Security Researcher Gets Access To Thousands of Automatic Pet Feeders By Xiaomi

New submitter arkamax writes: A security researcher based in Russia discovered that her research (article in Russian, Google Translate) into the API for a new automatic pet feeder manufactured by Xiaomi resulted in obtaining full control of approximately 10,950 similar devices across the world. She found ways to access the logs of those pet feeders, change their settings, invoke manual feeding or completely delete all feeding schedules. She mentioned that the feeder is based on the widely known ESP8266 embedded board, adding that “apparently one could send a remote request to the feeder to download a firmware update. An evil person could use that to reboot those devices and brick them afterwards. The only way to fix it would involve mechanical disassembly and a manual firmware update that requires connecting directly to the board. Explain THAT to poor kitties and puppies who eagerly wait for their owners to come back from a two-week vacation.” She then added that the “whole architecture is one epic fail and it’s hard to imagine a speedy fix.” The researcher chose to stick to responsible disclosure guidelines and declined to disclose any details until the issues are fixed. Since then, the manufacturer was reported to have fixed a few critical issues, but the bulk of the vulnerabilities still remains. Looks like the S in “IoT” still stands for Security.

