RISK: South Korean child surveillance app open to hackers

"There was literally no security at all."

Security researchers say they found critical weaknesses in a South Korean government-mandated child surveillance app that left the private lives of the country’s youngest citizens open to hackers.

In separate reports released Sunday, Internet watchdog group Citizen Lab and German software auditing company Cure53 said they found a catalogue of worrying problems with “Smart Sheriff,” the most popular of more than a dozen child monitoring programs South Korea requires for new smartphones sold to minors.

Read: South Korean apps monitor kids’ smartphone activity, infringe on privacy

“There was literally no security at all,” Cure53 director Mario Heiderich said. “We’ve never seen anything that fundamentally broken.”

Smart Sheriff and its fellow surveillance apps are meant to serve as electronic baby sitters, letting parents know how much time their children are spending with their phones, keeping kids off objectionable websites and even alerting parents if their children send or receive messages with words like “bully” or “pregnancy.”

In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software–a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app.

Read: Surveillance company loses control of spy software after cyber breach

Sometime afterward, Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, and Cure53, acting on a request from the Washington-based Open Technology Fund, began sifting through Smart Sheriff’s code.

What they found was “really, really bad,” Heiderich said.

Children’s phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands–or even all–of the app’s 380,000 users could be compromised at once.

“Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited,” said Collin Anderson, an independent researcher who collaborated with Citizen Lab on its report.

Citizen Lab said it alerted MOIBA, the association of South Korean mobile operators that developed and operated the app, to the problems on Aug. 3. When contacted Friday, MOIBA said the vulnerabilities had been fixed.

“As soon as we received the email in August, we immediately took action,” said Noh Yong-lae, a manager in charge of the Smart Sheriff app.

Read: Stolen medical identities

The researchers were skeptical.

“We suspect that very little of these measures taken actually remedy issues that we’ve flagged in the report,” Anderson said, adding that he believed at least one of MOIBA’s fixes had opened a new weakness in the program.

Independent experts also weren’t impressed with Smart Sheriff.

Ryu Jong-myeong, chief executive of security firm SoTIS, said the app did now appear to be encrypting its transmissions. But he was scathing about some of the other failures uncovered by Citizen Lab, giving the Smart Sheriff’s server infrastructure a security rating of zero out of 10.

“People who made Smart Sheriff cared nothing about protecting private data,” he said.

Kwon Seok-chul, chief executive of computer security firm Cuvepia Inc., said the lingering weaknesses meant children’s data was still at risk.

“From a hacker’s point of view, (the door) stays open,” he said.

 

Copyright © 2017 Transcontinental Media G.P.
Transcontinental Media G.P.