Why Is My Cat Using Baidu? And Other IoT DNS Oddities

Long-time Slashdot reader UnderAttack writes: IoT devices are often stitched together from various odd libraries and features. The SANS Internet Storm Center has a story about a cat feeder that not only appears to reach out to Baidu.com every five minutes but also uses a vulnerable DNS library that uses repeating query ids allowing for simple spoofing not seen since the early dark years of DNS
The article, by a SANS.edu dean of research, concludes that "Some networking libraries use 'baidu.com' for internet connectivity checks. Even if the DNS lookup succeeds, there is no actual outbound connection in this case. The device is happy as long as an IP address is returned."

Cat feeder

[Retired Chemist]

Why on earth would anyone need an internet connected cat feeder. With a dog, I could almost understand it, since they will eat until they are sick if you let them. Cats just eat when they are hungry. This seems a clear example of attaching things to the internet just because you can and incidentally probably creating a backdoor into your home system.

Re:

[stabiesoft]

Probably NTP if nothing else. Does anybody know what time it is as Chicago would say.

Re:Cat feeder

[uncqual]

The article explains that the reason that the cat feeder is being used is to limit the food intake of a cat which "has gained an unhealthy amount of weight". So, the cat feeder is explicitly being used to prevent the cat from eating unlimited amounts until they are no longer hungry.

It also explains that the feeder has a camera which, presumably, is intended so the cat's owner can see the cat or the food bowl or something like that from a remote location. This is a feature that some people might want. If I had a cat and had such a feeder, I actually might want to have remote notification of errors and anomalous conditions - such as "feeder jammed" or "feed hopper empty".

The author of the article points out that because the device has internet connectivity, "it was immediately moved to our "IoT" network. The IoT network is pretty much locked down and closely monitored" so, presumably, in this case the author has isolated it from their home network -- which is not to say that one's great grandmother would be likely to take the same precautions.

Re:

[93 Escort Wagon]

I've always heard cat lovers declare (as the GP did) that cats "will only eat what they need". But then, in the real world, I've also come across numerous people's overly fat cats. Apparently some cats "need" more than others? Do these cats have an innate "need" to be round?

Re:

[quonset]

I've always heard cat lovers declare (as the GP did) that cats "will only eat what they need". But then, in the real world, I've also come across numerous people's overly fat cats. Apparently some cats "need" more than others? Do these cats have an innate "need" to be round?

Every cat (and dog) is different. There are generalizations about every breed but, like humans, there will always be outliers.

Re:Cat feeder

[vadim_t]

I have two cats.

One was bought from a shop, and is very timid, fussy with her food and only eats what she needs. She likes cat food of one particular brand, and almost nothing else. She'll even ignore meat and fish.

The other one was picked up from the street after his mother died. He's obviously felt real hunger. He'll eat almost anything: cheese, pasta, avocado, bread and other pasty, meat, fish, milk, the other cat's food even if his bowl is full, cooking oil... and he'll spend a lot of time and effort ripping up any packaging that might be in his way, and insistently stick his head in any plate of food anybody is eating. He'll eat until he vomits and then start again.

The first can be fed by just refilling the bowl once in a while, the second needs constant management.

I've had multiple cats and most of mine have been far more like the first. The second is a new experience and a quite extreme one probably caused by a hard life.

Re: Cat feeder

[trogdor8667]

Iâ(TM)d never thought about it, but our cat that we found when she was a few hours old never overate. The one who we found starving at 6 months old always overate.

Re: Cat feeder

[arglebargle_xiv]

Don't worry, as a dog person I think all cats are overated, not just your two.

Re:

[larwe]

This applies to people, also. My maternal grandparents, who were slave laborers in occupied Europe during WW2, always criticized me any time I spent my pocket-money on toys, books, drawing materials, etc. If I used that money to buy food, they would nod approvingly.

Re:

[thomn8r]

I've always heard cat lovers declare (as the GP did) that cats "will only eat what they need".

We have one that will not walk away from a bowl until it is empty. If it's too much, he'll step back, barf, and then dig right back in again.

Re:

[93 Escort Wagon]

We have one that will not walk away from a bowl until it is empty. If it's too much, he'll step back, barf, and then dig right back in again.

To be completely fair to cat lovers... you've described just about every dog I've ever owned. Our current pups eat so fast that, when their dishes are empty, the second thing they do is let out a loud belch because they've swallowed so much air (the first thing is to frantically explore each other's dishes, hoping the other has missed something). If given the chance, they'd might actually do a real life, dog-themed version of the Monty Python "Mr. Creosote" sketch.

(and actually I do like cats; I just prefer

Re:

[Nrrqshrr]

It's a known behavior in cats who were once stray or did not have enough food as tiny kittens. They will eat till they're full, and then some more, since they have an ingrained fear of food-insecurity. Of course, it could also be anything, for example bored or stressed cats will eat too much as well just to occupy themselves.
The solution is to schedule food and to make sure that they get their fill, and not more. But it's an interesting problem for anyone picking up a stray to deal with.

Re:

[uncqual]

Having had some cats running around the house at various times...

At the same time we had a couple cats. One was very smart, one was less so.

However, another big difference was how they viewed food.

The smart one was very food focused -- he would eat and eat if given the opportunity and, unfortunately, would often then regurgitate some of that (thank the manufacturing gods for wet-and-dry shop vacs!). He had no specific health problems for most of his life -- but given the opportunity he would eat so much tha

Re:

[CaptainOfSpray]

"Do these cats have an innate "need" to be round?"

That cat has met a physicist who has told them that to achieve their full feline powers (temporal and spatial displacement), they need to be spherical.

Our Bonny could move from upstairs, asleep, to standing by her bowl downstairs without any noise of her passage, and in a time interval too short to measure. We consider it a done deal that cats can travel through hyperspace at warp speed. Although we also consider it entirely likely that Bonnie, who was

Re:

[quonset]

The article explains that the reason that the cat feeder is being used is to limit the food intake of a cat which "has gained an unhealthy amount of weight".

Which didn't answer the OP's question. Why is this automatic cat feeder connected to the internet? There are plenty of such feeders which do not rely on internet connectivity. The only part which makes any sense is the camera portion, but even then if the feeder would malfunction, what is the person going to do? Rush home? If the cat is overweight f

Re:

[Moryath]

The only part which makes any sense is the camera portion, but even then if the feeder would malfunction, what is the person going to do? Rush home?

A number of scenarios come to mind. For instance, if the owner has left the cat home while traveling, they might contact a friend/neighbor/relative to swing by and check on things.

If the cat is overweight from too much eating not having food for a few hours will not kill it.

A few hours perhaps not. Multiple days - in a scenario where the automatic feeder

Re:Cat feeder

[rworne]

I have such a device.

It's a pet feeder with a camera that shows the food bowl, and anything in the vicinity of the feeders bowl. It does notify if:
1. Food level drops less than 25%
2. Food bowl is full, or there is a jam, filling the chute to the bowl.
3. Notifications that food was dispensed at the proper schedule.

My cat tends to eat quickly then drinks and pukes it up. The feeder allows me to feed him in small quantities every 2 hours or so, minimizing this behavior. This way I can make sure he gets fed the right amounts even when away at work or when asleep. If, for some reason, it shorts a feeding, another will come in not too long. I always have the ability to view it on my phone at work and can manually feed (and watch it dispense) when I am not at home. At home, I can easily hear or see it dump food at the scheduled times. The cat will let me know if he's dissatisfied with the food quantity.

Re:

[larwe]

Camera can also show, in a multipet household, who was eating there. Actually it can also show if a single cat has visited the bowl multiple times - i.e. "is he eating his entire ration at once, or is he snacking/browsing?". Lots of valid use cases for a camera on a feeder. I have motion cameras pointed at my pet bowls so I know, while traveling, that they are hydrating regularly.

to bad that isps are pushing / forcing you to rent

[Joe_Dragon]

to bad that isps are pushing / forcing you to rent there hardware.
Comcast you can use your own but you get slower uploads and have to pay for the unlimited add on.

Re:

[gweihir]

Completely agree. Do not connect things to the internet that do not need it, much less IoT crap.

Re:Cat feeder

[rtkluttz]

Completely wrong question. Why the fuck does anyone use cloud hosted devices? I want connected devices. I work in IT my whole life, so I'm not a luddite, but it is 100% unacceptable to have any device in my home behind my own firewall that requires me to authenticate and ask permission of someone elses servers to control something that is also behind my firewall. That is security and privacy lunacy and that shit will never be in my home. I want devices that connect to my my home network that make ABSOLUTELY FUCKING ZERO outbound connections. I want devices that I have to VPN in and control via a 100% local web interface or API. I will not ask permission from someone else to control devices in my own space. That is analogous to buying a house and your realtor keeping the keys and saying call us every time you want in or out and we'll control also what you can do in your house and when.

Re: Cat feeder

[Anonymouse Cowtard]

That is analogous to buying a house and...

... drinking tap water. This is what happens when they put fluoride in the water. The only option is to install a tank and harvest off your roof. Charcoal filter and a bit of chlorine or sulphites, salt and minerals.

Re:

[Anonymous Coward]

The only option is to install a tank and harvest off your roof.

Actually, its not the only option. First, in some western states, it's illegal to store or use the water that falls on your roof without a permit. https://worldpopulationreview.... [worldpopul...review.com]

Second, you only need non-floridated water for consumption so it's not needed for washing clothes, operating toilets, watering the lawn, washing the car, and for most people, washing dishes. Normally, people that prefer non-floridated water are only concerned with drinking water and sometimes creating ice. Typically this can b

Re:

[Nrrqshrr]

>I work in IT my whole life, so I'm not a luddite

That's the irony of it all. The more time you spend with tech, the more of a luddite you become. The people against IoT are probably the only ones who can build safeguards to keep their devices in check. The ones who love IoT and the target audience for it probably use "123456" as their default password for everything.

Re:

[WarlockD]

Nailed it on the head right there. There is no such system to self host the various IoT devices in your house. I have the knowledge to set up a Radius server and set up the devices that support it so that I can use a centralized password system. However, could you also do the same with the various cloud services that rely on Google/Facebook session keys? The reason all these companies use cloud services is that there IS no good solution for self hosting. No one sells a magic box you can plug in your wa

Re:

[uncqual]

We don't use cloud hosted devices in our home (and we are not a luddites either). But I can see the value in them for some scenarios. One is reliability of remote access without having to cobble something together and the other is simplicity.

Not understanding why people use cloud hosted devices is a little like not understanding why some people liked automatic transmissions back when manual transmissions give better gas mileage and cost less. Ease of use, lower learning curve, etc. can trump "maximum effici

Re:

[rtkluttz]

Plain and simple, anyone who uses cloud hosted devices behind their firewall is an idiot. Anyone who understands the loss of privacy and can build things that do the same thing in a way that doesn't give a company the keys to your kingdom does so. It really is bad enough that there should be regulation against it. Idiots who don't understand or don't care need to be protected from themselves.

Re:

[uncqual]

Ah, yes. The "everything is binary" and "everyone is like me" argument!

Very compelling.

Re:

[JaredOfEuropa]

Why? Convenience. At home my IoT stuff lives on an isolated vlan, I do not use stuff that requires a cloud service. My “smart” doorbell offers a choice between the company’s cloud service or your own setup, with open standards for audio, video and signalling. It’s great but a pain to set up.

There’s also a few properties that I monitor remotely. I just got a bunch of DLink cameras for those. Why? Because any idiot can set up those cameras in under a minute. Install the app,

Re:

[joe_frisch]

You say " want devices that connect to my my home network that make ABSOLUTELY FUCKING ZERO outbound connections." So do I, but wanting doesn't mean you or I get to have it.

I could spend a huge amount of time researching devices, testing them etc to make sure they really don't try to connect outside - but in the end its a losing game. Similarly I could refuse to carry a smart phone, not use the internet, etc, and live pretty much surveillance-free, but also cut off from a lot of modern technology.

Re: Cat feeder

[orlanz]

Well, most of the consumer base isn't like you. In your example, most people don't know how to use keys and don't want to. But still want to live in a house.

Re:

[thegarbz]

Why the fuck does anyone use cloud hosted devices? I want connected devices.

Your UID is low so it's probably your fault. We were here at the beginning and didn't stop it. We let IP addresses get exhausted. We put ever device on our network behind a NAT. We put that NAT behind a CgNAT.

You want connected devices? Good luck pay for a business account. Your grandmother wants connected devices? Tough, get an IT degree and learn how networking works in incredible detail just to get a connection.

Or... Let the device reach out to a central service and bypass everything.

Everyone wants conne

Re:

[AmiMoJo]

Some cats do develop poor eating habits, and need their human to help moderate their intake.

It also gives the human some peace of mind to know that their cat is eating when away from home.

It doesn't always work though, sometimes the cat just spends all day attacking the machine, trying to get food out of it. Because it occasionally dispenses food while they are smashing it up, they think they pummeling it makes the food come out.

Re:

[Gabest]

We have a second house 100km away, with a few stray cats. These feeders keep them alive. One major problem, they like the feeder more than us.

Re:

[larwe]

I can vouch for the fact that cats do NOT self-regulate their food input. If my eldest cat is permitted to free-feed, he will eat until he pukes, nap, eat some more. The vet gave us strict rationing instructions about how much and how often to feed him.

Re:

[thegarbz]

With a dog, I could almost understand it, since they will eat until they are sick if you let them. Cats just eat when they are hungry.

My cat got under the fishtank one day where we keep the bag of cat food. Tore it open, and ate herself so silly she passed out in the food.

Animals are like people. Some eat sensibly, some engorge themselves to the limits of their body and then pass out.

Re:

[BoogieChile]

Yes, because nobody has ever seen an overweight cat, right?

Re:

[DarkOx]

Cats just eat when they are hungry.

Many cats absolutely will overeat though. "free feeding" ie just keeping the bowl full - really isn't a good practice for most domestic cats. While if its probably okay to do occasionally if you going to miss a scheduled feeding to just put out extra food, its not something you should generally daily.

obesity leads to a lot of health problems in the later lives of cats, and its very difficult take weight off a cat safely. Its really worth talking to your vet about how much to feed your cat and when if you w

Re:

[greylion3]

Oh, hah! I thought "cat feeder" referred to some kind of entrepreneurial equipment.
That's a bit less worrisome.

You need to ...

[PPH]

... warn your cat about what happens to cats [pinimg.com] when Chinese restaurants find them.

This would be appropriate

[quonset]

Not everything needs connected to the internet [imgur.com].

Re:

[No Longer an AC]

I haven't laughed that hard at a Seinfeld episode since the '90s.

Just like early MS products

[fermion]

When you amateurs building a computer, bad things happen. Remember exposing your entire had drive to the internet. Or how up until like 2000 an e-mail in outlook could crash a network, even if not opened?

Re: Just like early MS products

[Anonymouse Cowtard]

Remember when amateurs allowed you to access anyone's HoTMaiL account? Fun times.

Remember the amateurs that made the firmware that left printers and security cameras accessible to all? And they changed the manager's default printer to the admin office right as she was drafting those performance reviews.

Being a whitey, I just printed the link to the firmware update with a smiley and called it a day.

Why not?

[nospam007]

My cat has been buying stuff on Amazon and eBay for me for years now.

This stuff pisses me off.

[aaarrrgggh]

I bought a weather station, and it pulls the same crap. It is set to upload to a local server only, but it still tries to connect to baidu, a host in Taiwan, and a handful of Amazon buckets. Without being able to reach them it disqualifies the wifi. I've tried DNS redirection to a local machine, but no luck.

My IoT vlan allows NTP traffic only to the outside (known NTP servers are generally just responded to by the local time server, but hard-coded IPs will get through). I'll need to get a honeypot serve

The device is happy as long as an IP address is...

[misnohmer]

The device is happy as long as an IP address is returned

Not necessarily. I have one such IoT device which is actually least happy when IP address is returned but baidu.com cannot be reached - it literally crashes and eventually reboots. This has a weird side effect for anyone who has a caching DNS server on-site and that site loses internet access - the IoT device goes into constant reboot loop until internet access is restored. Same happens if you put it on a restricted IoT subnet with no access to baidu.com IP's but access to DNS. Disallowing it access to any

Sloppy development practices

[scourfish]

The cat feeder is probably using overpowered hardware for the task, and sloppy code work meant they used a 900 pound gorilla for the task. The whole thing could have been done with a low power micro, WITH wifi capability, at both a fraction of the cost, and increased security.