The now-patched flaws found in the popular internet-connected baby bed underscore the importance of getting security right.
The Snoo Smart Bassinet pitch focuses on safety and sleep. Its purported ability to help babies—and their caregivers—get more shut-eye has fueled its popularity with those who can afford the $1,300 retail price. But the Snoo is ultimately another internet-connected gadget. And new research suggests that, like so many internet of things devices before it, the smart bassinet has had troubling bugs.
The now-patched software flaws and potential attacks exploiting them seemed unlikely to cause real-world harm to infants. But they underscore the stakes in producing connected devices and the importance of getting security right.
The Snoo is designed specifically to combat sudden infant death syndrome, according to its maker, the Happiest Baby Company, which launched Snoo in 2016. SIDS kills 3,600 infants in the United States each year in their sleep and is more likely to occur in babies that are sleeping on their stomachs. So the Snoo comes with a special swaddle designed to keep babies on their backs. There has never been a reported injury in a Snoo.
In addition to the swaddle, the Snoo also uses a built-in microphone, speaker, and motor to listen for a baby crying or fussing, and it responds automatically with gentle rocking and soothing white noise. Caregivers can monitor those functions and track their baby’s sleep with a mobile app that connects to the Snoo over Wi-Fi, rather than proximity-based Bluetooth. And a surprisingly powerful motor powers the bassinet’s gentle rocking.
Those details concerned researchers from the embedded-device security firm Red Balloon, who started looking into Snoo after buying one as a gift for their colleague. “You’ve got a steady internet connection and a motor that can put out a lot of power sitting underneath a sleeping baby,” says Red Balloon founder and CEO Ang Cui. “So, yeah, of course I got curious.”
The researchers quickly found two authentication and infrastructure issues, both of which have since been patched, that would have let an attacker on the same Wi-Fi network as the bassinet take total control of the device. Without physical access, they could have sent any commands to the motor, speaker, and microphones. The vulnerabilities didn’t expose Snoos directly on the open internet, but they could still be exploited from afar if an attacker first remotely compromised a target’s Wi-Fi network.
The Snoo does include a Wi-Fi switch that can physically disconnect the devices from the internet. With Wi-Fi disabled, the bassinet can’t receive wireless commands, which the Red Balloon researchers confirm would make their attacks impossible. Since the Snoo makes its rocking decisions locally using heuristics about a baby’s cry, the only functionality caregivers lose by turning off the Wi-Fi is sleep-tracking visualizations and some settings controls in the Snoo app.
“We hope it gives extra peace of mind knowing that Snoos have always come with a Wi-Fi off switch to allow concerned parents to completely disconnect from the internet, while still giving their baby all of SNOO’s sleep and safety benefits,” the company told WIRED in a statement.
Leaving Wi-Fi enabled, though, potentially exposed users to software vulnerabilities. Red Balloon says it also discovered what it views as two problematic hardware choices in Snoo devices that aren’t as easy to patch or fix.
The first involves the Snoo motor’s output limiter, which keeps the motor from rocking a baby too forcefully. The Snoo motor has multiple protections built in, like rubber components meant to dampen excessive forces, that make it difficult to shake a baby remotely with more force than intended. But the researchers found that despite those measures, they could still use the now-patched software vulnerabilities they discovered to physically manipulate the device’s motor from afar, driving it faster and generating more force than in normal Snoo use.
To test the exploit, the researchers cast a life-sized doll—18.875 inches long and 9.50 pounds, with a 14.625 inch waist—in EcoFlex 00-20 rubber, a silicone substance that mimics the density of human flesh. They implanted an accelerometer at the base of the doll’s neck during molding and affixed another to its forehead. Then they placed the dummy in the Snoo’s swaddle and started shaking.
The researchers found that despite the Snoo’s hardware safeguards, they could send specially crafted commands that moved the bottom of the bassinet to and fro rapidly, repeatedly switching directions to build up speed and force.
Using their test dummy and accelerometers, the researchers established a baseline maximum g-force of 0.2 g at the neck and less than 0.3 g at the forehead when the Snoo was operating normally. While executing “rocking attacks” on the dummy, they measured peak g-forces exceeding 0.7 g at the neck, and 1.8 g at the forehead.
Red Balloon also found that the Snoo uses only software to control volume maximums rather than a physical limiter. Think about times when you’ve streamed music to a speaker, turned the volume all the way up in a music app, and still had a song coming out quietly. Your next step would be to turn up the volume on your speaker itself. The current model of Snoo is set up with the equivalent of software limits in the music app, but no physical limits on the speaker.
Luckily, the speaker is small and can’t blast too loudly even outputting its physical maximum, but it can be pushed beyond the Snoo’s intended operating volume. The researchers observed that in normal use, the Snoo plays five levels of sounds that range from 76.5 decibels up to 94.7 decibels. When they attacked a Snoo and played a 650-Hz tone through the speaker at full blast, they found that it reached an average of 113.93 decibels. Similarly, playing a 1,500-Hz tone averaged 107.91 decibels.
“It is important to note that Snoo has always had built-in hardware limiters that prevent the bed’s calming sensations from ever going above a safe level,” the Happiest Baby Company said in its statement. “For example, it’s impossible to make the bed sounds exceed the level of a baby’s cry and the platform cannot be made to move more than 1 inch to either side, which is similar to the motion experienced by a baby riding in a car on a bumpy road.”
The researchers did not test with specially calibrated microphones or in an anechoic chamber. The Happiest Baby Company emphasizes that even if Red Balloon’s decibel readings are accurate, though, sounds in that range are safe for babies to encounter. The company also notes that the software vulnerabilities the researchers originally exploited to build their remote attacks have been patched and that no one has ever reported a Snoo hack or breach. “Although these findings never presented any safety risk because they could not be reasonably replicated in real world conditions, we quickly resolved them and patched all connected Snoos via an over-the-airway update,” the Happiest Baby Company said.
The Red Balloon researchers later found and disclosed additional remotely exploitable vulnerabilities in Snoo’s software that could be used to mount the same attacks. The researchers disclosed their original findings to the Happiest Baby Company on April 17, 2019, and the company patched the software vulnerabilities in less than two weeks. After giving the company more than 90 days to address the perceived hardware issues, the Red Balloon researchers began considering public disclosure. First, though, they notified the Happiest Baby Company about the additional software vulnerabilities they found on January 29. The company says that those bugs have now been patched as well.
“In addition to the patches, they did push out some additional checks on the software side, like putting a check in the firmware that makes sure the sound isn’t too loud,” Red Balloon’s Cui says. “That’s good, but this is more fundamental, since it’s at the hardware level, so the hardware problems should be addressed. The additional software bugs we found show why this is important—there can always be more software bugs, so you need to secure hardware too.”
The Happiest Baby Company is adamant that Red Balloon’s observations do not constitute hardware vulnerabilities, since the company says that the sounds and rocking the researchers produced would not be loud or vigorous enough to harm a baby.
When it comes to reducing SIDS, Fern Hauck, a family medicine specialist at the University of Virginia who serves on the American Academy of Pediatrics Task Force on SIDS, says that the current guidance is simply to place babies on their backs in an empty crib with a hard mattress.
“The guidelines for safe sleep specifically say that we don’t recommend any products to try to keep the baby safe—either positioners or other devices to keep babies on their back,” Hauck says. “The recommendation is to place a baby on his back on a firm mattress in a crib or bassinet.”
Despite discovery of the second round of software vulnerabilities, it’s still unlikely that a hacker would be motivated to target a Snoo given that it is challenging to carry out the attacks Red Balloon identified. Outside security experts who reviewed the research say, though, that the findings are legitimate and have significance even if the risk of real-world exploitation or injury is low.
“Red Balloon went to depths almost nobody goes to, and it’s great to see the kind of work that it takes to do cyber-physical effects,” says Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera. “A lot of the security of our everyday lives is based around the idea that no hacker will go through the kind of work and effort that Red Balloon did.”
Given the abysmal security track record of internet-of-things devices, researchers also emphasize that it’s important to address the root causes of unintended behaviors, even if they don’t pose an immediate physical threat.
“We’ve had big incidents like baby cameras spying on babies in their house or people being scared through a baby monitor by having someone yelling or screaming at them, and there’s some harm there,” says Chris Wysopal, cofounder and chief technology officer of the application security company Veracode. “If you buy a product and it scares you and makes you feel unsafe, you have no recourse. Unless someone is physically harmed or maimed or dead, it seems like we just kind of brush it off and go, ‘Oh yeah, technology has problems. There are always bugs.’”
Red Balloon shares its lead investor, Bain Capital, with the company 4moms, which makes a Snoo competitor. Released in January, the 4moms mamaRoo Sleep Bassinet is a similar product in many ways, but it uses Bluetooth to connect to its companion app—meaning it would not be affected by Wi-Fi-based attacks—and retails at $330, compared to $1,300 for the Snoo. Red Balloon and The Happiest Baby Company also share a VC investor, the private equity firm Greycroft.
It would be difficult to retroactively make hardware upgrades in the current model of Snoo, but future generations could include a physical volume limiter for the speaker and refined motor limiter to totally negate the possibility of attacks like the ones Red Balloon devised—even if the potential real-world risk to infants is currently minimal. The Happiest Baby Company says there is no risk, and that it makes improvements in every iteration of the Snoo. The Red Balloon researchers argue that the issues are worth fixing and that the additional hardware protections would not be unduly burdensome to incorporate.
Parents with a Snoo don’t need to be alarmed, especially since they can turn the Wi-Fi switch off to be cautious. But the vulnerabilities Red Balloon identified in the smart bassinet underscore the need to think twice before you connect any device to the internet—especially when the stakes are so high.
All Rights Reserved for Lily Hay Newman