{"id":21264,"date":"2023-06-20T08:19:08","date_gmt":"2023-06-20T12:19:08","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/21264\/"},"modified":"2023-06-20T19:55:36","modified_gmt":"2023-06-20T15:55:36","slug":"pet-feeders-vulnerabilities","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/21264\/","title":{"rendered":"Hole in the bowl: smart pet feeder springs a leak"},"content":{"rendered":"<p>All animal owners love their pets. And what do pets love above all else? TLC and food, of course. Or vice versa: food first, tummy-rub second.<\/p>\n<p>Today\u2019s smart feeders are designed to make sure your pet won\u2019t go hungry or get bored while you\u2019re away. But what\u2019s the score cybersecurity-wise? Not great\u2026<\/p>\n<h2>Smart feeder for furry friends<\/h2>\n<p>Smart feeders are becoming a popular choice for pet owners who can\u2019t stay at home all day. It\u2019s hard to explain to a cat or dog why you need to leave the house every morning instead of staying home to feed and walk\/play with them, but at least with a smart feeder they don\u2019t go hungry.<\/p>\n<p>The earliest smart feeders were offline timer-controlled devices that simply measured out food portions. But, as smart-home systems caught on, feeders became more complicated and acquired extra features. Now, not only can you set a food-dispensing schedule, but also monitor and even communicate remotely with your pet using the built-in microphone, speaker and camera; many also support voice control via external devices such as Amazon Alexa. For this, they connect to your home Wi-Fi and are managed through an app on your phone.<\/p>\n<p>As you can guess, if a smart-home device has a camera, a microphone and internet access, it\u2019s of great interest to hackers. 
As regards IP camera security (or lack thereof), we\u2019ve already <a href=\"https:\/\/www.kaspersky.com\/blog\/ip-cameras-unsecurity-eufy\/46574\/\" target=\"_blank\" rel=\"noopener nofollow\">used up a lot of digital ink;<\/a>\u00a0hackers can hijack online baby monitors to <a href=\"https:\/\/whdh.com\/news\/take-your-clothes-off-hacker-uses-security-system-to-talk-to-nanny-children-inside-home\/\" target=\"_blank\" rel=\"nofollow noopener\">harass babysitters and frighten kids<\/a>; robot vacuum cleaners can <a href=\"https:\/\/www.kaspersky.com\/blog\/robot-vacuum-privacy\/46682\/\" target=\"_blank\" rel=\"noopener nofollow\">leak racy photos of owners<\/a> or a layout of their home; and even smart light bulbs (!) have been used for <a href=\"https:\/\/www.usatoday.com\/story\/tech\/2020\/02\/05\/how-to-avoid-smart-lights-getting-hacked\/4660430002\/\" target=\"_blank\" rel=\"nofollow noopener\">attacks on home networks<\/a>.<\/p>\n<p>Now it\u2019s smart feeders\u2019 turn.<\/p>\n<h2>Leaky bowl<\/h2>\n<p>Our experts studied the popular <a href=\"https:\/\/finance.yahoo.com\/news\/dogness-intelligent-pet-products-climb-123000676.html\" target=\"_blank\" rel=\"nofollow noopener\">Dogness smart feeder<\/a> and found many vulnerabilities in it that allow an attacker to alter the feeding schedule \u2014 potentially endangering the health of your pet, or even to turn the feeder into a spying device. Some of the more frustrating security issues include the use of hard-coded credentials, communication with the cloud in cleartext, and an insecure firmware update process. These vulnerabilities can be leveraged to gain unauthorized access to the smart feeder and use it as a launching pad to attack other devices on the home network. For details about the research methodology, see <a href=\"https:\/\/securelist.com\/smart-pet-feeder-vulnerabilities\/110028\/\" target=\"_blank\" rel=\"noopener\">our in-depth report<\/a> on Securelist. 
Here though, we\u2019ll just touch on what holes were found and the risks they pose.<\/p>\n<h2>The root of the problem<\/h2>\n<p>The main vulnerability in the Dogness smart feeder is the Telnet server allowing remote root access through the default port. At the same time, the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/root-access\/\" target=\"_blank\" rel=\"noopener\">superuser password<\/a> is hard-coded in the firmware and cannot be changed, meaning that an attacker who extracts the firmware can easily recover the password and gain full access to the device\u00a0\u2014 and in fact <em>any<\/em> device of the same model, since they all have the same root password. All they have to do is buy the same model of feeder and tinker around with it.<\/p>\n<p>By logging in remotely via Telnet (for this the hacker needs to gain remote access to your home network) with root access, an intruder can execute any code on the device, change the settings and steal sensitive data, including video footage transferred from the feeder camera to the cloud. Thus, the feeder can readily be transformed into a snooping device with a wide-angle camera and a good microphone.<\/p>\n<h2>Encryption anyone?<\/h2>\n<p>In addition to the root password being both embedded in the firmware and common for all devices, we discovered a no less serious vulnerability: the feeder communicates with the cloud without any encryption. Authentication data is likewise transmitted in unencrypted form, which means a malicious actor doesn\u2019t even have to bother scraping the root password from the firmware: it suffices to intercept the traffic between the feeder and the cloud, gain access to the device, then attack other devices on the same network through it \u2014 which puts the entire home infrastructure at risk.<\/p>\n<h2>Alexa, bark!<\/h2>\n<p>But despite the holes, the bowl is still full of surprises. The Dogness feeder can connect to Amazon Alexa for voice control. Handy, right? 
Just say \u201cFeed!\u201d to Alexa. You don\u2019t even need to get your phone out.<\/p>\n<p>Once again, as you can imagine, such lax security on the part of the developers has consequences. The device receives commands from Alexa via MQTT (Message Queuing Telemetry Transport), and the login credentials are again written in cleartext directly in the executable file. Which again means they\u2019re the same for all devices on the market \u2014 that is, once you connect your feeder to Alexa for voice control, it\u2019s not really <em>your<\/em> feeder anymore.<\/p>\n<p>By connecting to the MQTT server, a hacker can quickly collect the identifiers of all similar devices connected to the server \u2013 that is, all those feeders whose owners decided to use the voice control. After that, the cybercriminal can send any of the commands available via voice control from the MQTT server to any Alexa-connected Dogness feeder with a known identifier.<\/p>\n<p>A cybercriminal would be able to send it commands to change the feeding schedule and amounts of measured-out food (granting your pet either a feast fit for a king or a Jesus-like fast). Another side-effect is that an attacker could send specially formed commands to the feeder repeatedly, thereby rendering the voice command interface inoperable.<\/p>\n<h2>Streaming \u2014 whether you want it or not<\/h2>\n<p>As the study progressed, new surprises awaited us regarding the uploading of video to the cloud, from where you can stream it back to your phone. Although the mobile app connects to the server using the secure HTTPS protocol, it turned out that the feeder itself transmits data to the cloud without any encryption at all \u2014 via bad old HTTP. 
What\u2019s more, both the device ID and the upload key (which is hardcoded into the binary) are transmitted to the server in cleartext.<\/p>\n<p>Given that the feeder camera is designed to continuously record and transmit video to the server, this vulnerability allows attackers to see and hear everything that goes on in the camera\u2019s field of view.<\/p>\n<h2>Not-so-firm ware<\/h2>\n<p>Finally, the icing on the cake; rather \u2014 the cream that the cat got: the firmware update process \u2014 the means by which to fix the above issues \u2014 is itself insecure! To update, the feeder downloads an archive file with new firmware from the update server via the unsafe HTTP. Yes, the archive is password-protected, but, as you\u2019ve probably already guessed, this password is written in cleartext in one of the update scripts. And the URL from which the latest firmware version is downloaded is generated based on the response received from the update server, whose address is, that\u2019s right, stitched into the existing firmware.<\/p>\n<p>There are no digital signatures, and no other methods of verifying the firmware: the device downloads the archive with the new firmware over an unencrypted channel, unzips it using the embedded (and common to all devices) password, and promptly installs it. This means that an attacker can potentially modify the firmware and upload anything they wish to the device \u2014 adding unexpected and unwanted features.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>In an ideal world, all these security flaws would have been remedied by the feeder manufacturer through a timely firmware update \u2014 before hackers got to know about them. Back in the real world, we\u2019ve repeatedly reported the flaws to said manufacturer, but have had no response \u2014 since October 2022. Meanwhile, all the vulnerabilities we found are still there in the Dogness smart feeders that are being sold to the public. 
And this poses a serious threat to pets\u2019 well-being and owners\u2019 privacy.<\/p>\n<p>We recommend reading our <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-secure-smart-home\/47472\/\" target=\"_blank\" rel=\"noopener nofollow\">detailed guide to setting up smart-home security<\/a>. Most of the advice there applies equally to the smart-feeder issues described above. In any case, here are some simple tips specifically for owners of Dogness feeders:<\/p>\n<ul>\n<li>Check regularly for firmware updates.<\/li>\n<li>Don\u2019t use Amazon Alexa to control your Dogness feeder.<\/li>\n<li>Either turn off video streaming to the cloud, or position the feeder in your home so that the camera can\u2019t capture anything private.<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-use-vpn-on-routers\/48410\/\" target=\"_blank\" rel=\"noopener nofollow\">Set up a secure VPN connection to access the internet using a router<\/a> that supports your home network \u2014 this will greatly reduce the risk of attacks via the insecure HTTP protocol.<\/li>\n<li>If your router doesn\u2019t have VPN support, create a guest Wi-Fi network on it and connect the feeder (and other insecure smart-home devices) to it. This will prevent attacks on other parts of your home network if an insecure smart device gets hacked.<\/li>\n<li>Use a reliable security solution on all devices in your home. We recommend a <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> subscription for comprehensive protection of all devices in your home. 
Included is <a href=\"https:\/\/me-en.kaspersky.com\/vpn-secure-connection?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____vpn___\" target=\"_blank\" rel=\"noopener\">high-speed VPN access with unlimited bandwidth<\/a>, plus monitoring of changes on your home network to detect and reject unauthorized connections.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Smart feeders were invented to make life easier for pet owners; however, their vulnerabilities threaten not only owners\u2019 privacy, but also the health of their pets.<\/p>\n","protected":false},"author":2742,"featured_media":21265,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[2088,82,765,43,97,630,1144,521,174],"class_list":{"0":"post-21264","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-tips","9":"tag-hacking","10":"tag-iot","11":"tag-privacy","12":"tag-security-2","13":"tag-smart-home","14":"tag-technologies","15":"tag-threats","16":"tag-wi-fi"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/21264\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/pet-feeders-vulnerabilities\/25823\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/10789\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/28521\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/pet-feeders-vulnerabilities\/26122\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/26472\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/pet-feeders-vulnerabilities\/28954\/"},{"hreflang":"it","url":"https:
\/\/www.kaspersky.it\/blog\/pet-feeders-vulnerabilities\/27872\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/pet-feeders-vulnerabilities\/35605\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/pet-feeders-vulnerabilities\/11557\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/48461\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/pet-feeders-vulnerabilities\/20764\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/pet-feeders-vulnerabilities\/21462\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/pet-feeders-vulnerabilities\/30282\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/pet-feeders-vulnerabilities\/26439\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/pet-feeders-vulnerabilities\/32132\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/pet-feeders-vulnerabilities\/31816\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2742"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21264"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21264\/revisions"}],"predecessor-version":[{"id":21267,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21264\/revisions\/21267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/21265"}],"wp:attachment":[{"href":"ht
tps:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}