A South Korean child monitoring app is so fraught with vulnerabilities that security researchers warn it could lead to the compromise of users’ accounts, disclosure of minors’ information, and a smattering of other issues.
Researchers with the Canadian watchdog group Citizen Lab discovered 26 vulnerabilities and design flaws in Smart Sheriff, a children’s monitoring app that gained popularity this summer when its use was essentially mandated by the Korean government.
Upwards to half a million South Koreans use the app to keep tabs on their children, how often they use their phone, what websites they’re visiting, and so on.
Citizen Lab said it notified the group that distributed the app, the Korean Mobile Internet Business Association, or MOIBA, of the vulnerabilities in early August. While it addressed several of the issues, it’s unclear exactly how many have been fixed to date. According to a timeline provided to Citizen Lab by the association, fixes for at least 20 of the issues should have been in place yesterday, but Citizen Lab hasn’t verified this and MOIBA has stopped corresponding with the group.
Perhaps the app’s biggest problem is that it fails to encrypt any of its user data. This means that names of minors and parents, dates of birth, mobile device information, gender, and telephone numbers could all be intercepted if an attacker gained control of the network it was on. As Citizen Lab points out, the way Smart Sheriff goes about sending information to its own servers not only goes against best practices, but also Korean law.
The app suffers from inconsistent and insufficient authentication Citizen Lab claims as well. The app accepts requests without verifying the person sending it even owns the account, meaning that if an attacker had a user’s phone number, they could retrieve information, modify accounts, and disable devices, it warns.
The infrastructure of MOIBA, which oversees the app, suffers from shoddy transport encryption, as well.
“Their servers fail to meet common security standards,” Citizen Lab writes, “The deployment is based on obsolete and insecure protocols that are vulnerable to attacks that could lead to the interception and impersonation of MOIBA’s servers.”
On top of all these vulnerabilities Citizen Lab is also warning that the software behind the app is so hopelessly out of date – in some instances two years old – that makes it even more susceptible to error and compromise.
When combined, all the issues leave the door open for a total compromise, researchers with Citizen Lab warn.
“Combinations of the identified vulnerabilities could lead to mass compromise of accounts or service disruption. An attacker with the resources to run a high volume of queries against Smart Sheriff could potentially identify all of Smart Sheriff’s users, and then use the vulnerabilities we identified to systematically disrupt all subscribers’ devices or the service itself,” the researchers write.
Boasting close to 500,000 users, Smart Sheriff is one of several apps that fulfills a mandate passed in April that requires South Korean telecom operators to block harmful content on the mobile phones of minors. The fact that a regulatory body, the Korean Communications Commission (KCC) helped develop and promote the app in April this year, has prompted discussion in the sovereign state around human rights law as it pertains to children’s privacy and mobile devices.
Both Citizen Lab, which is based at the University of Toronto’s Munk Centre for International Studies, and Cure53, a German pen testing service, carried out audits on Smart Sheriff and released reports about the app simultaneously on Sunday.
In Cure53’s writeup (.PDF) researchers claimed the apps “tremendously lack security in every imaginable aspect and that “obligatory utilization of this app for each and every mobile user below a certain age threshold should clearly be considered feckless.”