Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate

from the dysfunctional-by-design dept

A few months ago, the South Korean government strongly suggested parents load their children’s cell phones up with government-approved spyware. It recommended an app called “Smart Sheriff.” The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children’s shoulder while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.

It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.

Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn’t even live up to the government’s own standards for data and information security.

Citizen Lab has uncovered a plethora of flaws that make Smart Sheriff even worse than it was when it was simply government-approved spyware.

> We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child’s gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can’t be bothered to arrange for its safe travel?)

What comes through as plaintext is the user’s browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they’re addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.

Beyond that, the obfuscation protecting the software’s authentication mechanism can be reversed by reverse engineering or decompiling the app. There’s layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily prised doors.

> The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.
>
> For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The “do something” do-goodery we see in our own legislators is echoed here. In response, a “good enough” solution is mandated, even if it’s not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes — not even the company that made the app.

> After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.

As Citizen Lab points out, the software does too much and too little simultaneously, combining the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children’s privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children’s cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.

Companies: citizen lab


Comments on “Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate”

25 Comments
That One Guy (profile) says:

'Not our problem, now pick up that can'

Do the security flaws affect government security, such that the citizens might be able to find out details of the private lives and/or dealings of government employees?

If ‘No’, then obviously the government isn’t going to care. It’s not like they introduced mandatory spyware for the sake of the citizens after all.

Violynne (profile) says:

Smart Sheriff. Hmm. Why does this sound so familiar, a government agency promoting flawed software?

Oh, right!
https://www.techdirt.com/articles/20141001/11474028693/computercop-keylogging-spyware-distributed-police-federal-agents-with-your-tax-dollars.shtml

Perhaps it’s time to stop putting “authority” words in software titles to mislead the public into trusting that the product is actually good.

Andrew (profile) says:

There was the same issue with ComputerCop as Violynne pointed out, even down to the claims put out by law enforcement (as you can see in this video where the EFF first revealed the issue while showing some of the footage – https://youtu.be/RRDhuHBk3gY?t=2m12s)

We revisited it again somewhat in this year’s followup panel 2 weeks ago https://www.youtube.com/watch?v=XfrHPmEhR1Q

Anonymous Coward says:

Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

You’re acclimated to that, barely notice, and when pointed out, just resent that! Fact is, government and corporations don’t care beans about YOU or children. They gain power by taking your privacy, and the end goal is that you have zero privacy, so this is probably a plus. Just lie back and enjoy being googled. (Yes, Google not directly involved here: I’m still trying to get you lurbles to see the big pitcher of the total surveillance state that you’re not opposing — unless it stops anyone from viewing porn!)

Ha, that ID and browser session was poisoned at 4th comment! Didn’t exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. — Again, don’t tell me it’s not deliberate targeted censorship! By the hundredth time now, it’s just not credible.

Derek (profile) says:

Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

There is a big difference between voluntarily giving Google or Facebook data, and the government (any government) just taking it. If you don’t like Google, there are lots of alternatives. If you don’t like Facebook, don’t use it.

You can’t just leave your home country.

tqk (profile) says:

Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

> There is a big difference between voluntarily giving Google or Facebook data, and the government (any government) just taking it.

True, I agree.

> If you don’t like Google, there are lots of alternatives. If you don’t like Facebook, don’t use it.

I’m not so sure that’s true. I see my browser whispering to Google, Facebook, LinkedIn, et al all the time, yet I never consciously tell it to use any of them. Unless you use something like noscript, you’re going to have server-side stuff going on in the background doing damned near anything.

Anonymous Coward says:

Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

> Ha, that ID and browser session was poisoned at 4th comment! Didn’t exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. — Again, don’t tell me it’s not deliberate targeted censorship! By the hundredth time now, it’s just not credible.

So then what you’re saying is, despite the “censorship” and the “report button” and the constant pointing out by the replies from other commenters as to what an out of touch fucktard you are, you STILL can’t take a hint?

Just Another Anonymous Troll says:

Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

Sigh. That argument is a strawman, and a pretty beat up one at that.
1. I choose to use Google. I don’t choose to be surveilled.
2. Google can’t put me in google jail. The government can.

Also, if you’re getting a poisoned cookie then good for you. You can always make your own idiot blog where you say idiot things. This is Mike’s platform, and part of HIS free speech rights allows him not to host your drivel.

btr1701 (profile) says:

Nagware

> And, if South Korean parents somehow felt the
> government might be overstepping its bounds a bit,
> cell phone providers were obliged to hassle parents
> about underuse of the government-approved spy app.

It seems like the best way to get around this law (especially the “nagware” part) is to just not tell the retailer you’re buying the phone for your kid. Just say it’s for yourself or your spouse or something, and then give it to your kid when you get home.

Anonymous Coward says:

Why lock it down in storage?

> Why lock it down in storage if you can’t be bothered to arrange for its safe travel?

I just couldn’t let that pass without comment.

Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren’t there to capture it, it is gone.

That’s why locking down storage is more important than encrypting it in transit. They are both important, but storage is more important.

tqk (profile) says:

Re: Why lock it down in storage?

> Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren’t there to capture it, it is gone.

But when it’s in transit, it’s in the open and lots of people who’re already looking for it can get it. Since computers and processes never need to sleep, they can be ever vigilant, unlike the lone burglar who needs to bang his head on one specific wall to get in.
