The Russian security researcher Anna Prosvetova, from Saint Petersburg, has accidentally discovered API and firmware issues that allowed her to take over all Xiaomi
Last week, Prosvetova revealed on her private Telegram channel (@theyforcedme) that she had discovered the flaw in the Xiaomi
“While studying the feeder API, I discovered some records that run on the screen of any of these devices, as well as data on the WiFi networks of the people who bought them,” explained the expert. “After a couple of clicks I was able to feed any dog or cat, although it also has a malicious use, as it is possible to delete the schedules programmed by the user, which would leave the pets without food.”
The researcher explained that the devices were exposed online without authentication and that she was able to change feeding schedules. The expert also discovered that the devices use the ESP8266 Wi-Fi chipset, which is affected by a flaw that an attacker could exploit to download and install new firmware, and reboot Xiaomi
Attackers could abuse the issue to carry out various malicious activities, including DoS and DDoS attacks.
“At first she only found 800 of these devices online, although soon after this figure increased to 6,500, to finish its count in almost 11 thousand feeders. Fortunately, Prosvetova claims that she would be unable to use these devices to negatively impact any cat or dog,” reads the post published by SecurityNewspaper.
The researcher notified Xiaomi of the security vulnerabilities she discovered that