A Russian "hacker girl" accidentally hacked all Xiaomi feeders

  • Dec 24, 2019

Programmer Anna Prosvetova bought a Xiaomi Furrytail Pet Smart Feeder and wanted to decouple it from the Chinese cloud so she could control it locally. While studying the control protocol, Anna discovered a huge security hole that allowed remote control of every one of these feeders in the world.


The Xiaomi Furrytail Pet Smart Feeder is an automatic feeder controlled by a mobile application; it dispenses dry food for cats and dogs into a bowl from a four-liter container. Feeding is triggered either on a timer or by a command from the app.


To her great surprise, Anna found that she could gain access to all 10,950 such feeders operating in the world.

She wrote: "I have a screen with the logs running from all the existing feeders; I can see the Wi-Fi network data of the poor Chinese who bought the device. With a couple of clicks I can unexpectedly feed all the cats and dogs, and, conversely, deprive them of food by removing the schedule from the devices. I can see how much food is lying in someone's bowl right now."

But that's not the worst of it. The feeder supports "over the air" firmware updates, so if the hole had been found not by a Russian cat lover but by a malicious hacker, he could have pushed firmware to all the feeders that turns them into "bricks" (after which the device could be restored only by taking it apart, soldering a programmer to the controller's contacts and flashing the firmware manually, and it is quite possible that the whole electronics board would have had to be replaced).


Fortunately, Anna had no desire to become ruler of the world's cats; she simply wanted to inform the manufacturer about the problem and how to fix it. In response she was told that "the vulnerability has been fixed and her data is being processed by technical specialists", but as of now the hole has not been closed.

According to Anna, the problem concerns only the feeders and does not apply to other Xiaomi devices.

Most "smart devices" work through Chinese clouds, and how well the security issues in their software have been resolved is known to no one but the Chinese programmers. A couple of years ago there was a big story about cheap home security cameras that could be accessed with the default password, which let anyone spy on owners who had not changed the password after purchase. There were even voyeur forums where people shared juicy screenshots and discussed the personal lives of unsuspecting camera owners.

The number of smart devices in our homes keeps growing. I now have a motorized curtain rod and surveillance systems, at home and at the dacha, that run "in the cloud". I protect myself against potential hacking not only with passwords but also by physically disconnecting the devices (the cameras only work when I am not at home, and the curtain drive only when I am there), but most users of "smart devices" don't think about protection at all.

P.S. Details of the story with the feeder are on Habr. Anna herself also replies to the comments there.

© 2019 Alex Nadozhin
The main theme of my blog is technology for everyday life. I write reviews, share experiences and talk about all sorts of interesting things. My second project is lamptest.ru, where I test LED lamps and help figure out which ones are good and which are not.