The Snoo Smart Bassinet pitch focuses on safety and sleep. Its purported ability to help babies—and their caregivers—get more shut-eye has fueled its popularity with those who can afford the $1,300 retail price. But the Snoo is ultimately another internet-connected gadget. And new research suggests that, like so many internet of things devices before it, the smart bassinet has had troubling bugs.

The now-patched software flaws and potential attacks exploiting them seemed unlikely to cause real-world harm to infants. But they underscore the stakes in producing connected devices and the importance of getting security right.

The Snoo is designed specifically to combat sudden infant death syndrome, according to its maker, the Happiest Baby Company, which launched Snoo in 2016. SIDS kills 3,600 sleeping infants in the United States each year and is more likely to occur in babies that sleep on their stomachs. So the Snoo comes with a special swaddle designed to keep babies on their backs. There has never been a reported injury in a Snoo.

In addition to the swaddle, the Snoo uses a built-in microphone, speaker, and motor to listen for a baby crying or fussing, and it responds automatically with gentle rocking and soothing white noise. Caregivers can monitor those functions and track their baby's sleep with a mobile app that connects to the Snoo over Wi-Fi, rather than proximity-based Bluetooth. And a surprisingly powerful motor drives the bassinet's gentle rocking.

Those details concerned researchers from the embedded-device security firm Red Balloon, who started looking into the Snoo after buying one as a gift for a colleague. "You've got a steady internet connection and a motor that can put out a lot of power sitting underneath a sleeping baby," says Red Balloon founder and CEO Ang Cui. "So, yeah, of course I got curious."

The researchers quickly found two authentication and infrastructure issues, both of which have since been patched, that would have let an attacker on the same Wi-Fi network as the bassinet take total control of the device. Without physical access, they could have sent any commands to the motor, speaker, and microphones. The vulnerabilities didn't expose Snoos directly on the open internet, but they could still be exploited from afar if an attacker first remotely compromised a target's Wi-Fi network.

The Snoo does include a Wi-Fi switch that physically disconnects the device from the internet. With Wi-Fi disabled, the bassinet can't receive wireless commands, which the Red Balloon researchers confirm would make their attacks impossible. Since the Snoo makes its rocking decisions locally using heuristics about a baby's cry, the only functionality caregivers lose by turning off the Wi-Fi is sleep-tracking visualizations and some settings controls in the Snoo app.

"We hope it gives extra peace of mind knowing that Snoos have always come with a Wi-Fi off switch to allow concerned parents to completely disconnect from the internet, while still giving their baby all of SNOO’s sleep and safety benefits," the company told WIRED in a statement.

Leaving Wi-Fi enabled, though, potentially exposed users to software vulnerabilities. Red Balloon says it also discovered what it views as two problematic hardware choices in Snoo devices that aren't as easy to patch or fix.

The first involves the Snoo motor's output limiter, which keeps the motor from rocking a baby too forcefully. The Snoo motor has multiple protections built in, like rubber components meant to dampen excessive forces, that make it difficult to shake a baby remotely with more force than intended. But the researchers found that despite those measures, they could still use the now-patched software vulnerabilities they discovered to physically manipulate the device's motor from afar, driving it faster and generating more force than in normal Snoo use.

WIRED video of Red Balloon’s testing results prior to the Happiest Baby Company’s initial software patch. No such attack on a Snoo has been reported outside of Red Balloon’s lab setting.

To test the exploit, the researchers cast a life-sized doll—18.875 inches long and 9.50 pounds, with a 14.625 inch waist—in EcoFlex 00-20 rubber, a silicone substance that mimics the density of human flesh. They implanted an accelerometer at the base of the doll's neck during molding and affixed another to its forehead. Then they placed the dummy in the Snoo's swaddle and started shaking.