Kaspersky Lab discovers vulnerabilities in popular pet trackers
Vulnerabilities divulge pet’s location, its owner’s sensitive personal data and more
Woburn, MA – May 22, 2018 – To determine if pets are secure from cyberthreats, Kaspersky Lab researchers have studied several popular pet trackers and discovered vulnerabilities which allow cybercriminals to hack the trackers, identify a pet and its owner’s coordinates, replace these location coordinates and even steal sensitive personal data.
Trackers are used by pet owners to monitor the safety and location of their pets by sending GPS coordinates back to the owner’s app as often as once a minute. The possibility of someone else intercepting those coordinates means they may be able to identify where a pet is at any given moment, discover details about a pet’s daily routine and ultimately gain enough information about a pet’s movements and its owners’ habits.
During the study on pet trackers, Kaspersky Lab researchers discovered the following vulnerabilities across a number of popular pet tracking brands:
- Bluetooth capabilities that require no authentication for connection
- Trackers and apps transmitting sensitive data such as the owner’s name, email and coordinates
- Server certificates that are not checked for HTTPS connections, making Man-in-the-Middle scenarios possible (when someone intercepts Wi-Fi traffic)
- Authorization tokens and coordinates can be stored on a device without encryption
- False firmware can be installed
- Commands can be sent to trackers without checking the user ID, meaning they could be sent by anyone, not just the owner
These findings show that even if pet trackers are not widely used for cybercrime today, they could be on par with other connected devices in the future, putting pets and their owners in danger. With over six billion IoT devices being used worldwide, and many of them falling victim to cybercrime, it’s important to consider how pet trackers can eventually become part of the IoT cyberthreat ecosystem, leading to additional entry points for hackers to gain access to personal data.
“The vulnerabilities in these apps and trackers certainly open up the possibility for criminals to more accurately locate people’s pets or send false coordinates to a server, for the purpose of kidnapping. In addition, the apps for the connected devices can be used to steal users’ personal data,” said Roman Unuchek, senior malware analyst, Kaspersky Lab. “We haven’t yet seen any examples of trackers and their apps being used to kidnap pets, but the information they transmit can still be used to access information about the owner, such as passwords or email addresses, which hold value for cybercriminals.”
Kaspersky Lab has reported all discovered vulnerabilities to the appropriate vendors, and many of them have already been patched. Kaspersky Lab recommends that consumers consider cybersecurity for all family members, including pets, in today’s modern, always connected world.
Read more about the vulnerabilities in pet trackers on Securelist.com.