Hello and welcome to the Thursday, October 27, 2020 edition of the Sands and Storm Centers.

Stormcast, my name is Johannes Ulrich, and today I'm recording from Augusta, Georgia.

Today I wrote up a quick, a little bit fun observation of an IoT device I recently connected to my home network.

The device is a cat food dispenser and as many modern devices, well, it usually comes with

Wi-Fi connectivity and an app to control it.

Now, what drew my attention first was the fact that the dispenser calls out to Baidu, the Chinese search engine, every five minutes.

At least there is a DNS lookup for Baidu.

So far, I haven't actually seen the DNS feeder connect to the IP address that's being returned here.

The DNS lookup for BaidO. I've seen it in

similar devices before is typically linked to a library. I've seen them in Python. I've seen

them in JavaScript that check if internet connectivity is present. So I assume that's what's going on here.

These libraries are often, of course, written in China,

which means that Baidu is sort of the logical choice there.

Connecting to sites like Google may not work, first of all,

if the country-level censorship is blocking access

and may actually get people into trouble, which is also one reason why they may stick to

Baidu. In addition, the device suffers from a flaw that's actually sadly a little bit common

in IoT devices like this, and that it doesn't

randomize the query IDs for its DNS queries, doesn't even increment them, it just keeps

reusing the same query ID, which in this case is two, have seen it, use also query ID 3, which of course would make it trivial to spoof a response.

It also has an open telnet server.

So far, I haven't figured out using them in password.

...