
SNHACK Attack: How Hackers Could Turn Your Smart Pet Feeder into an All-You-Can-Eat Buffet

Submitted by
Style Pass
2024-12-31 03:00:05

Recently a Smart Pet Feeder landed in my home. Out of curiosity, I have decided to check how secure this IoT device is and also extended this “research” to another brand and model. So far, I have checked the following ones that were purchased on Amazon and got some interesting results...

As you can see from the images above, the DUTs are the so-called BALIMO LENA and the PETLIBRO remotely-controlled IoT Pet Feeders. Both have an embedded camera, speaker and microphone.

Looking at the FCC database we can clearly see its internal PCB: https://fcc.report/FCC-ID/2A3DE-PLAF203 and therefore we can already see what SoC is installed (i.e. a classic Anyka used in many IoT Cameras) and potential pins for UART and JTAG!

Both DUTs rely on mobile apps for controlling them remotely: BALIMO relies on the official TUYA App called SmartLife (which has remained out of my scope for now), while the PETLIBRO relies on its PETLIBRO and PETLIBRO LITE apps.

Since my investigation was more focused on the hardware side… I did not spend any time looking at the APKs nor the cloud APIs (which usually are still an interesting target to check. Just saying ;) ). However, out of curiosity I did run a quick scan with MobSF and here you can see the results… Overall no big red flags…
