As tech-focused products and services designed for pets continue to evolve, companies need to start investing more time and money in protecting their users’ data and privacy. Much of what is being developed under the umbrella of PetTech would be considered IoT devices, and as we’ve seen with the more than 36 billion IoT devices installed worldwide in 2021, they are a continued target for cybercrime. With products including location and fitness trackers, in-house cameras and speakers, as well as online telemedicine platforms dealing with sensitive video and audio calls, it’s important that security is brought to the forefront.
Back in 2018, Kaspersky Lab released one of the most thoroughly investigated pieces comparing a handful of popular pet location trackers, including Tractive, Whistle 3 and Kippy Vita. The team of researchers treated the devices the same way a cyber criminal would, applying pressure on various security elements. Their findings included the following faults across some or all of the devices:
- Bluetooth that required no connection authentication
- Transmission of sensitive data including the user’s name, email and coordinates
- Unchecked server certificates for an HTTPS connection, thus allowing man-in-the-middle scenarios
- Authorisation tokens and coordinates being stored without encryption
- Possibilities of installing false firmware
- Possibilities to send commands to trackers without checking user IDs, therefore allowing them to be sent by anyone, not just the user
These vulnerabilities showed the worrying potential of pet trackers joining the IoT cyberthreat ecosystem, given the multitude of new entry points outlined above for accessing information about the victim. Perhaps one of the most concerning issues is the possibility of unwanted users locating not just the pets but the humans themselves, as in most cases pets are never too far away from their owners. Roman Unuchek, senior malware analyst at Kaspersky Lab, confirms: “These apps and trackers certainly open up the possibility for criminals to more accurately locate people’s pets or send false coordinates to a server, for the purpose of kidnapping. In addition, the apps for the connected devices can be used to steal users’ personal data.” He does, however, add: “We haven’t yet seen any examples of trackers and their apps being used to kidnap pets, but the information they transmit can still be used to access information about the owner, such as passwords or email addresses, which hold value for cybercriminals.”
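The last fault in the list above, commands accepted without checking user IDs, comes down to a missing server-side ownership check. The sketch below is an added example, not code from Kaspersky's research or from any vendor; the tracker IDs, user names, key, command names and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: which account owns which tracker (hypothetical IDs).
TRACKER_OWNERS = {"trk-001": "alice", "trk-002": "bob"}
SERVER_KEY = b"constructed-demo-key"  # placeholder; load from a secret store in practice
ALLOWED_COMMANDS = {"locate", "set_interval", "light_on"}


def issue_token(user_id: str) -> str:
    """Return 'user_id.mac' so the server can later prove who is calling."""
    mac = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def authenticate(token: str):
    """Return the user ID bound to a valid token, or None."""
    user_id, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; a tampered MAC never matches.
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return user_id if user_id and ok else None


def send_command_unchecked(tracker_id: str, command: str) -> str:
    """The reported fault: the command is relayed for any caller, no identity check."""
    return f"sent {command} to {tracker_id}"


def send_command(token: str, tracker_id: str, command: str) -> str:
    """Hardened form: authenticate the caller, then check ownership and command."""
    user_id = authenticate(token)
    if user_id is None:
        raise PermissionError("invalid or missing token")
    if TRACKER_OWNERS.get(tracker_id) != user_id:
        # Same error for unknown and foreign trackers, so IDs cannot be enumerated.
        raise PermissionError("tracker not found for this account")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unsupported command")
    return f"sent {command} to {tracker_id}"
```

The ownership lookup happens on the server against the authenticated identity, never against a user ID supplied in the request body.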
Another similar study was conducted in 2019 through a collaboration between the University of Bristol’s Cyber Security Group and Israel’s Haifa University. They compared 19 different devices, with their focus being on how much data was being captured on the pet owners themselves, as opposed to the pets. Perhaps unsurprisingly at this point, their key findings concluded that data captured on the pet owner is four times higher than that captured on the pet, and that there is a lack of clarity on the type of data that is stored. Lead researcher, Dr Dirk van der Linden, said: “The consumer’s desire to provide the best care for their pets combined with the marketing of the device may lull them into a false sense of security. It is the owner who is the actual user of the product, and the data collected from the pet wearable has privacy implications for the humans.” Indeed, one of the key recommendations from the paper was clearer marketing of the devices and explicitly marking pet activity data as personal data to ensure more transparency for users. Van der Linden continues: “Access to pet activity data could be used to build profiles on pet owners, with implications ranging from burglars knowing when to approach a home, to insurance companies inferring health profiles of pet owners via their dog’s activity.”
While we are unaware of any reported malicious cyberattacks on pet trackers thus far, the at-home pet camera sector hasn’t been quite as lucky. In November 2021, there were many reports that a St. Louis woman, Angela Cuniberti, who had been using a Furbo pet camera for 6 years, had become a victim. “I was walking and I heard a man’s voice say, ‘hey beautiful,’” Cuniberti said. “I basically freaked out. I thought somebody came into my house. My dogs started barking like crazy.” According to security experts investigating the matter, once hackers connect to your camera, they can access your internet router and your computer.
Earlier in the year in April, Somerset Recon, a small team of experts who claim to be “absolutely obsessed with security” made up of diverse backgrounds including academia, military, big e-commerce, and the underground hacker world, released a piece outlining vulnerabilities in Furbo’s firmware. Upon successful exploitation, the attacker was able to execute code as root and take full control of the Furbo 2. There were many features that could be utilised from the command line including, but not limited to, recording audio and video, playing custom sounds, shooting out treats, and obtaining the RTSP password for live video streaming.
Furbo may be the only pet camera so far that has confirmed reports of hackings, but in-house cameras, including Amazon’s ‘Ring’ camera, have long been targeted. In 2020 Amazon was subject to a class action lawsuit in the USA claiming they had failed to take basic security precautions. This came following a number of cyber attacks where hackers gained access to families’ cameras, with one case even involving the perpetrators yelling racial slurs at an 8-year-old child. It is still unclear whether these incidents were caused by Amazon employees who had fraudulently received access to users’ cameras, or by external users who had hacked through the firmware’s security systems. Regardless, any unauthorised access to one’s private in-house cameras is a concern for any user.
Petcube, another manufacturer of pet cameras, claims to put extra focus on security protocols. Andrey Klen, co-founder and CMO, explains: "Engineers are following the vulnerability reports and new versions of the software components used in our products, and they are updated regularly. [We’re] also performing planned security audits by independent companies with extensive expertise in the domain. Generally we do our best to protect our users' security and privacy and constantly look for ways to improve these practices." According to their site they also ensure that none of their employees have access to data without a user’s consent, as it is protected by a unique token, hosted on a server with restricted access. If access is desired, a token can be created by the user, and the employee is given access.
It is certainly comforting to hear that some PetTech companies are starting to work with third-party security assessors, who can put their firmware under the same scrutiny that cyberattackers would, thus exposing all the areas to focus security efforts on. According to Chris Romeo, CEO at Security Journey: “Developers of IoT must embrace security and security user stories. They must understand encryption and ensure that it is utilised. They must track their open-source software and ensure that it is properly updated. They must write admin interfaces that are not riddled with problems identified in the OWASP Top Ten.”
The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software. OWASP operates under an ‘open community’ model; in short, it is a repository of all things web-application-security, backed by the extensive knowledge and experience of its open community contributors. Their ‘Top 10’ is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks. It is put together by a team of security experts from all over the world, and they recommend all companies incorporate the findings into their processes in order to minimise and/or mitigate security risks. While comprehensive and up to date, these guidelines realistically provide only the basic foundation for security. If PetTech startups want to be at the forefront of security, they must work with third-party security auditors and assessors on a long-term basis, while of course staying up to date with all vulnerability reports and software updates for any components used.
At MyPetGo, a Rhino Ventures Asia company, security has been at the forefront since conception. Being a full-service pet ecosystem featuring a hardware device tracking pet health vital signs and location, as well as numerous online services from insurance to telemedicine, encryption was absolutely vital. Matt Keyes, COO at MyPetGo, explained: “We’re working with top security consultants to help us adapt to the ever-changing environment to ensure our customer’s data and privacy is handled with due care and attention, using methods adopted by the world’s leading corporations.”