A smart pet feeder couldn’t possibly do much damage in your home, right? Well, like many IoT devices, it can give criminals an easy way into your local network if it harbors vulnerabilities or lacks proper security measures.
That is the case with the Xiaomi FurryTail pet feeder, which can be programmed via an app to release small portions of dog or cat food while you’re not home. A vulnerability in its backend API, however, lets other people reach the device without authenticating and put your pet on an unnecessary diet.
In fact, every FurryTail sold so far around the world could be reached in one go, as Anna Prosvetova, a security researcher from Saint Petersburg, Russia, found out this month. She went public with her discovery on social media but didn’t go into specifics, since she had alerted Xiaomi to the vulnerability and was waiting for a fix.
Still, she did say this much: she bought a FurryTail off Aliexpress (it retails for a little over $80) and, while setting it up, noticed that the API exposed other FurryTails around the globe. Prosvetova claimed she could have accessed all 10,950 of them and changed their pre-programmed feeding times without having to prove she owned any of them.
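The failure described above is a missing authorization check on a device-scoped API: the backend accepts a device identifier from the caller and never asks whether the caller is allowed to act on that device. To make that concrete, here is an added example (not Xiaomi's backend or Prosvetova's code; the device IDs, session tokens, request shape and handler names are all hypothetical) that models such an API once without any caller check and once with authentication plus an ownership check on the requested device:

```python
"""Model of a device-command API, vulnerable and hardened (illustrative only).

The state, tokens and device IDs below are constructed for the example.
"""
import copy
import re

# Constructed backend state: two feeders owned by two different users.
SAMPLE_STATE = {
    "devices": {
        "feeder-0001": {"owner": "alice", "schedule": ["07:00", "19:00"]},
        "feeder-0002": {"owner": "bob", "schedule": ["08:00", "20:00"]},
    },
    # Session tokens a login endpoint would have issued (constructed).
    "sessions": {"tok-alice": "alice", "tok-bob": "bob"},
}

# Feeding times are HH:MM, 24-hour clock.
TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")


class AuthError(Exception):
    """Caller did not present a valid session."""


class Forbidden(Exception):
    """Caller is authenticated but does not own the device."""


def fresh_state():
    return copy.deepcopy(SAMPLE_STATE)


# --- Vulnerable handlers: no authentication, no ownership check -----------------

def list_devices_vulnerable(state, request):
    """Returns every registered device to any caller (global enumeration)."""
    return sorted(state["devices"])


def set_schedule_vulnerable(state, request):
    """Trusts device_id from the request body; never asks who is calling."""
    device = state["devices"][request["device_id"]]
    device["schedule"] = request["schedule"]
    return {"ok": True, "device_id": request["device_id"]}


# --- Hardened handlers: authenticate, then authorize per object ------------------

def _caller(state, request):
    user = state["sessions"].get(request.get("token"))
    if user is None:
        raise AuthError("missing or invalid session token")
    return user


def _owned_device(state, user, device_id):
    device = state["devices"].get(device_id)
    # Same response for unknown and foreign devices, so the API does not
    # reveal which IDs exist to someone probing the ID space.
    if device is None or device["owner"] != user:
        raise Forbidden("device not found")
    return device


def list_devices_hardened(state, request):
    """Returns only the devices bound to the authenticated caller."""
    user = _caller(state, request)
    return sorted(d for d, info in state["devices"].items() if info["owner"] == user)


def set_schedule_hardened(state, request):
    """Authenticates the caller, checks ownership, then validates the payload."""
    user = _caller(state, request)
    device = _owned_device(state, user, request["device_id"])
    schedule = request.get("schedule")
    if not isinstance(schedule, list) or not all(
        isinstance(t, str) and TIME_RE.match(t) for t in schedule
    ):
        raise ValueError("schedule must be a list of HH:MM strings")
    device["schedule"] = list(schedule)
    return {"ok": True, "device_id": request["device_id"]}


def demo():
    """Runs the same cross-account request against both handler sets."""
    results = {}
    state = fresh_state()
    results["vuln_list"] = list_devices_vulnerable(state, {})
    # Anonymous caller empties Bob's feeding schedule.
    set_schedule_vulnerable(state, {"device_id": "feeder-0002", "schedule": []})
    results["vuln_bob_schedule"] = state["devices"]["feeder-0002"]["schedule"]

    state = fresh_state()
    results["hard_list_alice"] = list_devices_hardened(state, {"token": "tok-alice"})
    try:
        set_schedule_hardened(state, {"device_id": "feeder-0002", "schedule": []})
        results["hard_no_token"] = "allowed"
    except AuthError:
        results["hard_no_token"] = "rejected"
    try:
        set_schedule_hardened(
            state, {"token": "tok-alice", "device_id": "feeder-0002", "schedule": []}
        )
        results["hard_cross_user"] = "allowed"
    except Forbidden:
        results["hard_cross_user"] = "rejected"
    set_schedule_hardened(
        state, {"token": "tok-bob", "device_id": "feeder-0002", "schedule": ["09:00"]}
    )
    results["hard_bob_schedule"] = state["devices"]["feeder-0002"]["schedule"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened version is that the device ID in the request is never treated as proof of anything: the session token identifies the caller, the registry says who owns the device, and a request is only honored when both agree. Returning the same "not found" error for foreign and nonexistent devices also removes the enumeration side channel that let one account see every other feeder.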
She also noted on social media that the FurryTail uses an ESP8266 chipset for Wi-Fi connectivity. According to her, this component carries a vulnerability that a hacker could leverage to enroll the device in an IoT DDoS botnet: with the feeder already reachable through the unauthenticated API, the attacker could push a custom firmware version to it. All of this could be automated for a large-scale operation.
Prosvetova notified Xiaomi of the vulnerability and the company promised a fix, ZDNet reports. Xiaomi also told her she wouldn’t get a bug bounty, since it has no vulnerability rewards program (VRP). She will probably have to settle for the gratitude of pet owners.
Image credit: Xiaomi