The story begins early January 2018.
After month of Gluttony after I've had Newton neutralized; I decided to separate the Human/Food factor in the head of my cat.
He's cute, but having him craving for food all the time and only asking for it wasn't really fulfilling my dreams of petting him.
Plus, I was convinced that having him to have more small portions along the whole day instead of big meals two times a day.

That's why I bought a connected pet feeder machine : HoneyGuaridan S25

My experience with the machine is fairly good. I can now plan up to 10 meals a day, with reasonably small portions; and I can also trigger extra meal at any moment with an App.
This very same App is also used to configure the meal plan, and check the machine status.
But something is bothering me a bit: the #iOS App is bad designed, and totally bugged.

Biggest bug was a cell reuse bug on the feeding plan form. Come on guys!

But I'm like "Hey, it's a simple App, I can do that as long as I know how the Rest API works".
So I plugged a proxy to intercept the app requests…

First red flag: the Api domains:
fr.dev.alnpet.com and us1.dev.alnpet.com
What?
I'm communicating with dev servers … from a production app?
Does production servers exists?
And who is AlnPet? Since I buyed a HoneyGuardan machine!

Second red flag: Calls are being made over HTTP.
Why bother with TLS? Come on, it's 2018 already, like Let's Encrypt is 4 years old already.
My password, and anything like authentication token or session could leak or be intercepted by an attacker.

Then ... something else started bothering me…

Something very weird was occurring in the requests I was intercepting:
There was no sign whatsoever of an authentication token of any sort … or a session cookie…
That's right … there is NO authentication in my requests…
That cannot be right …
So I try to load a random profile by injecting a random ID.
It printed an email ; and a feeder ID.
I triggered a meal on that feeder ID.

It printed "OK". I guess a cat or a dog somewhere was happy with my gift 😜

At this moment, I kinda panicked.
I opened the app ; replaced my email by a dummy one ; made sure my password was unique (it was).
And right after, I unplugged my feeder machine.

I wasn't sure about how to remove the setting Wi-Fi of the machine yet.
Before plugging it again, I wanted to know a little bit more about how it worked ; and if possible, control the way it would behave with my network.
I needed to understand exactly what I had plugged to my Network.

As my network uses #PiHole it was easy enough to find what DNS the Feeder Machine was resolving in my logs.
It was requesting only one DNS at all, just one: alnpet.net and it was resolving to the 47.90.203.137.
It's the same domain than the app API was using.

So I took my first resolution to protect myself on my network: banning the IP:

I let the script run for a day, with timestamps in the logs.
And turns out it goes from 9da1060105a0 to 9da106010000.

5a0 converts to 1440 = 24 x 60.
So the websocket provide the time … every ten seconds … with a precision of a minute 😬

I connect a very simple NodeJS code to mimic this behavior ; and convert the hour to hexa.
And now my machine stopped shifting into time. OK, progress 😝

With more back and forth, and using the original app to trigger some orders to the machine,
I was able to identify all the message sent by the socket to the machine, and the responses the machine would send to specific orders.
Feeding, Setting plan, Meal button was pressed, etc…

I understood that the machine was sending identification message, with it's internal ID.
And the answer was the time, in Toronto Timezone.
When sending an order, the machine would answer back with its ID and a suffix.