Device Security Basics

Is the WHISTLE™ secure? Here’s what you need to know

A lot of people are concerned about cyber security these days—and with good reason. We keep hearing about all kinds of data breaches, ransomware and other malware attacks, and other security incidents that can result in lost or stolen data.

Virtually anything that’s connected on a network can potentially be hacked by a cyber criminal. The key to ensuring the protection and privacy of data is to control who has access to the information, and encrypt any sensitive information so that if attackers are able to break into a network, they won’t be able to use the data in any meaningful or harmful way.

We have taken a number of steps to make sure that users of Whistle devices don’t need to be concerned about security issues and the safety of their data, and will continue to update our security capabilities as new methods of protecting data emerge.

Following is a quick primer in an FAQ format that describes how we’ve addressed a number of security issues and concerns, without affecting the performance of our technology:

Q. What is the company’s general philosophy toward cyber security, and how high a priority is customer data protection?

A. Protecting our customers and their pets is the number one priority for Whistle. This means building robust designs that ensure availability of critical services (like breach notifications, location tracking, etc) and securing user/pet critical data. We take great care in how we design our storage and transfer of sensitive information to ensure high security. We also partner with security specialists to regularly audit our security capabilities and make sure they are up to date.

Q. What sort of user access and authentication controls are in place for the technology?

A. We use a variety of access controls with our system. For app and user access we use OAuth 2, an authorization framework that allows applications to obtain limited access to user accounts on an Internet service. This is done via a stateless communications protocol, meaning no information is retained by either the sender or the receiver.

For device access we leverage TLS (Transport Layer Security) over WiFi connections. TLS is the standard security technology for establishing an encrypted link between a Web server and a browser. It ensures that all data passed between Whistle servers and clients remain private and secure. For device access via Bluetooth connections we selectively encrypt sensitive payloads, such as location.

Our hosted services and servers are all behind a private cloud that can only be accessed via a virtual private network (VPN) with regularly rotating authentication keys to ensure controlled access.

Q. Is there any possibility that someone could hack into the system, and if so what damage could result from that?

A. As with any connected system, there is always a risk that someone could hack in and access user data—despite all our efforts to prevent this from happening.

To mitigate the risk Whistle retains security partners to test and audit our systems security.

In case there is a security breach involving sensitive data, Whistle will inform any affected customers as soon as reasonably possible.

Q. How does the company leverage encryption technology to protect user data?

A. We encrypt sensitive data whenever it is transmitted by a user. Sensitive data primarily includes location data.

Q. Which data is not encrypted, and why is it not encrypted?

A.  Sensitive user information is always encrypted. In some cases non sensitive data such as hardware debugging and activity information is not encrypted. The reason for this is to ensure the best possible user experience, for setup of the system and battery life. We follow industry best practice for Bluetooth Low Energy (BLE), which is to use an unencrypted radio connection and secure the information “out of band.” It is in our proprietary out-of-band implementation that we encrypt sensitive data.

Q. Is there anything customers need to do in order to enhance the security of the system?

A. The best thing customers can do is ensure that their WiFi network is setup to use the latest security standards available (at time of writing this was Wi-Fi Protected Access II (WPA2), a security protocol and certification program).

Q. Is Whistle planning to add any new features that will strengthen the security of the system even more?

A. Yes, we are continuously evolving our encryption and authentication protocols, and will continue to partner with external security firms to audit our security controls.