Security Researcher Gets Access To Thousands of Automatic Pet Feeders By Xiaomi (habr.com)
New submitter arkamax writes: A security researcher based in Russia discovered that her research (article in Russian, Google Translate) into the API for a new automatic pet feeder manufactured by Xiaomi resulted in obtaining full control of approximately 10,950 similar devices across the world. She found ways to access logs of those pet feeders, change their settings, invoke manual feeding or completely delete all feeding schedules. She mentioned that the feeder is based on a widely known ESP8266 embedded board, adding that "apparently one could send a remote request to the feeder to download a firmware update. An evil person could use that to reboot those devices and brick them afterwards. The only way to fix it would involve mechanical disassembly and a manual firmware update that requires connecting directly to the board. Explain THAT to poor kitties and puppies who eagerly wait for their owners to come back from a two-week vacation." She then added that the "whole architecture is one epic fail and it's hard to imagine a speedy fix." The researcher chose to stick to the responsible disclosure guidelines and declined to disclose any details until the issues are fixed. Since then, the manufacturer was reported to have fixed a few critical issues but the bulk of the vulnerability still remains. Looks like S in "IoT" remains to stand for Security.
Another day... (Score:2, Funny)
...more Chinese junk. I guess they weren't able to steal the plans for an American feeder.
Re: (Score:2)
Cell phones were invented by a Soviet scientist.
Wait a minute... I thought that cell phones were invented by Hedy Lamarr.
Re: (Score:2)
The thing is, a breakthrough theory will need to be created by someone in particular, or at most some very small group. My guess would be that 5 would be about the maximum.
This is creation, not development. And the reason is that a breakthrough theory will not be accepted by the current holders of authority until there's LOTS of evidence. Also because communication is a difficult parallel processing problem, and when you're kicking over accepted assumptions you need LOTS of communication. IIRC Einstein
Re: (Score:2)
yeah, it's a mobile phone, but tbh we basically had equivalent functionality for military purposes; it's not like your average soviet citizen had a Kupriyanovich phone in their pocket.
it's worth noting that it couldn't hand off calls across cells, which is a pretty big problem for commercial deployment (though then again i guess that wouldn't have been a problem if the commies had won). it's definitely not a cell phone in terms of the capabilities we take for granted now. it was a mobile phone.
Re: (Score:2)
Damned interesting question! I assumed (incorrectly) that it would have been "Lucky Lindy" Charles Lindbergh. Turns out he was your 19th, however he was the first to do it solo in 1927.
John Alcock and Arthur Brown get the credit for the first in a modified World War One Vickers Vimy bomber fitted with extra fuel tanks in place of the bomb racks in 1919.
Kudos on an interesting historical query!
Re: (Score:2)
BZZZZT!
The history of the automobile is not so easily defined, with examples of self-propelled steam-powered vehicles dating as far back as Nicolas-Joseph Cugnot's invention of a military tractor in 1769.
The first true automobile is credited to Karl Friedrich Benz in 1885. It was a gasoline automobile powered by an internal combustion engine: three wheeled, four cycle, engine and chassis forming a single unit.
So Germany gets the golden ring on that one.
Re: (Score:2)
Indeed. The only thing really "great" the US has is its delusions. Nothing of relevance in the high-tech sector is made in the US these days, and if it is designed in the US, the design teams will be more foreigners than US citizens.
Re: (Score:2)
I have a dream that we avoid ethnocentrism while still being willing to talk about issues that should be addressed.
You’re talking to people whose social interaction ability is left of zero, who rarely even leave mom’s basement, and you’re hoping for balanced, rational discussion about people not in their tribe? Good luck!
Re: (Score:2)
...more Chinese junk. I guess they weren't able to steal the plans for an American feeder.
Are you under the extreme delusion that location of manufacture makes IoT devices secure? Can we suggest you a psychiatrist?
Or maybe you think American companies don't use Chinese IoT platforms like the ESP8266 created by the Chinese-based Espressif? That same psychiatrist may be able to help with that too.
Re: (Score:2)
You think Americans would have done better? What world do you live in? Because it certainly is not this one...
Re: Another day... (Score:1)
Yes, I do think Americans could do better.
Specifically, using the HomeKit IoT protocol (which no longer requires dedicated hardware). That system was invented in the U.S.
AFAICT, no breach of a HomeKit device has ever occurred.
Idiots (Score:1)
What kind of bastard bricks a pet feeder? (Score:2)
Re: (Score:2)
Probably the same assholes that attack hospitals with malware and do other despicable acts: People that only care about themselves and what they think they can get away with. Incidentally, the US has its fair share of those and many, many have managed to get into positions of power.
Re: (Score:1)
Looks like that story became Chinese whispers
But yeah, I agree that these titles sound awful. "Russian hacker bricked all the pet feeders and could starve all cats to death". Boo! Such a monster! Hah. The main thing I got from my 22 y.o. life is that I love cats more than people because they always love you back and never hurt you. Precious creatures.
Re: (Score:1)
61 69 6c 65 72 6f 6e 20 68 6f 6d 65 62 72 65 77 20 6c 61 62 72 61 64 6f 72 20 6c 61 75 6e 64 72 79 20 63 68 69 63 6b 65
You left off 6E at the end.