A Russian security researcher said she accidentally found a way to hack and take over all Xiaomi pet feeders located across the world.
In a series of messages published on her private Telegram channel last week, Anna Prosvetova, a security researcher from Saint Petersburg, Russia, said she identified vulnerabilities in the backend API and firmware of Xiaomi FurryTail smart pet feeders.
These are smart pet food containers that can be configured with the help of a mobile app to release small quantities of food at certain times of day.
Xiaomi FurryTail devices are specifically built to handle cat and dog food, and are often used by owners who leave pets alone in houses or apartments while they are away on long trips.
Researcher locates 10,950 FurryTail feeders
Prosvetova said that while looking at a device she bought from AliExpress for only $80, she found that the API allowed her to see all other active FurryTail devices located across the world.
In total, she found 10,950 devices, and the researcher claimed she could have changed the feeding schedules on any of them without needing a password.
Furthermore, she found that the devices were also using an ESP8266 chipset for WiFi connectivity. She said that a vulnerability in this chipset would have allowed an attacker to download and install new firmware, and then reboot the feeders so the changes take hold.
Prosvetova said the vulnerabilities would have been ideal for hackers looking to hijack the pet feeders into an IoT DDoS botnet, as the entire process could be easily automated and carried out at scale.
Xiaomi was notified last week
The researcher contacted Xiaomi via email last week and notified the Chinese vendor of the security flaws she discovered. In a follow-up message on her Telegram channel, she shared a screenshot of the vendor's reply, which acknowledged the bugs and promised a fix.
A Xiaomi spokesperson did not return an email seeking details about the patches.
It is unclear if a fix has been deployed, but Prosvetova has refrained from posting exact details about the bugs she found, to give the vendor more time to fix the issue. The Xiaomi rep also told the researcher she won't be eligible for a bug bounty because, unlike most big tech companies, the company doesn't run a vulnerability rewards program (VRP).