Don't release any IoT products you wouldn't trust with your own loved ones
In October 2019, news broke of a Russian researcher who was able to hack into thousands of FurryTail pet feeders due to API and firmware vulnerabilities she discovered. Anna Prosvetova, a security researcher from Saint Petersburg, claimed to have purchased the smart pet feeder on AliExpress for $80. After examining the device, she reported accidentally discovering a vulnerability she could exploit in order to take control of all of the devices on the market around the world – all 10,950 of them.
It all started on the researcher’s Telegram channel
Prosvetova first came public with her findings on her Telegram channel:
“While studying the feeder API, I discovered some records that run on the screen of any of these devices, as well as data on the Wi-Fi networks of people who bought them. After a couple of clicks, I was able to feed any dog or cat, although it has malicious use as it is possible to delete schedules programmed by the user, which would leave the pets without food.”
FurryTail smart pet feeders are, as the name suggests, devices that allow pet owners to control when food is automatically dispensed for their pets. The device has a storage unit for dry kibble and allows users to set schedules and control the device from their app. Prosvetova initially found 800 devices online, although she stated it quickly increased to 6500 and then nearly 11 thousand. This not only allowed her to erase feeding schedules without a password, which could endanger pets, it also granted her access to private information of thousands of device owners, enabled her to download and install new firmware, and reboot the devices.
The cybersecurity researcher notified Xiaomi of the API and firmware bugs, as the FurryTail devices are marketed in various places online as “Xiaomi FurryTail” pet feeders. According to ZDNet, however, a Xiaomi spokesperson and the company's security team say that it is not an official Xiaomi product and that the Xiaomi brand name was being used without permission. When the flaw was reported to the manufacturers, they announced that a security patch would be added to the app; however, as of this writing it has not been released. Consumers who own the device are advised to disconnect it from the internet until an official update is announced and made available by the company.
Multiple vulnerabilities allowed this to happen
In a post on her Telegram account, Prosvetova said that she identified vulnerabilities in the backend API and firmware of the devices, which allowed her to see and access all of the devices, wherever in the world they were located. According to Prosvetova, the devices used an ESP8266 Wi-Fi chipset for connectivity. The ESP8266 is a low-power, low-cost Wi-Fi microchip manufactured by Espressif Systems. It is associated with three registered CVEs (Common Vulnerabilities and Exposures) made public in 2019: CVE-2019-12588, CVE-2019-12587, and CVE-2019-12586. She stated that vulnerabilities in this chip could potentially enable hackers to install fake firmware and reboot the devices for the changes to take hold. This would allow for formatting the devices, enrolling them in a botnet, and launching DoS and DDoS attacks, all of which could easily be automated and carried out at scale.
What’s the worst that could happen?
This is one example of how a single vulnerability in the firmware or API of a connected device can be exploited to generate an attack at a scale that could affect thousands or even millions of people worldwide. Luckily, this incident was reported by a cybersecurity researcher, or white-hat hacker, whose only intent was to expose the vulnerability so that the manufacturer would address it. The next hacker might not be so benign, and while hungry pets are a terrible thing, the next device could cause much greater damage. Imagine if connected devices used in offices, hospitals, and factories were controlled by criminals – affecting the safety of thousands because of one flaw.
Can the risk be mitigated?
IoT is taking hold of our lives thanks to the convenience it offers, but its inherent connectivity brings numerous risks. That being said, the solution is not to avoid connected devices – they can improve our lives in too many ways to ignore. It is the responsibility of the companies that manufacture these devices to ensure their consumers are safe, even when vulnerabilities are exposed in components provided by third-party manufacturers – as is the case with the Espressif chip in the FurryTail device.
By employing an “eye in the sky” view to monitor the devices and their activity, companies can detect and stop malicious activity without having to recall devices and install additional “security by design” solutions. Firedome’s platform is cloud-based and provides an eagle-view approach to detect behavioral anomalies that might indicate an attack taking place. Had FurryTail implemented such a solution, here’s what would have happened when Prosvetova tried to hack the devices:
This way, the attack is stopped before it can reach a phase that compromises private data and endangers consumers and pets. Too bad the Firedome platform still cannot protect against owners who forget to program their pets’ meals 🙂
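The "eye in the sky" idea above, as an added illustration that is not code from the original post and not Firedome's platform: a small cloud-side monitor that reads the backend's API access log and flags the behavioural pattern the incident describes, one client that reads other owners' Wi-Fi details, wipes schedules and pushes firmware across many devices in quick succession. The log format, the device IDs, the account names and the thresholds are all constructed for the example; the `OWNERS` table stands in for whatever the real backend uses to record which account a feeder belongs to.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed ownership table: which account legitimately controls which feeder.
OWNERS = {
    "dev-0001": "alice", "dev-0002": "bob", "dev-0003": "carol",
    "dev-0004": "dave", "dev-0005": "erin",
}

# State-changing actions. A burst of these across many devices from one client is
# the "reach every feeder in the world" pattern described in the post.
PRIVILEGED = {"delete_schedule", "push_firmware", "reboot"}

Alert = namedtuple("Alert", "kind client detail")

# Constructed API access log (hypothetical key=value format). Every line is a request
# the backend actually served, so a served request for someone else's device means
# the authorization check is missing, which is the root cause to fix as well as a signal.
SAMPLE_LOG = """\
2019-10-20T10:00:01Z account=alice client=app-alice device=dev-0001 action=get_schedule
2019-10-20T10:00:05Z account=alice client=app-alice device=dev-0001 action=set_schedule
2019-10-20T10:01:10Z account=bob client=app-bob device=dev-0002 action=feed_now
2019-10-20T10:02:00Z account=guest7 client=script-1 device=dev-0001 action=get_wifi_config
2019-10-20T10:02:01Z account=guest7 client=script-1 device=dev-0002 action=get_wifi_config
2019-10-20T10:02:02Z account=guest7 client=script-1 device=dev-0003 action=delete_schedule
2019-10-20T10:02:03Z account=guest7 client=script-1 device=dev-0004 action=delete_schedule
2019-10-20T10:02:04Z account=guest7 client=script-1 device=dev-0005 action=push_firmware
2019-10-20T10:02:05Z account=guest7 client=script-1 device=dev-0005 action=reboot
"""


def parse_log(text):
    """Yield one dict per non-empty log line; the timestamp is parsed to a datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def analyze(log_text, fanout_limit=3, priv_limit=2, window=timedelta(minutes=5)):
    """Return (alerts, clients_to_block) for the given log text.

    Rule 1: a served request for a device the account does not own.
    Rule 2: one client touching more than fanout_limit distinct devices inside window.
    Rule 3: one client performing privileged actions on priv_limit or more devices inside window.
    """
    alerts = []
    touched = defaultdict(list)      # client -> [(ts, device)] for every request
    privileged = defaultdict(list)   # client -> [(ts, device)] for privileged requests only
    raised = set()                   # (client, kind) pairs already alerted, to avoid spam

    for rec in parse_log(log_text):
        client, device, action, ts = rec["client"], rec["device"], rec["action"], rec["ts"]

        # Rule 1: cross-tenant access. Unknown devices are treated as not owned.
        owner = OWNERS.get(device, "unknown")
        if owner != rec["account"]:
            alerts.append(Alert("cross_tenant_access", client,
                                f"{action} on {device} (owner: {owner})"))

        # Rule 2: device fan-out. A real owner's app talks to one or two feeders.
        touched[client].append((ts, device))
        recent = {d for t, d in touched[client] if ts - t <= window}
        if len(recent) > fanout_limit and (client, "device_fanout") not in raised:
            raised.add((client, "device_fanout"))
            alerts.append(Alert("device_fanout", client,
                                f"{len(recent)} distinct devices within {window}"))

        # Rule 3: burst of privileged actions across devices.
        if action in PRIVILEGED:
            privileged[client].append((ts, device))
            recent_priv = {d for t, d in privileged[client] if ts - t <= window}
            if len(recent_priv) >= priv_limit and (client, "privileged_burst") not in raised:
                raised.add((client, "privileged_burst"))
                alerts.append(Alert("privileged_burst", client,
                                    f"privileged actions on {len(recent_priv)} devices"))

    # Fan-out and privileged bursts are strong enough to cut the client off automatically;
    # a single cross-tenant hit is logged for investigation but not blocked on its own.
    blocked = {a.client for a in alerts if a.kind in {"device_fanout", "privileged_burst"}}
    return alerts, blocked


if __name__ == "__main__":
    found, to_block = analyze(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] client={a.client}: {a.detail}")
    print("block:", sorted(to_block))
```

On the constructed log the monitor raises cross-tenant alerts for every `script-1` request, one fan-out alert once the fourth distinct device is touched, and one privileged-burst alert after schedules on two different feeders are deleted, then marks `script-1` for blocking; the two legitimate owners' apps produce nothing. Rule 1 is the one that matters most in this case: if the backend is logging successful requests for devices the caller does not own, the monitor is confirming that the API has no per-device authorization check, and the durable fix is to add that check, with the monitoring left in place to catch whatever the next bug lets through.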