Feeding schedules and the safety of pets are at risk if attackers exploit this vulnerability, which could also be abused for IoT attacks.
The vulnerability found in the backend API and firmware of Xiaomi FurryTail smart pet feeders allowed researcher Anna Prosvetova to see every other active FurryTail device around the world. In total, she found 10,950 devices, on which she claimed she could have changed feeding schedules without needing a password.
These smart pet food containers can be configured with the help of a mobile app to release small quantities of food at certain times of day. The flaw could also allow hackers to exploit the devices as the weakest link to IoT networks.
The security researcher from Saint Petersburg, Russia, said she found that the devices were using an ESP8266 chipset for WiFi connectivity. A vulnerability in this chipset would have been ideal for hackers looking to hijack the pet feeders into an IoT DDoS botnet, as the entire process could be easily automated and carried out at scale.
Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, commented: “As we come to rely on software for more and more of our lives, we have reached a point where it’s crystal clear that all software development must be secure development.”
Even a basic security analysis of the design of the pet feeder system would have revealed its vulnerabilities and resulted in a more robust, resilient design, he pointed out. “For a little extra effort, the manufacturer could have saved itself the embarrassment of this story and could have better protected the safety of customers’ pets.”
Knudsen concluded: “Using a Secure Development Life Cycle fulfills the old proverb, ‘a stitch in time saves nine’. For a little more effort up front, you are handsomely repaid in better products, happier customers, and reduced risk.”