The Xiaomi Furrytail Feeder, offered through crowdfunding, is a smart food dispenser that lets owners feed their pets remotely on a schedule using Internet of Things (IoT) technology. A Russian security researcher was able to view and control around 11,000 devices worldwide via the API.
Things like this used to happen only in the movies. Now they are getting real.
Xiaomi’s Furrytail smart pet food station can automatically feed pets at set times, such as when the pet owner is away from home. The devices, however, are badly secured. By accident, Russian security researcher Anna Prosvetova found that she had access to over 10,000 Furrytail devices. In addition to changing the feed rations, the security researcher could also have changed the firmware of the devices. Although the Furrytail feed station comes from the manufacturer of the same name, it is sold under the Xiaomi brand. The issue was first reported on the Russian blog Habr.
The Furrytail feeding station costs approximately $80 and is suitable for dogs and cats. The amount of feed and the feeding times are set through the app. Through the device API, Prosvetova was able to see 10,950 active Furrytails worldwide. She could have fed the pets of the app owners at the touch of a button or changed the feed rations, the security researcher said. No password would have been needed. In addition, it would be possible to install modified firmware on the devices and thus take them over permanently. The devices could then be misused, for example, for DDoS attacks.
The security researcher initially did not want to post more details about the vulnerabilities, to give the manufacturer the chance to close them. She reported the vulnerabilities about a week ago. According to an e-mail published by Prosvetova, Furrytail has announced an update. However, the security researcher will not receive a bug bounty, the e-mail states. So far, the manufacturer has not set up a corresponding program.
One interesting point concerns Xiaomi's role: the feed station is indeed sold under the Xiaomi brand, but the device is manufactured by Furrytail. Xiaomi said: “The smart animal feed station Furrytail does not belong to Xiaomi's product palette, but comes from a third-party manufacturer”. Accordingly, the security researcher had turned not to Xiaomi, but to the manufacturer Furrytail. Xiaomi has been operating a bug bounty program since 2013.
- Amram is a technical analyst and partner at DFI Club Research, a high-tech research and advisory firm. He has over 10 years of technical and business experience with leading high-tech companies, including Huawei, Nokia and Ericsson, on ICT, semiconductors, microelectronics systems and embedded systems. Amram focuses on the business-critical points where new technologies drive innovation.