Hole in the bowl: smart pet feeder springs a leak

Smart feeders were invented to make life easier for pet owners; however, their vulnerabilities threaten not only owners’ privacy, but also the health of their pets.

Case study: smart pet feeder vulnerabilities

All animal owners love their pets. And what do pets love above all else? TLC and food, of course. Or vice versa: food first, tummy-rub second.

Today’s smart feeders are designed to make sure your pet won’t go hungry or get bored while you’re away. But what’s the score cybersecurity-wise? Not great…

Smart feeder for furry friends

Smart feeders are becoming a popular choice for pet owners who can’t stay at home all day. It’s hard to explain to a cat or dog why you need to leave the house every morning instead of staying home to feed and walk/play with them, but at least with a smart feeder — they don’t go hungry.

The earliest smart feeders were offline timer-controlled devices that simply measured out food portions. But, as smart-home systems caught on, feeders became more complicated and acquired extra features. Now, not only can you set a food-dispensing schedule, but also monitor and even communicate remotely with your pet using the built-in microphone, speaker and camera; many also support voice control via external devices such as Amazon Alexa. For this, they connect to your home Wi-Fi and are managed through an app on your phone.

As you can guess, if a smart-home device has camera, microphone and internet access, it’s of great interest to hackers. As regards IP camera security (or lack thereof), we’ve already used up a lot of digital ink; hackers can hijack online baby monitors to harass babysitters and frighten kids; robot vacuum cleaners can leak racy photos of owners or a layout of their home; and even smart light bulbs (!) have been used for attacks on home networks.

Now it’s smart feeders’ turn.

Leaky bowl

Our experts studied the popular Dogness smart feeder and found many vulnerabilities in it that allow an attacker to alter the feeding schedule — potentially endangering the health of your pet, or even to turn the feeder into a spying device. Some of the more frustrating security issues include the use of hard-coded credentials, communication with the cloud in cleartext, and an insecure firmware update process. These vulnerabilities can be leveraged to gain unauthorized access to the smart feeder and use it as a launching pad to attack other devices on the home network. For details about the research methodology, see our in-depth report on Securelist. Here though, we’ll just touch on what holes were found and the risks they pose.

The root of the problem

The main vulnerability in the Dogness smart feeder is the Telnet server allowing remote root access through the default port. At the same time, the superuser password is hard-coded in the firmware and cannot be changed, meaning that an attacker who extracts the firmware can easily recover the password and gain full access to the device — and in fact any device of the same model, since they all have the same root password. All they have to do is buy the same model of feeder and tinker around with it.

By logging in remotely via Telnet (for this the hacker needs to gain remote access to your home network) with root access, an intruder can execute any code on the device, change the settings and steal sensitive data, including video footage transferred from the feeder camera to the cloud. Thus, the feeder can readily be transformed into a snooping device with a wide-angle camera and a good microphone.

Encryption anyone?

In addition to the root password being both embedded in the firmware and common for all devices, we discovered a no less serious vulnerability: the feeder communicates with the cloud without any encryption. Authentication data is likewise transmitted in unencrypted form, which means a malicious actor doesn’t even have to bother scraping the root password from the firmware: it suffices to intercept the traffic between the feeder and the cloud, gain access to the device, then attack other devices on the same network through it — which puts the entire home infrastructure at risk.

Alexa, bark!

But despite the holes, the bowl is still full of surprises. The Dogness feeder can connect to Amazon Alexa for voice control. Handy, right? Just say “Feed!” to Alexa. You don’t even need to get your phone out.

Once again, as you can imagine, such lax security on the part of the developers has consequences. The device receives commands from Alexa via MQTT (Message Queuing Telemetry Transport), and the login credentials are again written in cleartext directly in the executable file. Which again means they’re the same for all devices on the market — that is, once you connect your feeder to Alexa for voice control, it’s not really your feeder anymore.

By connecting to the MQTT server, a hacker can quickly collect the identifiers of all similar devices connected to the server – that is, all those feeders whose owners decided to use the voice control. After that, the cybercriminal can send any of the commands available via voice control from the MQTT server to any Alexa-connected Dogness feeder with a known identifier.

A cybercriminal would be able to send it commands to change the feeding schedule and amounts of measured-out food (granting your pet either a feast fit for a king or a Jesus-like fast). Another side-effect is that an attacker could send specially formed commands to the feeder repeatedly, thereby rendering the voice command interface inoperable.

Streaming — whether you want it or not

As the study progressed, new surprises awaited us regarding the uploading of video to the cloud, from where you can stream it back to your phone. Although the mobile app connects to the server using the secure HTTPS protocol, it turned out that the feeder itself transmits data to the cloud without any encryption at all — via bad old HTTP. What’s more, both the device ID and the upload key (which is hardcoded into the binary) are transmitted to the server in cleartext.

Given that the feeder camera is designed to continuously record and transmit video to the server, this vulnerability allows attackers to see and hear everything that goes on in the camera’s field of view.

Not-so-firm ware

Finally, the icing on the cake; rather — the cream that the cat got: the firmware update process — the means by which to fix the above issues — is itself insecure! To update, the feeder downloads an archive file with new firmware from the update server via the unsafe HTTP. Yes, the archive is password-protected, but, as you’ve probably already guessed, this password is written in cleartext in one of the update scripts. And the URL from which the latest firmware version is downloaded is generated based on the response received from the update server, whose address is, that’s right, stitched into the existing firmware.

There are no digital signatures, and no other methods of verifying the firmware: the device downloads the archive with the new firmware over an unencrypted channel, unzips it using the embedded (and common to all devices) password, and promptly installs it. This means that an attacker can potentially modify the firmware and upload anything they wish to the device — adding unexpected and unwanted features.

How to stay safe?

In an ideal world, all these security flaws would have been remedied by the feeder manufacturer through a timely firmware update — before hackers got to know about them. Back in the real world, we’ve repeatedly reported the flaws to said manufacturer, but have had no response — since October 2022. Meanwhile, all the vulnerabilities we found are still there in the Dogness smart feeders that are being sold to the public. And this poses a serious threat to pets’ well-being and owners’ privacy.

We recommend reading our detailed guide to setting up smart-home security. Most of the advice there applies equally to the smart-feeder issues described above. In any case, here are some simple tips specifically for owners of Dogness feeders:

  • Check regularly for firmware updates.
  • Don’t use Amazon Alexa to control your Dogness feeder.
  • Either turn off video streaming to the cloud, or position the feeder in your home so that the camera can’t capture anything private.
  • Set up a secure VPN connection to access the internet using a router that supports your home network — this will greatly reduce the risk of attacks via the insecure HTTP protocol.
  • If your router doesn’t have VPN support, create a guest Wi-Fi network on it and connect the feeder (and other insecure smart-home devices) to it. This will prevent attacks on other parts of your home network if an insecure smart device gets hacked.
  • Use a reliable security solution on all devices in your home. We recommend a Kaspersky Premium subscription for comprehensive protection of all devices in your home and monitoring of changes on your home network to detect and reject unauthorized connections.