Pet Trackers Open to MITM Attacks, Interception

Several well-rated pet trackers contain flaws stemming from the use of Bluetooth LE, poor certificate handling and more.

UPDATE

Family pets are near and dear to us, so smart collars and other devices for animals that track their locations are becoming popular; a world without the need for lost-pet flyers is after all a wonderful thing. The problem, according to researchers, is that these devices can leak sensitive information, like phone numbers, the pet’s location or home network details.

After examining several well-reviewed models, including Kippy Vita, the Nuzzle Pet Activity and GPS Tracker and the Whistle 3 GPS Pet Tracker & Activity Monitor, testers at Kaspersky Lab found several issues that should be of concern for Rover’s owners.

Bluetooth Blues

One common problem found in some of the trackers examined comes down to the use of Bluetooth Low Energy (BLE), which is custom-made for low-power IoT sensor applications. BLE essentially connects these pet-trackers to the owner’s smartphone, but unlike the full implementation of the Bluetooth spec, BLE doesn’t require authentication in order to pair devices.

“Authentication depends entirely on the developers of the device, and experience shows that it is often neglected,” researchers Roman Unuchek and Roland Sako said in a posting outlining their research this week.

For instance, the Nuzzle device uses a SIM card to transmit the pet’s GPS coordinates, directly connecting to a smartphone via BLE – without any authorization or access control. That means that any smartphone can connect to the tracker to control it and access the pet’s location, along with device status information like temperature and battery charge (CVE-2018-7043).

The Whistle 3 meanwhile has BLE connection problems too. The gadget can transfer GPS coordinates via its built-in SIM card, via Wi-Fi to its server (if the owner provides a Wi-Fi network password) or directly to the owner’s smartphone via BLE. On the latter point, the device waits for a certain sequence of actions to be performed before it pairs with a phone, but the sequence is simple for a third party to deduce and reproduce, thus gaining access to the device.

After that, the tracker is ready to receive and execute commands from anyone; a hacker could, for instance, ask for device coordinates.

An exception on the BLE front is the Link AKC tracker. While it monitors the pet’s location via GPS and transfers coordinates via a built-in SIM card to a phone directly via BLE, it makes use of a user ID to verify the rights of the mobile app to interface with the tracker. The tracker also checks the smartphone’s MAC address as another layer of user confirmation.

“The developers did everything right in terms of securing the connection to the smartphone,” the researchers said. “We couldn’t find any major problems, which is rare for devices with BLE support.”

Also, the Kippy Vita device does not interface directly with the smartphone at all, so the BLE issue was not in question, and, uniquely, it uses SSL pinning. Neither Tractive nor the Weenect WE301 communicates directly with a smartphone either; instead, each transfers pet coordinates to the server via a built-in SIM card. This helps the devices’ security postures immensely.

MITM Issues

Beyond the BLE pitfall, some of the trackers have shared flaws stemming from certificate handling and data-transfer mechanisms. Just one of the tested Android apps (the Weenect WE301) verifies the certificate of its server, and the rest are vulnerable to man-in-the-middle (MITM) attacks.

On top of not verifying certificates, many of the apps (including Nuzzle, Link AKC and the Whistle 3) either store unencrypted data or write the unencrypted data to logcat files. That data can include the app’s authorization token, the pet’s location and user registration data (including name and email address). Thus, a hacker mounting a MITM offensive can intercept the data transfers or peer into files.

Kippy Vita’s Android app meanwhile encrypts important data before saving it to its own folder, but it does log the data that is transmitted to the server.

Two of the devices studied managed to avoid being assigned CVEs: Tractive and the Weenect WE301. However, here too, the Android apps don’t verify the server certificate and they store authentication tokens and pet movement data in unencrypted form.

That said, the logging problem is somewhat mitigated given that in Android 4.1 and newer versions, only some system apps or apps with superuser rights can read the logs of other programs.

“It should be noted that this data is not so easy to steal, since other apps cannot read it,” the researchers said. “But there are trojans that can steal data from other apps by exploiting superuser rights.”
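A pre-release check for the logging problem described above, as an added example that is not code from the researchers or any of the vendors: it parses `adb logcat` threadtime records and flags messages that contain a token, an email address or coordinates. The log excerpt, app tags and regular expressions are constructed for illustration.

```python
import re

# Constructed logcat excerpt (threadtime format); app tags and values are invented.
SAMPLE_LOG = """\
05-29 06:11:02.101  4123  4150 D TrackerApi: POST /v1/login body={"email":"owner@example.com"}
05-29 06:11:02.480  4123  4150 D TrackerApi: response 200 {"token":"c29tZS1jb25zdHJ1Y3RlZC10b2tlbg"}
05-29 06:11:05.017  4123  4188 I PetLocation: update lat=55.75123 lon=37.61987 battery=81
05-29 06:11:05.020  4123  4188 I PetLocation: BLE link state=CONNECTED
"""

# date, time, pid, tid, level, tag, message
LINE_RE = re.compile(
    r"^\d\d-\d\d\s+[\d:.]+\s+\d+\s+\d+\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]*?)\s*:\s(?P<msg>.*)$"
)
SEP = r"[\"'=:\s]+"  # separators between a key and its value (JSON, key=value, headers)
# Illustrative rules for the data classes the article lists; tune them per app.
RULES = {
    "auth_token": re.compile(r"(?i)\b(?:token|authorization|bearer)\b" + SEP + r"[\w.\-]{16,}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "coordinates": re.compile(
        r"(?i)\blat(?:itude)?" + SEP + r"-?\d{1,2}\.\d{3,}\D{1,20}?"
        r"l(?:ongitude|on|ng)" + SEP + r"-?\d{1,3}\.\d{3,}"
    ),
}

def scan(log_text):
    """Return (line_no, level, tag, kind) for every sensitive value found in a log message."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a threadtime record (e.g. "--------- beginning of main")
        for kind, rule in RULES.items():
            if rule.search(m["msg"]):
                # Record where the leak is, never the leaked value itself.
                findings.append((line_no, m["level"], m["tag"], kind))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("line %d [%s/%s] logs %s" % finding)
```

Run against a capture from a debug session of the app under test, a non-empty result is a release blocker regardless of the Android version's log-access restrictions.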

Other Problems

Meanwhile, two of the trackers can be disabled or hidden from owners.

For instance, it’s possible to install modified software on the Nuzzle tracker by changing the checksum in the DAT file – this can be used to cause the device to stop working. And perhaps worst of all, an attacker can conceal the location of the pet simply by connecting to the tracker using a smartphone.

“To save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE,” Unuchek and Sako said.

An attacker can also hide the Whistle 3 from the pet owner; if a hacker continuously transmits a command for the device location, the gadget will not send location data via the SIM card, since it will assume that such data has already been received directly. Also, it transmits data to the server without any authentication, so an attacker could substitute alternate pet coordinates.
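The battery-saving rule described above, modelled in Python as an added example (not vendor firmware and not the researchers' code): with `require_auth=False` any BLE read counts as delivery to the owner, while the hardened variant only counts a read from a peer that proves knowledge of a key. The HMAC challenge-response, the key provisioning at pairing and all names are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

class Tracker:
    """Toy model of a tracker's reporting logic (all names hypothetical)."""
    def __init__(self, owner_key: bytes, require_auth: bool):
        self.owner_key = owner_key        # assumed: secret provisioned at first pairing
        self.require_auth = require_auth  # False models the behaviour the article describes
        self.sent_over_ble = False
        self._challenge: Optional[bytes] = None

    def new_challenge(self) -> bytes:
        self._challenge = os.urandom(16)  # fresh nonce per request, so a proof cannot be replayed
        return self._challenge

    def _peer_is_owner(self, proof: Optional[bytes]) -> bool:
        challenge, self._challenge = self._challenge, None  # each challenge is single use
        if challenge is None or proof is None:
            return False
        expected = hmac.new(self.owner_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)

    def ble_location_request(self, proof: Optional[bytes] = None) -> bool:
        """Return True if coordinates were handed to the BLE peer."""
        if self.require_auth and not self._peer_is_owner(proof):
            return False                  # hardened: unknown peers get nothing
        self.sent_over_ble = True         # battery saver: treat the fix as delivered
        return True

    def reporting_cycle(self) -> str:
        """Decide whether this cycle's fix still goes out over the SIM."""
        decision = "skip" if self.sent_over_ble else "cellular"
        self.sent_over_ble = False
        return decision

def owner_proof(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

def simulate(require_auth: bool, cycles: int = 3) -> list:
    """An unpaired phone asks for the location before every reporting cycle."""
    tracker = Tracker(owner_key=b"constructed-demo-key", require_auth=require_auth)
    decisions = []
    for _ in range(cycles):
        tracker.new_challenge()
        tracker.ble_location_request(proof=None)  # this peer holds no key
        decisions.append(tracker.reporting_cycle())
    return decisions
```

`simulate(False)` shows the server never receiving a fix while an unknown peer keeps reading; `simulate(True)` shows cellular uploads continuing because only an authenticated read suppresses them.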

Another Wake-up Call for IoT Security

Connected things are burrowing further and further into our everyday lives, with everything from thermostats to Amazon Echo to washer/dryer sets and beyond now offering convenience and safety apps for consumers to make their lives easier – and more hackable. The pet-tracker class of connected gadgets adds one more layer of vulnerability to the proceedings, but calling attention to the flaws could be a wake-up call to the manufacturers.

“Who knew that when Fido decided to go exploring on his own that his Bluetooth LE and cellular-enabled GPS collar could provide an entry point for cyberattackers? Implementing security on an IoT device requires a multilayered approach,” Chris Clark, principal security engineer at Synopsys, told Threatpost. “Encrypting traffic or enabling authentication is just one piece of a complex puzzle. In a rush to market, many of the nuances highlighted in this research are overlooked by developers. The work researchers provided showcases how important it is to build security competency within product development teams or work with a trusted partner that has the experience and capabilities to address security challenges before taking the product to market.”

While the focus of this research was on GPS and Bluetooth LE, the weaknesses in implementation are found in a wide range of products spanning multiple industries, he added.

“The research highlights a much greater challenge in the IoT space,” he said. “How do I produce a secure IoT device? While some of the devices took steps to address ‘security,’ the researchers still found data leakage and failures in other areas on every device. Finding the balance between robust security and usability will continue to be a challenge for embedded IoT products developers. In many of the cases, the use of static code analysis and fuzz testing could have found these vulnerabilities and ensured Fido’s safe return home.”

Paul Bischoff, privacy advocate at Comparitech.com, told us that this is particularly concerning given that for consumers, knowing the security status of their connected devices is a challenge. “Unlike the web browsers on our phones and computers, there’s no green padlock to tell you whether your IoT device is connected to the proper server and whether the data being sent is encrypted. That means the average person cannot know whether a hacker is stealing information about the tracker’s location or other private information. For this reason, IoT manufacturers need to step up their game when it comes to security.”

This article was updated 5/29/2018 at 6:11 a.m. ET with comments from Synopsys and Comparitech.com surrounding IoT security struggles.
