Security researcher gets access to all Xiaomi pet feeders around the world

Denial of Service by Pet Feeder could become a feature of life on the internet. Seriously, internet-connected devices need to earn some kind of basic safety certificate before you plug them in. Where's the BSI Kitemark for cyber?

[…] Prosvetova said that while looking at a device she bought from AliExpress for only $80, she found that the API allowed her to see all other active FurryTail devices located across the world.

In total, she found 10,950 devices, on which the researcher claimed she could have changed feeding schedules without needing a password.

Furthermore, she found that the devices were also using an ESP8266 chipset for WiFi connectivity. She said that a vulnerability in this chipset would have allowed an attacker to download and install new firmware, and then reboot the feeders so the changes take hold.

Prosvetova said the vulnerabilities would have been ideal for hackers looking into hijacking the pet feeders into an IoT DDoS botnet, as the entire process could be easily automated and carried out at scale.
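The excerpt above describes a device API that returned every feeder in the fleet and accepted schedule changes without tying the request to an authenticated owner. As an added illustration, not code from the article or from Xiaomi, here is a hypothetical feeder API in Python with that broken pattern beside a version that authenticates the caller and scopes every lookup to the caller's own devices. All device ids, owners, schedules and the session dict are constructed for the example.

```python
"""Hypothetical pet-feeder cloud API: broken-authorization pattern beside the fix.

Constructed example. Device ids, owners and schedules below are made up;
nothing here is Xiaomi/FurryTail code or a description of its real API.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    owner: str
    schedule: list = field(default_factory=list)


# Constructed registry: two owners, three feeders.
DEVICES = {
    "feeder-0001": Device("feeder-0001", "alice", ["07:00", "19:00"]),
    "feeder-0002": Device("feeder-0002", "bob", ["08:00"]),
    "feeder-0003": Device("feeder-0003", "bob", ["06:30", "18:30"]),
}


# --- Broken variant: the pattern the article describes -------------------
def list_devices_vulnerable():
    """Returns every feeder in the fleet regardless of who is asking."""
    return sorted(DEVICES)


def set_schedule_vulnerable(device_id, schedule):
    """Changes any feeder's schedule: no caller identity, no ownership check."""
    DEVICES[device_id].schedule = list(schedule)
    return DEVICES[device_id].schedule


# --- Hardened variant: authenticate, then bind every lookup to the caller ---
def _require_user(session):
    """`session` is a dict produced by the (hypothetical) auth layer.

    Anything without a verified user is rejected before any data is touched.
    """
    user = session.get("user") if isinstance(session, dict) else None
    if not user:
        raise PermissionError("authentication required")
    return user


def _valid_time(t):
    """Accept only zero-padded HH:MM strings so a bad payload cannot be stored."""
    if not (isinstance(t, str) and len(t) == 5 and t[2] == ":"):
        return False
    hh, mm = t[:2], t[3:]
    return hh.isdigit() and mm.isdigit() and 0 <= int(hh) < 24 and 0 <= int(mm) < 60


def list_devices(session):
    """Only the caller's own feeders are ever enumerated."""
    user = _require_user(session)
    return sorted(d.device_id for d in DEVICES.values() if d.owner == user)


def set_schedule(session, device_id, schedule):
    """Ownership is checked on every write, and 'not found' and 'not yours'
    produce the same error so the endpoint is not an enumeration oracle."""
    user = _require_user(session)
    device = DEVICES.get(device_id)
    if device is None or device.owner != user:
        raise LookupError("no such device")
    if not schedule or not all(_valid_time(t) for t in schedule):
        raise ValueError("schedule must be a non-empty list of HH:MM strings")
    device.schedule = list(schedule)
    return device.schedule
```

The design point is that the hardened handlers never consult the registry until a user identity exists, and then only through a query already filtered by that user; there is no code path that takes a bare device id from the request and acts on it.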


Original Article