Tue, Sep 22, 2015 - Page 6

South Korean surveillance apps put children at risk

UNSECURE SNOOPERS: Seoul requires phones sold to those under the age of 18 to have monitoring apps, but a lack of encryption makes them vulnerable

AP, SEOUL

South Korean high-school students play games on their smartphones on a sidewalk bench in Seoul on July 16.

Photo: AP

Security researchers say they found critical weaknesses in a South Korean government-mandated child-surveillance app — vulnerabilities that left the private lives of the nation’s youngest citizens open to hackers.

In separate reports released on Sunday, Internet watchdog group Citizen Lab and German software auditing company Cure53 said they found a catalog of worrying problems with “Smart Sheriff,” the most popular of more than a dozen child-monitoring programs that South Korea requires for new smartphones sold to minors.

“There was literally no security at all,” Cure53 director Mario Heiderich said. “We’ve never seen anything that fundamentally broken.”

Smart Sheriff and its fellow surveillance apps are meant to serve as electronic baby sitters, letting parents know how much time their children are spending with their phones, keeping kids off objectionable Web sites and even alerting parents if their children send or receive messages with words like “bully” or “pregnancy.”

In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software, a first-of-its-kind move, Korea University law professor Park Kyung-sin said.

The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app.

Sometime afterward, Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, and Cure53, acting on a request from the Washington-based Open Technology Fund, began sifting through Smart Sheriff’s code.

What they found was “really, really bad,” Heiderich said.

A LOT OF FLAWS

Children’s telephone numbers, birth dates, Web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept.

Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents.

Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app’s 380,000 users could be compromised at once.

“Smart Sheriff is the kind of baby sitter that leaves the doors unlocked and throws a party where everyone is invited,” said Collin Anderson, an independent researcher who worked with Citizen Lab on its report.

Citizen Lab said it alerted MOIBA, the association of South Korean mobile operators that developed and operated the app, to the problems on Aug. 3.

When contacted on Friday, MOIBA said the vulnerabilities had been fixed.

“As soon as we received the e-mail in August, we immediately took action,” said Noh Yong-lae, a manager in charge of the Smart Sheriff app.

The researchers were skeptical.

“We suspect that very little of these measures taken actually remedy issues that we’ve flagged in the report,” Anderson said, adding that he believed at least one of MOIBA’s fixes had opened a new weakness in the program.

Independent experts were also not impressed with Smart Sheriff.

ZERO RATING

Ryu Jong-myeong, chief executive of security firm SoTIS, said the app did now appear to be encrypting its transmissions.

However, he was scathing about some of the other failures uncovered by Citizen Lab, giving Smart Sheriff’s server infrastructure a security rating of zero out of 10.

“People who made Smart Sheriff cared nothing about protecting private data,” he said.
