SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
24 May 2018

Flaws in smart pet devices, apps could come back to bite owners

Fido might be man's best friend, but smart devices designed to track pets' movements and activity could be your worst enemy if attackers manage to capitalize on any of the dozen vulnerabilities researchers recently observed in them.

In a May 22 blog post, Kaspersky Lab researchers Roman Unuchek and Roland Sako warn that malicious hackers could exploit flaws found in these IoT products or their corresponding mobile apps to disable the devices' services, cause them to receive and execute commands from an unauthorized party, or perform man-in-the-middle attacks that intercept transmitted data.

The gadgets typically rely on some combination of GPS, Wi-Fi and/or Bluetooth Low Energy (BLE), the latter of which Kaspersky identifies as a "weak spot in the device's protective armor," due to "lack of authentication and the availability of services and characteristics." Another major issue that surfaced was that, at the time of the research, only one of the Android apps used in conjunction with these devices verified the certificate of its server.

According to the blog post, the researchers reportedly discovered four vulnerabilities each in Nuzzle Pet Activity and GPS Tracker and Whistle 3 GPS Pet Tracker & Activity Monitor, two in TrackR's bravo and pixel devices, and one each in Kippy Vita and Link AKC Smart Dog Collar. (The Weenect WE301 and Tractive GPS Pet Tracker also reportedly had minor issues, but were not assigned any official CVE identifiers.)

Unuchek told SC Media in an email interview that Kaspersky "reported all discovered vulnerabilities to the appropriate vendors, and most vulnerabilities in apps were fixed before publication, although most vulnerabilities in Bluetooth Low Energy communications have not been fixed." Vendors were notified of the BLE flaws three-to-four months ago, while the app vulnerabilities were disclosed one-to-three months ago, he added.

In response to this article, a spokesperson for Tractive told SC Media the MITM issue was addressed in an update of its Android App back in February 2018. Link AKC also submitted a statement saying it is pleased that Kaspersky validated the security of the BLE component of its product. "We at LINK AKC take our customers' security very seriously, and appreciate Kaspersky's security recommendations. We have earmarked our next Android application release for further security enhancements in this area," the statement continues.

Observed flaws included apps transmitting sensitive data such as credentials and authentication tokens to the server or to logcat; apps failing to verify the server's HTTPS certificate; storing authorization tokens in unencrypted form; lack of authentication, authorization and access control; allowing the device to interface with any arbitrary smartphone; easily bypassed integrity control; and receiving and executing commands that do not contain a user ID.

Where possible, SC Media reached out to the pet smart device manufacturers for comment.

Tags: information leaks, surveillance, GPS

Source: SCMagazine