Petlibro Smart Pet Feeder Improper Access Control Vulnerability Allowing Unauthorized Device Manipulation
Vulnerability
A vulnerability exists in the Petlibro Smart Pet Feeder Platform in versions through 1.7.31 that allows unauthorized manipulation of devices through improper access control. The platform's device control APIs accept an arbitrary device serial number without verifying that the requesting account owns that device, a classic insecure direct object reference (IDOR). An attacker who knows or obtains a device's serial number can therefore control any connected feeder simply by sending that serial number to the API; no authorization check stands in the way. Successful exploitation could lead to unauthorized changes to feeding schedules, manual feeding activations, access to camera feeds, and modification of device settings.
Impact
Exploitation allows unauthorized control of pet feeders: changing feeding schedules, triggering manual feeds, accessing camera feeds, and modifying device settings. Because the same missing ownership check applies to recorded messages, an attacker can also assign any stored recording to any device, exposing private audio recordings intended for the owner's pet. In effect, any connected device can be hijacked by anyone who can supply its serial number.
Reproduction
The vulnerability is reproduced by sending a request to one of the device control APIs with the serial number of a device that the requesting account does not own. The API acts on the serial number without an ownership check, so the request succeeds and the device is manipulated: feeding schedules can be changed, manual feeds triggered, camera feeds accessed, and device settings modified. The same gap allows unauthorized access to private audio recordings, since any recorded message can be assigned to any device. The standard way to confirm this class of flaw is a two-account check: register two accounts, each with its own device, and submit one account's device serial number from the other account's session; a correctly authorized API rejects the request.
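The following is an added example, not Petlibro's code and not derived from the platform's API; it illustrates the flaw described in the Vulnerability and Reproduction sections above in generic form. It models a device-control endpoint that trusts a client-supplied serial number, beside a hardened version that resolves the serial number only within the caller's own devices and applies the same rule to recordings. All names (Device, Recording, feed_now, assign_recording, the in-memory DEVICES and RECORDINGS stores, the serial numbers and account IDs) are constructed for the example.

```python
"""Added example: ownership check for a serial-number-keyed device API.

Hypothetical code. The data model, handler names and sample state below are
assumptions made for illustration, not the platform's real API.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


class Forbidden(Exception):
    """Raised when the caller does not own the referenced object."""


@dataclass
class Device:
    serial: str
    owner_id: int
    feed_log: List[Tuple[int, int]] = field(default_factory=list)  # (caller, grams)
    recording_id: Optional[int] = None


@dataclass
class Recording:
    recording_id: int
    owner_id: int
    label: str


# Constructed sample state: two accounts, one feeder and one recording each.
DEVICES = {
    "SN-AAA-001": Device("SN-AAA-001", owner_id=1),
    "SN-BBB-002": Device("SN-BBB-002", owner_id=2),
}
RECORDINGS = {
    10: Recording(10, owner_id=1, label="alice-call"),
    20: Recording(20, owner_id=2, label="bob-call"),
}


def feed_now_vulnerable(caller_id: int, serial: str, grams: int) -> str:
    """Flawed pattern from the advisory: the serial number alone selects the target."""
    device = DEVICES[serial]  # owner_id is never compared to caller_id
    device.feed_log.append((caller_id, grams))
    return f"fed {grams}g from {serial}"


def _owned_device(caller_id: int, serial: str) -> Device:
    """Resolve a serial number only among the caller's own devices, failing closed.

    'Unknown serial' and 'not your serial' raise the same error so the endpoint
    does not double as an oracle for which serial numbers exist.
    """
    device = DEVICES.get(serial)
    if device is None or device.owner_id != caller_id:
        raise Forbidden("device not found")
    return device


def feed_now(caller_id: int, serial: str, grams: int) -> str:
    """Hardened handler: the object is scoped to the authenticated caller."""
    device = _owned_device(caller_id, serial)
    device.feed_log.append((caller_id, grams))
    return f"fed {grams}g from {serial}"


def assign_recording(caller_id: int, serial: str, recording_id: int) -> str:
    """Every object the request references must belong to the caller, not just one."""
    device = _owned_device(caller_id, serial)
    rec = RECORDINGS.get(recording_id)
    if rec is None or rec.owner_id != caller_id:
        raise Forbidden("recording not found")
    device.recording_id = rec.recording_id
    return f"{rec.label} assigned to {serial}"


def allowed(handler: Callable[..., str], *args) -> bool:
    """True if the handler accepts the request, False if it refuses on ownership."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False


def cross_account_probe() -> dict:
    """Two-account check: account 2 targets account 1's feeder via both handlers."""
    return {
        "vulnerable": allowed(feed_now_vulnerable, 2, "SN-AAA-001", 5),
        "hardened": allowed(feed_now, 2, "SN-AAA-001", 5),
    }


if __name__ == "__main__":
    print(cross_account_probe())  # vulnerable handler accepts, hardened one refuses
```

The point of the hardened form is that the serial number is never used as a lookup key on its own; it is always paired with the caller's identity, so a request for a device outside the caller's account is indistinguishable from a request for a device that does not exist.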
Remediation
Users are advised to update to the latest version of the Petlibro Smart Pet Feeder Platform, as the issue has been addressed in releases after 1.7.31. The root-cause fix is server-side: the device control APIs must resolve a submitted serial number only within the requesting account's own devices (and apply the same ownership rule to recorded messages) rather than trusting the serial number as a sufficient key.
