Endpoint

5/22/2018
11:45 AM
50%
50%

Pet Tracker Flaws Expose Pets and Their Owners to Cybercrime

Hackers can exploit vulnerabilities in popular pet trackers to intercept location coordinates and access owners' personal data.

In a future where everything is connected, cybercriminals may not need to target you to steal your personal data. They can hack your pets instead. 

Kaspersky Lab researchers today published the results of a study investigating vulnerabilities in popular pet trackers, which transfer GPS coordinates from pets to owners for safety and location monitoring. The flaws they discovered could let an attacker hack these devices, identify and replace the coordinates of a pet and its owner, and access owners' data.

In studying several brands of pet trackers, researchers found: Bluetooth capabilities that don't require authentication, authorization tokens and coordinates that can be stored sans encryption, trackers that don’t check server certificates for HTTPS connections, and trackers and apps that allow the installation of false firmware and transmit the name, email, and coordinates of the pet's owner.

It's another reason to worry about the implications of poor IoT security. If a hacker can intercept these coordinates, they can identify where a pet or owner is at any given time, learn their daily routines, and over time develop a pattern of owners' and animals' habits.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
5/22/2018 | 1:11:44 PM
If you use the internet to track something, so can anyone else - no news here
Your kids, your pets, your workouts... whatever; with breaches in even high security environments commonplace, why do people feel they have a justifiable expectation of security with their consumer devices and services?  I think we all know the answers: marketing which downplays or totally ignores security concerns (or overstates included security features), for IoT devices and services; to be followed by marketing of devices and services to secure your IoT. 
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...
CVE-2018-19352
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
CVE-2018-19353
PUBLISHED: 2018-11-18
The ansilove_ansi function in loaders/ansi.c in libansilove 1.0.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.