Endpoint Security , Governance & Risk Management , Internet of Things Security

Not the Cat's Meow: Petnet and the Perils of Consumer IoT

Small IoT Makers Need to Specify Support Terms for Cloud-Enabled Devices
Not the Cat's Meow: Petnet and the Perils of Consumer IoT
Petnet's SmartFeeder (Photo: Petnet)

When enterprises enter a contract for a cloud service, service-level agreements dictate the expectations, such as for availability and what happens when something goes wrong.

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

If something does go wrong, the SLAs clearly describe how the service provider is supposed to act as well as the penalties for noncompliance. SLAs are a critical part of trust in the enterprise landscape and a way to hold a service provider's feet to the fire.

But for internet-connected consumer devices, expectations for dealing with problems are not nearly as transparent, nor are the problems easy to remediate. And the case of Petnet offers a great example of the risks associated with consumer IoT.

Petnet's saga has been chronicled in stories by Ars Technica, The Wall Street Journal and others. But it's a cautionary tale that is worth retelling because it points to a rising concern around internet-connected consumer devices: How long should a device be supported, and what recourse do consumers have when it's not?

Going Hungry

To summarize, Petnet sold an automatic pet feeder, the SmartFeeder, which was linked to a cloud service. The cloud service powered the Petnet App, which enabled owners to control when and how much food is dispensed. The SmartFeeder was also compatible with the indoor Nest Cam, which enabled users to remotely watch their cats eat.

The device had a backup battery and a timer, which allowed for feedings to take place if the power went out or internet access went down. That backup lasted seven hours.

Petnet's feeders first went offline in February for about a week before coming back, according to Ars Technica. Another outage happened in March; Petnet blamed it on a third-party supplier. Several weeks later, Petnet said its funding had dried up and it had furloughed its staff, with the apparent exception of CEO Carlos Herrera.

By the end of May, Petnet reported the results of a poll of its customers, whom the company said supported a subscription model of $4 a month or $30 a year. Some customers, eager to get their feeder running again, paid. The service appeared to work for a bit, but ultimately didn't become fully functional, and users had trouble reaching Petnet support, Ars Technica reported.

Petnet's last tweet on June 11 indicated a problem had been fixed, but users still nonetheless reported issues.

My efforts to reach Herrera and Petnet's co-founder and CTO, Christopher Diebner, and former chief operating officer, Anu Saptharishi, were unsuccessful.

Petnet's feeder retailed for $149, so it wasn't a trivial investment. There certainly is enough competition in this market to get a cheaper feeder; a gravity-fed one absent a timer or other features costs about $4. It's unclear if Petnet plans to compensate customers. But because the company has already indicated it's broke, that seems unlikely.

Service Guarantees

The larger question is this: How can consumers avoid getting into this situation in the first place?

Cloud services are easy to spin up - and just as quick to vanish. People take for granted that something just works until it doesn't. Behind the scenes, software and services need near constant monitoring, tweaking and maintenance, including security updates (see: Smart Devices: How Long Will Security Updates Be Issued?).

As The Wall Street Journal story mentions, there have been recommendations that connected devices be sold with an expiration date, similar to food. The idea is that a company and manufacturer will pledge to support a device until a certain point in time (see: IoT Privacy and Security: Will Product Labels Help Buyers?).

Microsoft already does this, telling customers years in advance how long support or extended support will be available for its operating systems. But small companies, such as Petnet, aren't in the same financial position as a behemoth like Microsoft.

But even small companies should have to plan for the future. When a company creates a device, it needs to ensure that the cloud service portion of it will be funded for, say, at least three years. Think of it as a type of SLA, with legal recourse, for consumer-connected devices. Such an SLA should include all-important security updates - lest the automatic cat feeder become a node in a botnet or bricked by malicious attackers who, for some reason, don't like pets.

Naysayers will argue that such a requirement would invariably increase expenses for startup companies. But it would also force greater responsibility on the part of companies as well as broadly bolster consumer confidence in the growing connected device industry.

In theory, consumer protection laws should provide some recourse for devices that are just a few months old but no longer function. But pursuing legal avenues can take years, and regulators may not have the resources to chase down small companies.

Until this gets sorted out, perhaps a $4 gravity feeder is a better option.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.