Security and Privacy of Animal Technologies

Mentions of this work in the media

https://www.telegraph.co.uk/news/2023/02/28/how-dog-tracker-apps-snooping-humans-according-cyber-security 

https://www.timesnownews.com/technology-science/smart-collars-gps-trackers-for-your-cat-dog-may-be-spying-on-you-article-98297035 

https://www.google.com/amp/s/www.express.co.uk/news/science/1740442/dog-tracker-app-cyber-security-pets-study/amp 

https://www.sciencedaily.com/releases/2023/02/230227193312.htm 

https://studyfinds.org/apps-for-pets-leaking-information/ 

https://www.moneylife.in/article/smart-collars-gps-trackers-for-your-cat-dog-may-be-spying-on-you/69997.html 

https://www.latestly.com/technology/pet-parents-beware-smart-collars-gps-trackers-and-apps-for-your-animal-companions-safety-may-be-spying-on-you-4894119.html/amp 

https://www.nelcuore.org/?p=64617 

https://www.miragenews.com/pets-exposing-info-about-owners-956276/ 

https://techxplore.com/news/2023-02-pets-leaking.html 

https://www.cbsnews.com/miami/video/new-warning-about-using-pet-apps/#x 

https://www.eurasiareview.com/01032023-are-our-pets-leaking-information-about-us/ 

https://www.gadgetsnow.com/featured/pet-owners-heres-an-important-cybersecurity-warning-for-you/amp_articleshow/98322559.cms 

https://www.itv.com/news/tyne-tees/2023-03-01/are-our-pets-leaking-information-about-us 

https://www.earth.com/news/are-our-pets-leaking-information-about-us/ 

https://www.the-sun.com/tech/7511435/billions-android-users-warned-harmless-apps-spying-location/amp/ 

https://cacm.acm.org/news/270460-are-our-pets-leaking-information-about-us/fulltext?mobile=false 

https://www.thestar.com.my/tech/tech-news/2023/03/02/how-pet-related-apps-could-be-a-cybersecurity-risk-to-owners 

https://www.theepochtimes.com/pet-tracking-apps-leaking-information-on-users-study-finds_5091184.html 

https://www.thenakedscientists.com/articles/interviews/peoples-data-hacked-their-pet-apps

https://innovationorigins.com/en/laio/security-issues-per-apps/

https://cybermagazine.com/articles/animal-trackers-in-the-soup-as-cats-and-dogs-leak-human-data

https://laopinion.com/2023/02/28/tu-mascota-podria-estar-filtrando-informacion-importante-sobre-ti/amp/

https://www.crumpe.com/2023/03/nos-animaux-de-compagnie-divulguent-ils-des-informations-sur-nous/

https://thecyberwire.com/newsletters/privacy-briefing/5/43

https://gorgenewscenter.com/2023/03/03/bad-dog-app-study-shows-cyber-security-on-smart-pet-tech-isnt/

2022 ACM IoT Workshop (STaR-IoT): Security and Privacy Concerns of Pet Tech Users

Harper, Mehrnezhad, Leach, STaR-IoT: International Workshop on Socio-technical Cybersecurity and Resilience, workshop in the ACM Internet of Things, 2022

Abstract: An expanding variety of technologies are being offered to aid with the care of pets. These pet technologies (pet tech) are a rapidly growing industry, introducing new security, privacy, and safety risks to their users. Despite these risks, the security and privacy evaluation of these devices, and their users’ concerns regarding these issues, remain an under-researched field. In this work, we perform a user study of 593 participants across 3 different countries (UK, USA, Germany) to gain an understanding of what technologies are in use, incidents that have occurred or participants believe may occur, and the methods used by participants to protect their online security and privacy and whether they apply these to their pet tech. Our findings highlight that participants do believe that a range of attacks may occur targeting their pet tech. Despite this, they take few precautions to protect themselves and their pets from the possible risks and harms of these technologies.

We conducted a study of pet owners across three different countries.

We wanted to learn about the technologies used by pet owners, as well as incidents involving these devices that have occurred or that they believe may occur. We also looked at the methods participants use to protect their general security and privacy, and whether they apply them when using pet technologies.

We used Prolific, a user study distribution platform, to distribute our survey to the participants. This allowed us to pre-screen so that only pet owners took part.

A variety of technologies were mentioned as being used by the participants, including those in this table.

We performed quantitative and some qualitative (thematic) analyses of the participants' results.

Although not many participants had experienced an incident, many believed that one may occur.

Despite believing an incident may occur, there was a significant difference in the number of protective actions taken for their general online security and privacy compared to those taken for the pet technologies they use (as seen in this figure).


2022 IEEE Euro S&P Workshop (SSR): Are Our Animals Leaking Information About Us? Security and Privacy Evaluation of Animal-related Apps

Harper, Mehrnezhad, Leach, Security Standardisation Research, co-located with IEEE Euro Security & Privacy, 2022.

Abstract: Novel technologies are increasingly being applied to farm and companion animals, and are proving popular with those who keep animals. Although this rapidly growing industry is introducing cybersecurity risks to both animals and their owners, it remains an under-researched field. In this study, we have identified multiple security and privacy vulnerabilities by evaluating 40 popular Android apps for farm and companion animals. We demonstrated that several of these applications are putting their users at risk by exposing their login details. The apps also perform poorly in terms of protecting the users' privacy with over half of the apps communicating with a tracker before the user can consent, violating the General Data Protection Regulation (GDPR). Accordingly, only 4 of the apps explicitly informed the user of their privacy policy and obtain consent. Our findings are important since they highlight the poor privacy practices present in animal-based applications, as well as the easily preventable security vulnerabilities that were reported to the companies responsible.

We looked at 40 animal-based apps (20 pet and 20 farm), which were selected, where possible, from the app sets of previous works. The remaining apps were selected based on popularity and the ability to create a login.

We performed a review of top-ranking legislation, looking for mention of these technologies, or security/privacy relating to animal data.

For the security and privacy analysis, we performed static, dynamic, network traffic, and privacy notice analysis on the selected apps.

We used the following tools: Privacy International's data interception environment (network traffic), Lumen (dynamic), and Exodus (static).

The amount of tracking software each app communicated with, as well as the permissions it requested, can be seen in this table.

Very concerningly, three of the applications studied had the user's login details visible in plain text within non-secure HTTP traffic.

Two of these apps also revealed additional user account information, with one revealing the user's address and door number. The second app revealed the user's latitude and longitude, again revealing their location and potentially endangering them.

We reported these issues to the companies responsible. Two responded to find out more about the vulnerability, and on retest it was no longer present in their apps. The app whose company did not respond still had the vulnerability on retest.
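
The two kinds of finding described above (login details and location data in plain-text HTTP, and tracker contact before the user consents) can be checked mechanically over a traffic capture of an app under test. The following is an added example, not the study's own tooling: the flow record layout, the field-name lists and the `tracker.example` and `petapp.example` hosts are assumptions, and the capture is constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Field names and the tracker domain are assumptions made for this example.
SENSITIVE = {
    "cleartext-credentials": {"username", "email", "password", "passwd", "pwd"},
    "cleartext-location": {"address", "postcode", "lat", "latitude", "lon", "lng", "longitude"},
}
TRACKER_DOMAINS = {"tracker.example"}

def field_names(url, body):
    """Lower-cased parameter names from the query string and request body."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query)}
    try:
        stack = [json.loads(body)]  # JSON body
    except ValueError:
        stack = []  # not JSON: treat the body as form-encoded
        names |= {k.lower() for k, _ in parse_qsl(body)}
    while stack:  # walk nested objects and arrays
        node = stack.pop()
        if isinstance(node, dict):
            names |= {k.lower() for k in node}
            node = list(node.values())
        if isinstance(node, list):
            stack.extend(node)
    return names

def audit(flows, consent_time):
    """Return (finding, host) pairs for one app's captured requests."""
    findings = []
    for flow in flows:
        parts = urlsplit(flow["url"])
        host = parts.hostname or ""
        if parts.scheme == "http":  # request left the device unencrypted
            names = field_names(flow["url"], flow.get("body", ""))
            findings += [(label, host) for label, keys in SENSITIVE.items() if names & keys]
        tracker = any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)
        if tracker and flow["time"] < consent_time:
            findings.append(("tracker-before-consent", host))
    return findings

# Constructed capture (not data from the study); consent was given at t=4.0.
LOGIN = "email=owner%40mail.example&password=constructed-pw"
PROFILE = '{"user": {"address": "1 Example Street", "pos": [{"lat": 0.0, "lng": 0.0}]}}'
SAMPLE_FLOWS = [
    {"time": 1.0, "url": "https://sdk.tracker.example/init"},
    {"time": 5.0, "url": "http://api.petapp.example/login", "body": LOGIN},
    {"time": 6.0, "url": "http://api.petapp.example/profile", "body": PROFILE},
    {"time": 7.0, "url": "https://api.petapp.example/login", "body": LOGIN},
]
```

Calling `audit(SAMPLE_FLOWS, consent_time=4.0)` flags the early tracker request and the two HTTP requests, while the same login sent over HTTPS produces no finding.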