A security researcher has discovered a serious flaw in Xiaomi pet feeders that could enable a malicious party to interfere with the feeding schedules of pets across the world.

The flaw, discovered by Russian security researcher Anna Prosvetova, concerned the Xiaomi FurryTail brand of smart pet feeders, which work with a mobile app to release limited quantities of pet food at pre-selected times of day.

According to ZDNet, Prosvetova found the flaw accidentally while looking at the API for the device, which she purchased from AliExpress for $80.

She discovered that the API allowed her to view all of the other Xiaomi FurryTail pet feeders that had been activated around the world, a total of 10,950 devices. With this access, she had the option to change the feeding schedules of all of these pets – something she did not do, but a malicious actor with the same access may have been tempted to act on.

Furthermore, she discovered the devices used a specific chipset to enable WiFi that could let a malicious actor to download and install new firmware.

A dedicated hacker could automate this process to download malicious content onto the devices at scale, and so create a vast internet of things botnet to perform DDoS attacks.

Flaw in Xiaomi pet feeders highlights need for security across the board

While ensuring security on a humble pet feeder may seem unimportant, the flaw underscores how important effective cybersecurity is on all devices – and how often such issues are ignored, particularly on consumer products.

“As we come to rely on software for more and more of our lives, we have reached a point where it’s crystal clear that all software development must be secure development,” said Jonathan Knudsen, senior security strategist at Synopsys.

“Even a basic security analysis of the design of the pet feeder system would have revealed its vulnerabilities and resulted a more robust, resilient design.”

Prosvetova did contact Xiaomi about the pet feeders flaw, and the technology giant has promised to develop a fix for the issue. However, a more robust development process would have avoided the incident altogether and so saved the company potential brand damage that it may now face.

“For a little extra effort, the manufacturer could have saved itself the embarrassment of this story and could have better protected the safety of customers’ pets,” added Knudsen.

“Using a Secure Development Life Cycle fulfills the old proverb, ‘a stitch in time saves nine’. For a little more effort up front, you are handsomely repaid in better products, happier customers, and reduced risk.”


Read more: Mikko Hyppönen: Smart devices are “IT asbestos”