Family Pet Trackers Open to MITM Attacks, Interception

Family pets are near and dear to us, so smart collars and other devices for animals that track their locations are becoming popular; a world without the need for lost-pet flyers is after all a wonderful thing. The problem, according to researchers, is that these devices can leak sensitive information, like phone numbers, the pet’s location or home network details.

After examining several well-reviewed models, including Kippy Vita, the Nuzzle Pet Activity and GPS Tracker and the Whistle 3 GPS Pet Tracker & Activity Monitor, testers at Kaspersky Lab found several issues that should be of concern for Rover’s owners.

Bluetooth Blues

One common problem found in some of the trackers examined comes down to the use of Bluetooth Low Energy (BLE), which is custom-made for low-power IoT sensor applications. BLE essentially connects the pet-trackers to the owner’s smartphone, but unlike the full implementation of the Bluetooth spec, BLE doesn’t require authentication in order to pair devices.

“Authentication depends entirely on the developers of the device, and experience shows that it is often neglected,” researchers Roman Unuchek and Roland Sako said in a posting outlining their research this week.

For instance, the Nuzzle device uses a SIM card to transmit the pet’s GPS coordinates, directly connecting to a smartphone via BLE – without any authorization or access control. That means that any smartphone can connect to the tracker to control it and access the pet’s location, along with device status information like temperature and battery charge (CVE-2018-7043).

The Whistle 3 meanwhile has BLE connection problems too. The gadget can transfer GPS coordinates via its built-in SIM card, via WiFi to its server (if the owner provides a WiFi network password) or directly to the owner’s smartphone via BLE. On the latter point, the device waits for a certain sequence of actions to be performed before it pairs with a phone, but the sequence is simple for a third party to deduce and reproduce, thus gaining access to the device.

After that, the tracker is ready to receive and execute commands that do not contain a user ID, which means that anyone can send them; a hacker could, for instance, ask for device coordinates.

An exception on the BLE front was the Link AKC tracker. While it monitors the pet’s location via GPS and transfers coordinates via a built-in SIM card to a phone directly via BLE, it makes use of a user ID to verify the rights of the mobile app to interface with the tracker. The tracker also checks the smartphone’s MAC address as another layer of user confirmation.

“The developers did everything right in terms of securing the connection to the smartphone,” the researchers said. “We couldn’t find any major problems, which is rare for devices with BLE support.”

Also, the Kippy Vita device does not interface directly with the smartphone at all, so the BLE issue was not in question, and, uniquely, it uses SSL pinning. Neither Tractive nor the Weenect WE301 communicates directly with a smartphone either; instead, they transfer pet coordinates to the server via a built-in SIM card. This helps the devices’ security postures immensely.

MITM Issues

Beyond the BLE pitfall, some of the trackers have shared flaws stemming from certificate handling and data-transfer mechanisms. Just one of the tested Android apps (the Weenect WE301) verifies the certificate of its server, making the rest vulnerable to man-in-the-middle (MITM) attacks.

On top of not verifying certificates, many of the apps (including Nuzzle, Link AKC and the Whistle 3) either store unencrypted data, or transfer the unencrypted data to logcat files. That data can include the app’s authorization token, the pet’s location and user registration data (including name and email address). Thus, a hacker mounting a MITM offensive can intercept the data transfers or peer into files.

Kippy Vita’s Android app meanwhile encrypts important data before saving it to its own folder, but it does log the data that is transmitted to the server.

Two of the devices studied managed to avoid being assigned CVEs: Tractive and the Weenect WE301. However, here too, the Android apps don’t verify the server certificate and they store authentication tokens and pet movement data in unencrypted form.

The logging problem is somewhat mitigated given that in Android 4.1 and newer versions, only some system apps or apps with superuser rights can read the logs of other programs.

“It should be noted that this data is not so easy to steal, since other apps cannot read it,” the researchers said. “But there are trojans that can steal data from other apps by exploiting superuser rights.”
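For app developers and testers, a check for this kind of log exposure can be automated. The following is an added example, not code from the researchers or any vendor: it scans logcat output for the data classes named above (authorization tokens, email addresses, coordinates) and shows a redaction pass. The sample log lines, tags and field names are constructed for illustration.

```python
import re

# Constructed sample in `adb logcat -v threadtime` layout; tags and values are invented.
SAMPLE_LOGCAT = """\
--------- beginning of main
03-28 10:15:02.114  2211  2240 D TrackerApi: POST /v1/session {"email":"owner@example.com"}
03-28 10:15:02.398  2211  2240 D TrackerApi: 200 {"auth_token":"c29tZS1jb25zdHJ1Y3RlZC10b2tlbg"}
03-28 10:15:07.020  2211  2302 I LocationSync: pet position lat=52.520008 lon=13.404954 battery=81
03-28 10:15:09.511  2211  2211 W BleLink: connection timeout, retrying
"""

# Layout: date time pid tid level tag: message
LINE = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\s+\d+\s+([VDIWEF])\s+(.+?)\s*: (.*)$")

# Patterns for the three data classes the article lists as exposed.
DETECTORS = {
    "auth_token": re.compile(r'(?i)(?:auth_?token|access_token)"?\s*[:=]\s*"?[\w.\-]{16,}'),
    "email": re.compile(r"[\w.%+\-]+@[\w.\-]+\.[A-Za-z]{2,}"),
    "coordinates": re.compile(
        r"(?i)lat(?:itude)?\W{1,3}-?\d{1,2}\.\d{3,}\D{1,12}"
        r"(?:lon|lng|long)(?:itude)?\W{1,3}-?\d{1,3}\.\d{3,}"),
}


def scan_logcat(text):
    """Return (tag, level, kinds) for every log line that exposes sensitive data."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # separators such as "--------- beginning of main"
        level, tag, message = m.groups()
        kinds = [k for k, rx in DETECTORS.items() if rx.search(message)]
        if kinds:
            findings.append((tag, level, kinds))
    return findings


def redact(message):
    """Replace each sensitive match with a placeholder before the line is logged."""
    for kind, rx in DETECTORS.items():
        message = rx.sub(f"<{kind} redacted>", message)
    return message


if __name__ == "__main__":
    for tag, level, kinds in scan_logcat(SAMPLE_LOGCAT):
        print(f"{level}/{tag}: logs {', '.join(kinds)}")
```

Run against a debug build's log capture, any finding points at a log statement that should be removed from release builds or passed through a redaction step first.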

Other Problems

Two of the trackers can be disabled or hidden from owners.

For instance, it’s possible to install modified software on the Nuzzle tracker by simply changing the checksum in the DAT file – this can be used to cause the device to stop working. And perhaps worst of all, an attacker can conceal the location of the pet simply by connecting to the tracker using a smartphone.

“To save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE,” Unuchek and Sako said.

An attacker can also hide the Whistle 3 from the pet owner; if a hacker continuously transmits a command for the device location, the gadget will not send location data via the SIM card, since it will assume that such data has already been received directly. Also, it transmits data to the server without any authentication, so an attacker could substitute alternate pet coordinates.
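The battery-saving shortcut described above is only safe when the BLE recipient is known to be the owner. The following is an added model of that design point, not vendor firmware: it compares a tracker that accepts commands without a user ID against one that applies the user ID and MAC check described for the Link AKC. The class, command name, IDs, MAC addresses and coordinates are all hypothetical.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Tracker:
    owner_id: str        # user ID provisioned at setup (assumed)
    owner_mac: str       # MAC address of the owner's phone (assumed)
    enforce_auth: bool   # False models a tracker that accepts commands without a user ID
    position: tuple = (0.0, 0.0)
    sent_over_ble: bool = False
    cellular_uploads: list = field(default_factory=list)

    def _authorized(self, peer_mac, user_id):
        if not self.enforce_auth:
            return True
        id_ok = hmac.compare_digest((user_id or "").encode(), self.owner_id.encode())
        return id_ok and peer_mac.lower() == self.owner_mac.lower()

    def on_ble_command(self, peer_mac, command, user_id=None):
        """Answer a location request; only an authorized peer counts as a delivery."""
        if command != "GET_LOCATION" or not self._authorized(peer_mac, user_id):
            return None
        self.sent_over_ble = True
        return self.position

    def end_of_interval(self):
        """Battery saver: skip the cellular upload if this fix already went out over BLE."""
        if not self.sent_over_ble:
            self.cellular_uploads.append(self.position)
        self.sent_over_ble = False


FIXES = [(52.5200, 13.4049), (52.5203, 13.4051), (52.5207, 13.4055)]  # constructed


def simulate(enforce_auth):
    """A phone that is not the owner's polls every interval; return what reaches the server."""
    t = Tracker("user-1234", "AA:BB:CC:DD:EE:01", enforce_auth)
    for fix in FIXES:
        t.position = fix
        t.on_ble_command("AA:BB:CC:DD:EE:99", "GET_LOCATION")  # no user ID supplied
        t.end_of_interval()
    return t.cellular_uploads


if __name__ == "__main__":
    print("no command auth:", simulate(False))
    print("user ID + MAC  :", simulate(True))
```

Without command authorization the server receives no fixes at all, while the authorized variant uploads every fix and still lets the real owner's phone suppress the cellular upload.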

Connected things are burrowing further and further into our everyday lives, with everything from thermostats to Amazon Echo to washer/dryer sets and beyond now offering convenience and safety apps for consumers to make their lives easier – and more hackable. The pet-tracker class of connected gadgets adds one more layer of vulnerability to the proceedings, but calling attention to the flaws could be a wake-up call to the manufacturers.

(Image courtesy of Link AKC)