People's data hacked from their pet apps

To the world of pet tech now, and the fortunes some will spend to keep their furry friends safe and sound. From feline fitbits and doggy GPS devices, to automatic food dispensers and ball launchers, people are going for these gadgets in a big way: they let your pets in and out; they track where they go so you can get them back; they tell you where they’ve been and so on. But many of these devices have lax security, and unsurprisingly, may owners might not realise how lax. And the result is that they can open a cyber-criminal-sized catflap into your life, sharing personal details including where your pet - and hence you - live and when you are not at home for instance - because you’re out walking the dog! These gadgets are part of the rising trend known as the ‘Internet of Things’ - physical objects armed with sensors, software and internet access, which, convenient as they are, can expose you to scammers and cyber thieves, as Scott Harper explains to James Tytko…

Scott  - So these devices, they're obviously going to be collecting the pet data, so things like the pet's name and other information, pet photo. But in terms of the personal information that they collect, there's the information that the user will be directly inputting. So things like their address, their postcode, potentially their house number, their name, their phone number, email. But there's also the information that'll be captured less directly by the user. So not inputted by them, like their location with these GPS devices because they're tracking the users location. If they're alongside their pet, they can for instance, have their past route as well as potentially their routine.

James  - Mm. Yeah, I can see why that would be dangerous. And so is the security particularly worse in these pet apps than in other third party apps that you might download from whatever app store?

Scott  - It's possible that they're not being designed with the same security and privacy needs of other devices where human users are going to be in mind in the design process. So as we found in our study, there were vulnerable apps showing the users login details, but we also found that users were taking far fewer security precautions compared to their general security and privacy.

James  - That's interesting. What, what do you put that down to that people are less resistant to giving over their personal information when it comes to these pet apps?

Scott  - Yeah, so looking at the sort of advantages that we found from the users that they discussed, we think that maybe the users are more likely to focus on the safety, convenience or the peace of mind, sort of the advantages that these technologies can bring to their pet. So they're focused more on the safety of their pet with a GPS device as opposed to thinking about their own personal security or the privacy of their data.

James  - Right, so these products play on people's emotional attachment. Well, maybe, maybe that's a bit nefarious I'm thinking of. They're a bit more nefarious than they actually are, but people are less cautious because of their emotional attachment to their cats and dogs, whatever. And that's what might make them more vulnerable. So how are criminals then exploiting these vulnerabilities? Remind us talking in more general terms in cybersecurity, what the, what the risks are

Scott  - So the username and password. So in this case, if an attacker were to gain access to your username and password, they have access to obviously this application and any of your personal information that may be inside it, but also it may enable them to gain access to other applications where you're using the same username and password, although recommended against, I feel like a lot of people will be doing. And the apps we looked at also revealed additional user details in plain text. So the two examples we had were one being their exact address and the other, their estimated latitude and longitude on opening the app.

James  - So I suppose the advice here for all those dog owners who, who must have that gadget, automatic ball chucker, they must have it. How should they even be making sure that they're being safe?

Scott  - Yeah, so generally it's just to try to make sure you're following the same sort of security privacy practices you would with regular devices and devices more focused on yourself. So for example, some more general tips they could always try to use unique and secure passwords where possible check the settings of the Apple device and consider what data they are sharing and what data you want to share. So there are a few guides available such as Mozilla's Privacy Not Included project, which does actually have a pet technology specific section with a few different devices there. So there's an automatic feeder and activity monitor and it tells you whether their securities are up to standard and some of the data they collect and whether they share it with third parties.