TL;DR
- Data from legitimate microchip databases may be leaking or being scraped
- Enumeration attacks, where chip ID numbers are guessed, expose owner contact details
- Vet and warden accounts often lack proper access controls or MFA
- A past data incident at Petlog may have seeded these problems
We were recently on BBC Morning Live talking about issues with pet microchip data, helping some pet owners understand how they were being billed for services which they didn’t recall signing up for. There was so much more to this piece though, so we’ve written up our findings in more detail here.
It’s a rabbit hole of leaky data, inconsistency and privacy nightmares. Some chip database operators are good, some less so.
Background
All cats and dogs in the UK must be microchipped and registered with a government approved database. If a stray is found, the chip can be read using a handheld reader and the pet reunited with its owner. Or at least that’s what’s supposed to happen…
Getting started
We had a call from BBC Morning Live asking for help understanding how some viewers thought they had been scammed by a web site called PetChip.info. They had been emailed to ask for a renewal payment for their pet microchip registration, together with all of the information held about their pet.
Having seen the emails and the pet data contained in them I can see why the viewers paid up. Surely the site was legitimate if it held so much data about them? Here’s an example email:
And here’s the related data available online by simply entering the pet chip ID into PetChip.info:
What raised our suspicions is that most of the government approved databases insist on only a one-off payment, with no renewal fees. They do ask for further payments if changes are made to the data though. The full list of UK Gov approved providers is here. Note that PetChip is not on the list.
How could PetChip have so much data about the viewers pets? Let’s go down that rabbit hole.
Initial theories
1: The viewers had previously erroneously signed up to the PetChip web site and were simply renewing.
After speaking to several of the viewers, we discounted this as all were adamant they had never done so and had no prior email or contact from PetChip.
2: Vet / dog wardens / police accounts being compromised and data being scraped.
Vet accounts have elevated access to customer data, to allow owner and pet to be reunited. We spoke to several vets who had access to these accounts and discovered that some databases were protected only with one username/password per practice and those credentials were shared around the vets’ practice. The same was apparently the case for dog wardens and police.
It would take little for those credentials to be stolen, perhaps through malware, or possibly through coercion of a vet / dog warden worker.
This could be mitigated with granular access controls and MFA, rate limiting, and similar, to prevent data being scraped. We feel there is a gap here that government needs to regulate better.
3: A data breach
This is where it got interesting. There is a suggestion of a ‘data incident’ (I won’t say breach) at Petlog, run by the Kennel Club, back in 2021. We found evidence that some pets who were registered with Petlog before 2021 were found in the PetChip database, but not those after 2021. This smells of a data breach, but we can’t currently prove it.
However, there was also some commonality of data from PetTrac- chipped pets in the PetChip dataset. Could both have been breached and the data used? Hard to prove or disprove.
4: Data scraping through enumeration
After asking everyone we know who has a pet to provide their pet microchip ID, we went further. We were rightly limited by the Computer Misuse Act (Section 1: Unauthorised access to computer material), but still made findings that suggest other types of data leakage.
Across our team we had pets registered with 5 of the 14 databases in the UK.
The first surprise was with Animal Tracker. Most pet microchip IDs are 15 digits long, following ISO 11784 and 11785, covering FDX-B.
A sample might look like this: 9922000000█████ – this is an Animal Tracker ID.
- If the first digit is a 9 this means the first 3 digits identifies the manufacturer. (Unless the first 3 digits are 900 then the first 6 digits identifies the manufacturer.)
- If the first digit is anything other than a 9 this means it’s showing the country code. This usually means the pet has been microchipped in that particular country. You can find a list of these here.
The number format got my spidey senses tingling: 992200000088687 An opening manufacturer ID (992 – (Smartrac Specialty GmbH)), a lot of zeros, then a low number.
We looked at some more of our pets who had Animal Tracker chips. All had a similar format. I’m now thinking ‘enumeration’ aka simply finding other chip IDs by iterating the number up and down.
I read my own dogs’ chips using a £15 reader from Amazon. One was with Animal Tracker, and the number was 9922000000█████. What attracted my attention were the last 5 digits. I found a colleague’s Animal Tracker ID and noticed that it was only a few thousand numbers behind in the series.
So, I entered my chip ID into the search at Animal Tracker to see what it came back with:
It was quite a surprise to find my wife’s phone number publicly disclosed. I guess we agreed to this when we signed up, but it seems quite a risk to disclose data, given the sequential format of chip IDs:
A colleague had an ID a few thousand numbers above mine, so with permission I used his ID and could retrieve his details, proving that enumeration of personal data was possible. I’m not sharing that data here, but it proved the point that pet owner’s details could be trivially mined from Animal Tracker through enumeration. As mentioned earlier, going any further at this point could breach the Computer Misuse Act, so I don’t recommend it!
Several of the other chip databases that colleagues supplied their chip IDs for also looked like they may be open to enumeration, but I’m not going down that path for obvious reasons.
Conclusion
I had never considered that my pets might have vulnerabilities!
There is clearly a lack of consistency and standards set by the UK government; whilst interoperability between databases is good, there is variability around what customer data is exposed at what point to whom. This has to change.
