Security researchers say they found critical weaknesses in a South Korean government-mandated child-surveillance app — vulnerabilities that left the private lives of the nation’s youngest citizens open to hackers.
In separate reports released on Sunday, Internet watchdog group Citizen Lab and German software auditing company Cure53 said they found a catalog of worrying problems with “Smart Sheriff,” the most popular of more than a dozen child-monitoring programs that South Korea requires for new smartphones sold to minors.
“There was literally no security at all,” Cure53 director Mario Heiderich said. “We’ve never seen anything that fundamentally broken.”
Smart Sheriff and its fellow surveillance apps are meant to serve as electronic baby sitters, letting parents know how much time their children are spending with their phones, keeping kids off objectionable Web sites and even alerting parents if their children send or receive messages with words like “bully” or “pregnancy.”
In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software, a first-of-its-kind move, Korea University law professor Park Kyung-sin said.
The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app.
Sometime afterward, Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, and Cure53, acting on a request from the Washington-based Open Technology Fund, began sifting through Smart Sheriff’s code.
What they found was “really, really bad,” Heiderich said.
A LOT OF FLAWS
Children’s telephone numbers, birth dates, Web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept.
Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents.
Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app’s 380,000 users could be compromised at once.
“Smart Sheriff is the kind of baby sitter that leaves the doors unlocked and throws a party where everyone is invited,” said Collin Anderson, an independent researcher who worked with Citizen Lab on its report.
Citizen Lab said it alerted MOIBA, the association of South Korean mobile operators that developed and operated the app, to the problems on Aug. 3.
When contacted on Friday, MOIBA said the vulnerabilities had been fixed.
“As soon as we received the e-mail in August, we immediately took action,” said Noh Yong-lae, a manager in charge of the Smart Sheriff app.
The researchers were skeptical.
“We suspect that very little of these measures taken actually remedy issues that we’ve flagged in the report,” Anderson said, adding that he believed at least one of MOIBA’s fixes had opened a new weakness in the program.
Independent experts were also not impressed with Smart Sheriff.
ZERO RATING
Ryu Jong-myeong, chief executive of security firm SoTIS, said the app did now appear to be encrypting its transmissions.
However, he was scathing about some of the other failures uncovered by Citizen Lab, giving Smart Sheriff’s server infrastructure a security rating of zero out of 10.
“People who made Smart Sheriff cared nothing about protecting private data,” he said.
Kwon Seok-chul, chief executive of computer security firm Cuvepia, said the lingering weaknesses meant children’s data was still at risk.
“From a hacker’s point of view, [the door] stays open,” he said.
Many smartphone applications are unsafe, leaking private data or sending or storing it in risky ways.
However, Citizen Lab director Ronald Deibert said Smart Sheriff, a government-mandated program intended to monitor the intimate moments of so many children’s lives, merited special scrutiny.
“This is not just a fitness tracker,” Deibert said. “It’s an application meant to satiate parents’ concerns about their children’s use of mobile or social media, which is in fact putting them at more risk.”
Park said the security flaws should push the government “to revisit the whole idea of requiring a personal communication device to be equipped with software that allows another person to monitor and control that device.”
Some South Korean parents might soldier on with Smart Sheriff regardless.
PARENTS’ REACTIONS
Lee Kyung-hwa, a mother of two whose Cyber Parents Union On Net endorses child surveillance, said all the app needs is an upgrade.
“If mothers feel happy thanks to the app, it is still helpful,” she said.
However, Kim Kha-yeun, a general counsel at libertarian-minded Open Net Korea, predicted that the revelations would turn parents against the technology.
“If they knew that the apps infect and endanger their children, I don’t think any South Korean parents would want their children to have this monitoring app,” he said.
The research has already led one mother to say she was uninstalling Smart Sheriff.
Yoon Jiwon said she had previously been put off by the way in which the battery-hungry app kept sending her misleading alerts about her sons being bullied, prompting her to cross-examine them about each chat and text message, breeding frustration and mistrust.
She plans to uninstall the app after learning about the security weaknesses uncovered by Citizen Lab and now says Smart Sheriff was not a good way of interacting with her children.
“It’s just not right for a mom to snoop on everything,” she said.