Posted on October 28, 2019 at 5:28 PM
Some things are never planned and happen by sheer coincidence. Anna Prosvetova, a security researcher from Saint Petersburg, Russia, found a way to take control of 10,950 Xiaomi FurryTail smart pet feeders. She had not set out to do it, but it happened all the same.
In a series of messages posted to her private Telegram channel, Prosvetova said she had stumbled on a way to both hack and control every active FurryTail feeder in the world. The access, she explained, came from vulnerabilities in the backend API and in the devices' firmware.
The devices are internet-connected food containers, configured through a smartphone app to dispense small portions of food at set times through the day. The Xiaomi FurryTail is built for cat and dog food, and owners typically rely on it when leaving their animals alone during longer trips.
Possible Botnet of 10,950 Devices
Prosvetova was casually poking at the FurryTail API, as security researchers do, when she found that the backend returned data for every active FurryTail feeder in the world, not just her own.
The total came to 10,950 devices, and Prosvetova said she could change the feeding schedule on any of them without so much as a password: the API did not require any credentials before accepting the change. To make matters worse, the feeders use an ESP8266 module for their Wi-Fi connectivity, and Prosvetova said a vulnerability on that side would let an attacker download new firmware to the device and install it. A reboot afterward would make the change permanent.
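The failure Prosvetova describes, an API that acts on whatever device ID it is handed without asking who is calling, is a textbook case of broken object-level authorization. The following is an added example in Python, not Xiaomi's or Prosvetova's code; the feeder records, user names and handler functions are constructed for illustration, since the page does not show the real FurryTail API. It puts the vulnerable handler pattern beside a hardened one that looks devices up through the ownership relation.

```python
"""Broken object-level authorization in a device API, beside the fix.

Added example, not Xiaomi's or Prosvetova's code. The feeder records,
user names and handler functions are constructed for illustration;
the page does not show the real FurryTail API.
"""
import re
from dataclasses import dataclass, field

TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")  # "HH:MM", 24-hour clock


class Forbidden(Exception):
    """Raised when a caller asks for a device it does not own."""


@dataclass
class Feeder:
    device_id: str
    owner: str
    schedule: list = field(default_factory=list)  # feeding times, "HH:MM"


def make_fleet():
    """Constructed sample fleet standing in for the ~11k real devices."""
    return {
        "fd-0001": Feeder("fd-0001", "alice", ["08:00", "18:00"]),
        "fd-0002": Feeder("fd-0002", "bob", ["07:30", "12:30", "19:00"]),
        "fd-0003": Feeder("fd-0003", "carol", ["09:00"]),
    }


def validate_schedule(schedule):
    """Reject malformed times before they are stored or pushed to a device."""
    times = list(schedule)
    bad = [t for t in times if not TIME_RE.match(t)]
    if bad:
        raise ValueError(f"invalid feeding time(s): {bad}")
    return sorted(set(times))


# --- Vulnerable pattern ------------------------------------------------
# The handlers trust the device_id in the request and never ask who is
# calling. Anyone who can reach the API can list every device and
# rewrite any schedule: the fleet-wide access described in the article.
def list_devices_vulnerable(fleet):
    return sorted(fleet)


def set_schedule_vulnerable(fleet, device_id, schedule):
    fleet[device_id].schedule = validate_schedule(schedule)
    return fleet[device_id].schedule


def attacker_reschedule_all(fleet, schedule):
    """What an unauthenticated caller can do with the vulnerable handlers."""
    changed = 0
    for device_id in list_devices_vulnerable(fleet):
        set_schedule_vulnerable(fleet, device_id, schedule)
        changed += 1
    return changed


# --- Hardened pattern --------------------------------------------------
# `user` is the identity the framework established from a verified
# session or token before the handler ran (assumed here, not shown).
# Devices are looked up through the ownership relation, so a device_id
# owned by someone else is treated the same as one that does not exist.
def list_devices(fleet, user):
    return sorted(d.device_id for d in fleet.values() if d.owner == user)


def _owned_device(fleet, user, device_id):
    dev = fleet.get(device_id)
    if dev is None or dev.owner != user:
        # Same error for "not yours" and "not found": no enumeration oracle.
        raise Forbidden(f"{user!r} has no device {device_id!r}")
    return dev


def get_schedule(fleet, user, device_id):
    return list(_owned_device(fleet, user, device_id).schedule)


def set_schedule(fleet, user, device_id, schedule):
    dev = _owned_device(fleet, user, device_id)
    dev.schedule = validate_schedule(schedule)
    return list(dev.schedule)


if __name__ == "__main__":
    fleet = make_fleet()
    print("vulnerable listing:", list_devices_vulnerable(fleet))
    print("devices rewritten by attacker:", attacker_reschedule_all(fleet, ["03:00"]))
    fleet = make_fleet()
    print("alice sees:", list_devices(fleet, "alice"))
    try:
        set_schedule(fleet, "alice", "fd-0002", ["03:00"])
    except Forbidden as err:
        print("blocked:", err)
```

The point of the hardened version is that authorization is not a check bolted on after the lookup but the way the lookup is done: there is no code path that reaches a feeder record except through its owner, and the same error covers both "not yours" and "does not exist" so the API cannot be used to count the fleet.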
Vulnerabilities like these are the bread and butter of botnet builders. For the roughly $80 that a single feeder costs, an attacker could buy one, study it, and gain access to the entire fleet to use as an IoT botnet, most famously for DDoS attacks. Prosvetova noted that the whole process, from pushing the new firmware to enrolling the device in the botnet, would be easy to automate and would scale to the whole fleet with little effort, leaving an attacker with thousands of internet-connected devices under their control.
Xiaomi Notified, But Declined Compensation
Prosvetova notified Xiaomi by email about the vulnerabilities. The Chinese vendor replied, acknowledging the issue and promising to fix it.
While the devices were clearly hackable, it is unclear whether they have been patched yet. Prosvetova has withheld the exact details, making it clear that there is a hole without saying exactly where it is.
The Xiaomi representative who replied to Prosvetova also told her that she was not eligible for a bug bounty, the reason given being that Xiaomi had no vulnerability rewards program (VRP) through which to pay one. Most tech companies large enough for this to be a problem run a program of their own. It is an effective way to get unexpected holes plugged before a major breach forces the issue, and it gives security researchers a legal way to earn money from finding flaws in systems.
This new era of the Internet of Things is cause for both concern and excitement. It may have left just under 11 thousand pet feeders ready to be drafted into a botnet, but it has also allowed an enormous range of connected technologies to work seamlessly.
As the growing pains of this technology play out, however, things go wrong. The best-known example is the Mirai botnet, whose authors took control of a huge number of IP cameras, digital video recorders and home routers and used them to launch crippling DDoS attacks.
It is a strange state of affairs, but it is the one our connected world allows. Security firms have already begun taking steps to secure this new frontier of vulnerable devices.