26 vulnerabilities found in parental monitoring application
A new Citizen Lab report details results of two independent audits of the privacy and security of Smart Sheriff, a parental monitoring application that has been promoted by the South Korean government.
The researchers found 26 vulnerabilities that could compromise the privacy and security of minors and parents who use Smart Sheriff. The audits were conducted by researchers who collaborated at the 2015 Citizen Lab Summer Institute, and by the security audit firm Cure53.
“Parents worldwide have growing concerns about their children’s use of social media and mobile devices. However, this case shows precisely how good intentions can end up seriously wrong — in this case, a government-promoted parental monitoring application actually putting children at greater, rather than less, risk of harm.” — Ron Deibert, Director of the Citizen Lab, and Professor of Political Science at the University of Toronto.
The researchers notified the developers of vulnerabilities following a responsible disclosure process, and sought to have the issues addressed in a timely fashion. As of the date of publication, it is not clear whether the problems identified have been corrected.
In April 2015, a mandate proposed by the Korean Communications Commission (KCC) came into effect requiring South Korean telecommunications operators to provide the means to block harmful content on minors’ mobile phones. While a number of applications meet the requirements, Smart Sheriff, developed by the Korean Mobile Internet Business Association (MOIBA), received promotion and financial support from the KCC. Compared to other Korean-language parental parental-monitoring applications, it is widely used (between 100- and 500 thousand users), and has received substantial publicity from the KCC.
Smart Sheriff, which is available for Android and iPhone, allows parents to remotely block content and monitor and administer applications on their child’s mobile device, as well as schedule when the phone can be used.
The researchers identified 26 security vulnerabilities in recent versions of Smart Sheriff on Android (versions 1.7.5 and under). These vulnerabilities could be used by an attacker to disable Smart Sheriff accounts, tamper with data, and steal personal information, the report explains.
The Smart Sheriff versions analyzed by the researchers stored and transmitted user data insecurely, and did not properly implement industry-standard encryption. This insecurity makes it possible for attackers to monitor data, and impersonate both servers and apps to tamper with data.
The researchers also found that Smart Sheriff sends browsing data back to MOIBA servers, despite this functionality purportedly being disabled in May 2015 over privacy concerns.
The researchers found accounts can be registered and managed without proper validation or passwords, which could lead to the compromise and hijacking of user accounts. Attackers could even remotely disrupt some of the functions of phones that have Smart Sheriff installed. In addition, Smart Sheriff’s parental limits and controls can be easily disabled and circumvented.
The researchers found Smart Sheriff’s infrastructure is not properly maintained or protected. The servers are running outdated software, according to the report, and do not properly implement industry-standard security and encryption. In addition, the servers do not track or reject brute force attempts to collect user data or erroneous requests, which could lead to compromise of the service, and its users, at a large scale.
Legal and policy implications
“The problems with Smart Sheriff suggest that the application does not meet the requirements for data protection and information security established under Korean law.” – Sarah McKune, Senior Legal Advisor, The Citizen Lab
“This situation raises serious concerns under international human rights law, given the potential of this government-supported mobile application to compromise user privacy, and the widespread adoption of the app as a result of the government mandate.” – Sarah McKune, Senior Legal Advisor, The Citizen Lab