has a TCP web server of some sort running on port 80 that's used for configuring and querying its wifi setup. It doesn't present much of a website, but after sniffing traffic between their Android app and the bed I learned that it provides a JSON response with its configuration if you go to http://[bedip]/sys.
A bit of research shows that this is a Marvell IoT device. I don't know much about them but I've stashed that knowledge away for later hacking.
In addition to the web interface, it listens for UDP packets on port 50007. This is the important part for us.
Getting to the good bits
A bit more sniffing showed that the control codes are sent to the bed using UDP packets. This makes it a bit more complicated than, say, opening your web browser. In Linux we have a great tool called netcat that will let us craft UDP packets and send them at will.
The control codes contain more than just plain text, so I opted to store them as hexadecimal and use xxd to convert them to the binary that gets piped into netcat.
Here are a few of the hex codes I've figured out:
- Memory 1: 33053203945C0000C8
- Memory 2: 33053203945c0100c9
- Flat: 3305320A945C0400CC
- Vibe 1: 33053203948D007861
- Vibe off: 3305320A9486000012
Sending the control codes
In order to send these codes to your bed you need to know the IP address of the bed's controller. If your router allows you to assign a static DHCP address to a device (i.e. it always issues the same DHCP address to that device) then I recommend doing that.
Once you know the bed's IP address, you simply echo the code to xxd and pipe it into netcat like so (assuming your bed is at 192.168.1.59):
echo "33053203945c0000c8" | xxd -r -p | nc -n -4u -w1 192.168.1.59 50007
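The five codes listed above all fit one 9-byte layout in which the last byte equals the XOR of the four bytes before it. The following is an added example (not from the original post or from the vendor) that checks a code against that layout before sending it. The layout is an inference from these five codes only, and `parse_frame` and `send_code` are hypothetical names.

```python
import socket

# Codes copied from the list above (the page's own values).
CODES = {
    "memory1": "33053203945C0000C8",
    "memory2": "33053203945c0100c9",
    "flat": "3305320A945C0400CC",
    "vibe1": "33053203948D007861",
    "vibe_off": "3305320A9486000012",
}

FRAME_LEN = 9  # every code listed above is 9 bytes long


def parse_frame(hex_code):
    """Split a code into (prefix, body, check) and verify the check byte.

    Assumed layout, inferred only from the five codes above:
    bytes 0-3 prefix (meaning unknown), bytes 4-7 body,
    byte 8 = XOR of bytes 4-7.
    """
    raw = bytes.fromhex(hex_code)  # raises ValueError on non-hex input
    if len(raw) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(raw)}")
    prefix, body, check = raw[:4], raw[4:8], raw[8]
    expected = 0
    for b in body:
        expected ^= b
    if check != expected:
        raise ValueError(f"check byte {check:02x} != XOR of body {expected:02x}")
    return prefix, body, check


def send_code(name, bed_ip, port=50007):
    """Validate a named code, then send it as one UDP datagram."""
    parse_frame(CODES[name])  # refuse to send a mistyped code
    payload = bytes.fromhex(CODES[name])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (bed_ip, port))


if __name__ == "__main__":
    for name, code in CODES.items():
        prefix, body, check = parse_frame(code)
        print(f"{name:9} prefix={prefix.hex()} body={body.hex()} check={check:02x}")
```

The trailing byte only catches typos and corruption: it is computed from the packet itself with no secret involved, so it does not authenticate the sender.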
The possibilities are endless
From here you could use an IFTTT connection to trigger the bed to do certain things based on other events (use if-this-then-node on your home network to send the packets based on an IFTTT recipe), or even just throw commands into a cron job to wake you up every morning by shaking the bed. Yeah, I said it - your computer could shake you awake.
Really, with people using Amazon Echo to open the garage, start their Tesla and pull it out into the driveway, manipulating your bed with Echo should be simple.
In order to capture the codes, I used "Packet Capture" by Grey Shirts on the Google Play Store. I installed that on the device that was running the Ergo app - this way I didn't have to stress over trying to sniff the traffic off the wifi, I could grab it at the source device. It's a great app, by the way. Simply capture the packets and then switch to the Ergo app and push a button. When viewing the captured outgoing UDP packet, be sure to view it as hex.
The security geek in me wants to rant and rave over the complete lack of security built into this device. But, really, what's the real risk? Someone hacks your network and wakes you up at 4AM by vibrating and folding your bed?
What if I don't have a wifi-enabled frame?
There's a project I stumbled on called Tempurpedic Remote Relay that you can use along with hardware hacking your remote to give your computer control of your bed.