Russian IT specialist Anna Prosvetova discovered a vulnerability in Xiaomi Furrytail Pet Smart Feeder. Since feeders are used when the owners leave the house for a long time, pets may starve to death. The vulnerability was discovered in the application API through which feeders are controlled. The researcher believes that she has access to all such feeders, which are now active in the world.
Smart feeders work on the principle of a dispenser that gives a cat or dog a certain amount of dry food at a time. The owner of the animal can set the schedule of meals and the amount of portions in the mobile application. Thanks to this device, the animal can be left for a long time in an empty apartment, without worrying that it will die of hunger.
“I have logs running on the screen from all existing feeders, I see data on the Wi-Fi networks of poor Chinese who bought these devices. I can suddenly feed all the cats and dogs with a couple of clicks, but I can delete the schedules from the devices and not give them food. In addition, I see how much food is in the bowl now," writes the researcher. She has such a smart feeder at home.
Prosvetova did not provide a detailed description of the vulnerability because it is not yet closed. However, she reported that the feeders used a microcontroller ESP8266, which makes it possible to install special firmware on all devices.
As the programmer notes, the vulnerability in Furrytail is ideal for hackers who plan DDoS attacks: the whole process can be easily automated and scaled.
Prosvetova found almost 11 thousand of such gadgets on which she could change the feeding schedule without a password.
She sent a letter to Xiaomi with a detailed analysis of the vulnerability, indicating the method of finding it and advice on how to fix it. Xiaomi confirmed the bug in the smart feeders and promised to fix it. However, the company does not have a mechanism to reward researchers for finding vulnerabilities.