Image: Xiaomi

A Russian security researcher said she accidentally found a way to hack and take over all FurryTail pet feeders located across the world.

In a series of messages published on her private Telegram channel last week, Anna Prosvetova, a security researcher from Saint Petersburg, Russia, said she identified vulnerabilities in the backend API and firmware of FurryTail smart pet feeders.

These are smart pet food containers that can be configured with the help of a mobile app to release small quantities of food at certain times of day.

FurryTail devices are specifically built to handle cat and dog food, and are often used when owners leave pets alone in houses or apartments while they leave for long trips.

Researcher locates 10,950 FurryTail feeders

Prosvetova said that while looking at a device she bought from AliExpress for only $80, she found that the API allowed her to see all other FurryTail devices active located across the world.

In total, she found 10,950 devices, on which the researcher claimed she could have changed feeding schedules without needing a password.

Furthermore, she found that the devices were also using an ESP8266 chipset for WiFi connectivity. She said that a vulnerability in this chipset would have allowed an attacker to download and install new firmware, and then reboot the feeders so the changes take hold.

Prosvetova said the vulnerabilities would have been ideal for hackers looking into hijacking the pet feeders into an IoT DDoS botnet, as the entire process could be easily automated and carried out at scale.

Xiaomi was notified last week, but not their problem



Initially, the Russian researcher contacted Xiaomi to notify the company about the bug. She reached out to Xiaomi because on various online marketplaces the FurryTail devices was being advertised as the Xiaomi FurryTail pet feeder.

Several Xiaomi spokespersons, including Xiaomi's security team, have told ZDNet this week that the FurryTail is not an official Xiaomi product, and that FurryTail was selling it under the Xiaomi brand without permission.

Prosvetova's initial decision to refrain from posting exact details about the security bugs has now paid dividends, as the issues are still exploitable.

Updated on October 31 to remove mentions of Xiaomi. A Xiaomi spokesperson told ZDNet FurryTail was selling the device under the Xiaomi brand without permission, and that this is not an official Xiaomi product.