
Security Researcher Gets Access To Thousands of Automatic Pet Feeders By Xiaomi (habr.com)

New submitter arkamax writes: A security researcher based in Russia discovered that her research (article in Russian, Google Translate) into the API for a new automatic pet feeder manufactured by Xiaomi resulted in obtaining full control of approximately 10,950 similar devices across the world. She found ways to access the logs of those pet feeders, change their settings, invoke manual feeding or completely delete all feeding schedules. She mentioned that the feeder is based on the widely known ESP8266 embedded board, adding that "apparently one could send a remote request to the feeder to download a firmware update. An evil person could use that to reboot those devices and brick them afterwards. The only way to fix it would involve mechanical disassembly and a manual firmware update that requires connecting directly to the board. Explain THAT to poor kitties and puppies who eagerly wait for their owners to come back from a two-week vacation." She then added that the "whole architecture is one epic fail and it's hard to imagine a speedy fix." The researcher chose to stick to responsible disclosure guidelines and declined to disclose any details until the issues are fixed. Since then, the manufacturer was reported to have fixed a few critical issues, but the bulk of the vulnerability still remains. Looks like the S in "IoT" still stands for Security.
  • ...more Chinese junk. I guess they weren't able to steal the plans for an American feeder.

    • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        Indeed. The only thing really "great" the US has is its delusions. Nothing of relevance in the high-tech sector is made in the US these days, and if it is designed in the US, the design teams will be more foreigners than US citizens.

    • by mtjs18 ( 6340362 )
      While I recognize some of the problems, I don't share your negative perspective on China. In 2011, my friends and I toured the country. In rural villages, poor farmers would invite us into their house, though we were perfect strangers, and serve us their best food. We sat in their house, eating rice and pork with chopsticks. It was hospitality they could probably barely afford. I will never forget their kindness. I have a dream that we avoid ethnocentrism while still being willing to talk about issues that
      • by Corbets ( 169101 )

        I have a dream that we avoid ethnocentrism while still being willing to talk about issues that should be addressed.

        You’re talking to people whose social interaction ability is left of zero, who rarely even leave mom’s basement, and you’re hoping for balanced, rational discussion about people not in their tribe? Good luck!

    • ...more Chinese junk. I guess they weren't able to steal the plans for an American feeder.

      Are you under the extreme delusion that the location of manufacture makes IoT devices secure? Can we suggest a psychiatrist for you?

      Or maybe you think American companies don't use Chinese IoT platforms like the ESP8266 created by the Chinese-based Espressif? That same psychiatrist may be able to help with that too.

    • by gweihir ( 88907 )

      You think Americans would have done better? What world do you live in? Because it certainly is not this one...

      • Yes, I do think Americans could do better.

        Specifically, using the HomeKit IoT protocol (which no longer requires dedicated hardware). That system was invented in the U.S.

        AFAICT, no breach of a HomeKit device has ever occurred.

  • What moron is allowing WAN access to IoT devices in their home? It's easy enough to keep it locked away on a VLAN and access it by VPN when needed. If you don't know how to do that you shouldn't be doing IoT.
    • by koteeq ( 6341178 )
      Ok, here I am, the researcher, to explain this in detail. First, I completely agree. I keep all my IoT devices locked out of the WAN. The problem with this device is that you never connect to it locally nor from outside. There is only one way to control this feeder: to use the mobile app that communicates with a Chinese HTTP API. The feeder itself connects to another Chinese API to report statuses and get commands to execute. It means that you have NO WAY to keep it secure and have control simultaneously with origin
      • I have returned every "WiFi" thermostat I've ever purchased for operating the same way. "WiFi" enabled means it can connect to my LAN using WiFi, not installing a Trojan horse on my LAN for the manufacturer to manipulate remotely at will (maybe even when I don't want them to). California has already proposed legislation allowing your electric utility to "hack" WiFi thermostats without your consent when they want to reduce grid power demand. No way in hell am I installing any such device in my home. Good on
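A defender-side illustration of the point made in this thread (an added example, not code from the original discussion or from the researcher): because the feeder talks only to its vendor's cloud, the practical control is to put it on its own VLAN, allow egress only to the vendor's API hosts, and alert on anything else, including an unusually large download that could be an unrequested firmware image. The vendor hostnames, the VLAN range and the flow-log format below are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder vendor endpoints: the discussion names no hostnames, so
# these stand in for the mobile-app API and the device status/command API.
VENDOR_ALLOWLIST = {"app-api.example-vendor.invalid",
                    "device-api.example-vendor.invalid"}
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")  # constructed IoT segment

# Constructed flow log: "<ts> src=<ip> dst=<host> port=<n> in=<bytes received>"
SAMPLE_LOG = """\
2019-10-29T08:00:01 src=192.168.50.12 dst=device-api.example-vendor.invalid port=443 in=1200
2019-10-29T08:00:31 src=192.168.50.12 dst=device-api.example-vendor.invalid port=443 in=980
2019-10-29T08:01:02 src=192.168.50.12 dst=cdn.unknown-host.invalid port=80 in=734000
2019-10-29T08:01:40 src=192.168.50.12 dst=device-api.example-vendor.invalid port=443 in=812000
2019-10-29T08:02:00 src=192.168.1.20 dst=cdn.unknown-host.invalid port=80 in=50
""".splitlines()


@dataclass
class Flow:
    ts: str
    src: str
    dst_host: str
    dst_port: int
    bytes_in: int


def parse_line(line: str) -> Flow:
    """Parse one line of the constructed flow-log format into a Flow."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return Flow(parts[0], fields["src"], fields["dst"],
                int(fields["port"]), int(fields["in"]))


def audit(lines, allowlist=VENDOR_ALLOWLIST, vlan=IOT_VLAN, big_download=500_000):
    """Flag IoT-VLAN flows that leave the vendor allowlist, and flows to a
    vendor host that pull far more data than a status/command exchange
    (a possible firmware image the owner did not ask for)."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if ipaddress.ip_address(f.src) not in vlan:
            continue  # only the IoT segment is subject to this policy
        if f.dst_host not in allowlist:
            findings.append((f.ts, f.src, "egress outside vendor allowlist", f.dst_host))
        elif f.bytes_in >= big_download:
            findings.append((f.ts, f.src, "large download from vendor host", f.dst_host))
    return findings
```

Running `audit(SAMPLE_LOG)` yields two findings for the feeder at 192.168.50.12: the connection to the non-vendor host, and the 812 kB pull from the vendor API; the flow from the non-IoT address is ignored.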
  • Seriously, security problems aside for a moment, what kind of asshole fucks up a pet feeder, potentially starving a trapped (in someone's home) animal potentially to the point of death? It's not like Rover or Morris have bitcoin to ransom their food with.
    • She was concerned about someone else locking up those feeders, and I think that's why (in part) she refused to publish the details until fixes are in. She also mentioned that it was her intention to have her own app developed for the feeder so that she could lock it down in her LAN, so she went on to sniff and study the API; it was then that she found the issues described.
      • by koteeq ( 6341178 )
        Actually, keeping cats and dogs safe and alive is the first and main reason why I didn't disclose details or break anything. Not liking to go to jail is the second reason.
    • by gweihir ( 88907 )

      Probably the same assholes that attack hospitals with malware and do other despicable acts: People that only care about themselves and what they think they can get away with. Incidentally, the US has its fair share of those and many, many have managed to get into positions of power.

    • by koteeq ( 6341178 )
      Hahah. Looks like that story became Chinese whispers (no pun intended), so I'm here to explain my original intentions. When I stumbled upon this vulnerability, I did two things. First, I published the fact that the vulnerability exists on my Telegram channel. I never published anything that could lead to disclosure. Secondly, I notified the Furrytail manufacturer about the vulnerability and I gave them a COMPLETE and detailed description of what is happening. I even gave them some tips that could help them fix this br
      • by koteeq ( 6341178 )

        Looks like that story became Chinese whispers

        But yeah, I agree that these titles sound awful. "Russian hacker bricked all the pet feeders and could starve all cats to death". Boo! Such a monster! Hah. The main thing I got from my 22 y.o. life is that I love cats more than people because they always love you back and never hurt you. Precious creatures.

    • 61 69 6c 65 72 6f 6e 20 68 6f 6d 65 62 72 65 77 20 6c 61 62 72 61 64 6f 72 20 6c 61 75 6e 64 72 79 20 63 68 69 63 6b 65

      You left off 6E at the end.
