Fido might be man's best friend, but smart devices designed to track pets' movements and activity could be your worst enemy if attackers manage to capitalise on any of the dozen vulnerabilities researchers recently observed in them.
In a 22 May blog post, Kaspersky Lab researchers Roman Unuchek and Roland Sako warn that malicious hackers could exploit flaws found in these IoT products or their corresponding mobile apps to disable the devices' services, cause them to receive and execute commands from an unauthorised party, or perform man-in-the-middle attacks that intercept transmitted data.
The gadgets typically rely on some combination of GPS, Wi-Fi and/or Bluetooth Low Energy (BLE), the latter of which Kaspersky identifies as a "weak spot in the device's protective armour," due to "lack of authentication and the availability of services and characteristics." Another major issue that surfaced was that, at the time of the research, only one of the Android apps used in conjunction with these devices verified the certificate of its server.
According to the blog post, the researchers reportedly discovered four vulnerabilities each in Nuzzle Pet Activity and GPS Tracker and Whistle 3 GPS Pet Tracker & Activity Monitor, two in TrackR's bravo and pixel devices, and one each in Kippy Vita and Link AKC Smart Dog Collar. (The Weenect WE301 and Tractive GPS Pet Tracker also reportedly had minor issues, but were not assigned any official CVE identifiers.)
Unuchek told SC Media in an email interview that Kaspersky "reported all discovered vulnerabilities to the appropriate vendors, and most vulnerabilities in apps were fixed before publication, although most vulnerabilities in Bluetooth Low Energy communications have not been fixed." Vendors were notified of the BLE flaws three-to-four months ago, while the app vulnerabilities were disclosed one-to-three months ago, he added.
In response to this article, a spokesperson for Tractive told SC Media the MITM issue was addressed in an update of its Android App back in February 2018. Link AKC also submitted a statement saying it is pleased that Kaspersky validated the security of the BLE component of its product. "We at LINK AKC take our customers' security very seriously, and appreciate Kaspersky's security recommendations. We have earmarked our next Android application release for further security enhancements in this area," the statement continues.
Observed flaws included: apps transmitting sensitive data such as credentials and authentication tokens to the server or to logcat; apps failing to verify the server's HTTPS certificate; storing authorisation tokens in unencrypted form; a lack of authentication, authorisation and access control; allowing the device to interface with any arbitrary smartphone; easily bypassed integrity control; and receiving and executing commands that do not contain a user ID.
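The certificate-verification failure named above is worth seeing in code, because it is almost always introduced deliberately during development and then shipped. The following Android-style Java is an added illustration written for this article; it is not code from the Kaspersky post or from any of the vendors' apps, and the host name and pin value are placeholders. The first method shows the two idioms that switch verification off (a trust-all `X509TrustManager` and a `HostnameVerifier` that always returns true); the second keeps the platform's default chain and hostname checks and additionally compares the server's public key against a pinned SHA-256 hash.

```java
// Added example (not from the Kaspersky post or any vendor's app):
// the patterns that disable HTTPS verification on Android, beside a
// verified-and-pinned alternative. API_HOST and the pin are placeholders.
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsVerificationExample {

    // Placeholder endpoint; a real app would use its own API host.
    private static final String API_HOST = "api.example-pet-tracker.invalid";

    // VULNERABLE: what "does not verify the server's certificate" looks like.
    // Any certificate (self-signed, expired, wrong host) is accepted, so an
    // on-path attacker can terminate TLS and read or alter the traffic.
    static HttpsURLConnection openUnverified(String path) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://" + API_HOST + path).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // HARDENED: leave the default trust manager and hostname verifier in
    // place (they run during connect()), then pin the server's public key.
    // expectedPinBase64 is the Base64 SHA-256 of the server's SubjectPublicKeyInfo,
    // a value the app owner computes from their own certificate in advance.
    static HttpsURLConnection openVerified(String path, String expectedPinBase64)
            throws Exception {
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://" + API_HOST + path).openConnection();
        conn.connect(); // chain validation and hostname check happen here
        Certificate[] chain = conn.getServerCertificates();
        byte[] spki = chain[0].getPublicKey().getEncoded();
        String actualPin = Base64.getEncoder()
            .encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
        if (!actualPin.equals(expectedPinBase64)) {
            conn.disconnect();
            throw new IOException("Public key pin mismatch for " + API_HOST);
        }
        return conn;
    }
}
```

Reviewing an app for the first pattern is a quick grep for `X509TrustManager` and `HostnameVerifier` implementations with empty or `return true` bodies. The pinning step is optional hardening on top of normal verification, not a substitute for it; on Android 7 and later the same effect can be declared in the app's network security configuration file instead of in code. The other flaws in the list (tokens written to logcat or stored unencrypted) are separate fixes and are not addressed by this snippet.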
Where possible, SC Media reached out to the pet smart device manufacturers for comment.