Animal trackers in the soup as cats and dogs leak human data
Researchers from Newcastle University and Royal Holloway, University of London, have uncovered multiple security and privacy issues with popular Android apps for pets, farm animals, and other companion animals and warn apps are exposing their humans’ login and location details, putting them at risk of cyberattacks.
Scott Harper, the lead author of the study presented at the 2022 IEEE European Symposium on Security and Privacy Workshops conference, warned that the rapidly growing pet tech industry brings new security, privacy, and safety risks to pet owners.
“While owners might use these apps for peace of mind about the health of their dog or where their cat is, they may not be happy to find out about the risks the apps hold for their own cybersecurity,” says Harper, a PhD student at Newcastle University's School of Computing.
“We would urge anyone using these apps to take the time to ensure they are using a unique password, check the settings and ensure that they consider how much data they are sharing or willing to share.”
The pet care industry is experiencing a rapid expansion of technology aimed at enhancing the health, wellbeing, and quality of life of pets. Pet tech includes various products such as GPS trackers, automatic feeders, and pet cameras.
Wearable devices capable of monitoring activity levels, heart rate, and sleep patterns are also part of this new wave of pet tech, alongside smart feeding systems that dispense food on a predetermined schedule or based on the animal's behaviour. Additionally, there are apps and platforms available that allow pet owners to track and manage their pets' health records, as well as connect with veterinary professionals.
“We are using modern technologies to improve several aspects of our lives,” says co-author Dr Maryam Mehrnezhad, from the Department of Information Security at Royal Holloway, University of London. “However, some of these often cheap technologies come at the price of our privacy, security, and safety.
“Animal technologies can create complex risks and harms that are not easy to recognise and address,” she says. “In this interdisciplinary project, we are working on solutions to mitigate such risks and allow the animal owners to use such technologies without risk or fear.”
Privacy violated as animals and users tracked
The study evaluated 40 popular Android apps and revealed that password vulnerability was one of the major areas of concern. Three applications had their user's login details visible in plain text within non-secure HTTP traffic. This makes it possible for anyone to observe the internet traffic of someone using these apps and find their login information. Additionally, two apps showed user details, such as their location, which could enable someone to access their devices and risk a cyber-attack.
The study also found that all but four apps featured some form of tracking software. These trackers gather information on the user, how they use the application, or on the smartphone being used. The researchers also noted that the apps perform very poorly in notifying the user of their privacy policy. Their analysis showed that 21 apps track the user in some way before the user even has a chance to consent, violating current data protection regulations.
In addition, the research team surveyed almost 600 participants from the UK, USA and Germany, asking questions about the technologies used, incidents that have occurred or participants believe may occur, and the methods used by participants to protect their online security and privacy and whether they apply these to their pet tech. The findings show that despite believing that a range of attacks may occur targeting their pet tech, participants take few precautions to protect themselves and their pets from the possible risks and harms of these technologies.
The researchers warn users of pet tech should take precautions such as using a unique password for each app, checking the settings and considering what data they are sharing. They advise being cautious about any new IoT devices brought into the home, downloading apps from known app stores and constantly checking the permissions of such apps and revoking any unnecessary permission. Guides such as Mozilla's *Privacy Not Included project are available to help inform consumers about the potential security and privacy risks.
“We would urge those developing these technologies to increase the security of these devices and applications to reduce risk of their personal information or location being shared,” says co-author Dr Matt Leach, Director of Comparative Biology Centre, Newcastle University.