Privacy

by Tim Cushing


Filed Under:
leaks, privacy, smart sheriff, south korea, spyware

Companies:
citizen lab



Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate

from the dysfunctional-by-design dept

A few months ago, the South Korean government strongly suggested parents load their children's cell phones up with government-approved spyware. It recommended an app called "Smart Sheriff." The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children's shoulders while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.

It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.

Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn't even live up to the government's own standards for data and information security.

Citizen Lab has uncovered a plethora of flaws that make Smart Sheriff even worse than it was when it was simply government-approved spyware.

> We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child's gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can't be bothered to arrange for its safe travel?)

What comes through as plaintext is the user's browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they're addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.

Beyond that, the obfuscation behind the software's authentication process can be undone by reverse engineering or decompiling the app. There's layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily prised doors.

> The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.

> For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The "do something" do-goodery we see in our own legislators is echoed here. In response, a "good enough" solution is mandated, even if it's not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes -- not even the company that made the app.
> After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.

As Citizen Lab points out, the software does too much and too little, simultaneously, gathering the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children's privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.
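
The difference between a device identifier hidden by reversible obfuscation and a credential the server actually issues can be shown in a short sketch. This is an added example, not code from Citizen Lab's report or from Smart Sheriff: the XOR scheme, APP_KEY, both server classes and the sample identifier and record are constructed stand-ins, since the app's real scheme is not described here.

```python
import hmac
import secrets

# Constructed stand-in: the page does not describe Smart Sheriff's real scheme.
APP_KEY = b"static-key-shipped-in-app"  # anyone who decompiles the app has this

def xor_obfuscate(data: bytes) -> bytes:
    """Reversible obfuscation: the same call hides and reveals the value."""
    return bytes(b ^ APP_KEY[i % len(APP_KEY)] for i, b in enumerate(data))

class WeakServer:
    """Weak design: the obfuscated device identifier is the entire credential."""
    def __init__(self, accounts: dict):
        self.accounts = accounts
    def get_profile(self, token: bytes):
        return self.accounts.get(xor_obfuscate(token).decode(errors="replace"))

def sign(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Client side of the hardened design: HMAC-SHA256 over nonce + identifier."""
    return hmac.digest(key, nonce + device_id.encode(), "sha256")

class HardenedServer:
    """Hardened design: a random per-device secret is issued at registration."""
    def __init__(self):
        self.accounts, self.keys, self.seen = {}, {}, set()
    def register(self, device_id: str, profile: dict) -> bytes:
        self.accounts[device_id] = profile
        self.keys[device_id] = secrets.token_bytes(32)
        return self.keys[device_id]  # sent once, over certificate-validated TLS
    def get_profile(self, device_id: str, nonce: bytes, tag: bytes):
        key = self.keys.get(device_id)
        if key is None or nonce in self.seen:  # unknown device or replayed nonce
            return None
        if not hmac.compare_digest(sign(key, device_id, nonce), tag):
            return None
        self.seen.add(nonce)
        return self.accounts[device_id]

def compare_designs() -> dict:
    device_id = "device-0001"                    # constructed sample identifier
    profile = {"parent_phone": "000-0000-0000"}  # constructed sample record
    weak, hard = WeakServer({device_id: profile}), HardenedServer()
    key = hard.register(device_id, profile)
    nonce = secrets.token_bytes(16)
    good_tag = sign(key, device_id, nonce)
    rebuilt = xor_obfuscate(device_id.encode())  # needs only the id and APP_KEY
    guessed = sign(APP_KEY, device_id, nonce)    # no per-device secret available
    return {
        "weak_accepts_rebuilt_token": weak.get_profile(rebuilt) == profile,
        "hardened_rejects_without_secret": hard.get_profile(device_id, nonce, guessed) is None,
        "hardened_accepts_enrolled_device": hard.get_profile(device_id, nonce, good_tag) == profile,
        "hardened_rejects_replay": hard.get_profile(device_id, nonce, good_tag) is None,
    }

if __name__ == "__main__":
    print(compare_designs())
```

The hardened variant only holds up if the per-device secret is delivered over a channel whose certificate is actually validated, which is the gap the v1.7.6 update is reported to have left open.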


Reader Comments

  • Ninja, 22 Sep 2015 @ 7:52am

    > On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.

    1984 wasn't built overnight, was it?

  • That One Guy, 22 Sep 2015 @ 7:54am

    'Not our problem, now pick up that can'

    Do the security flaws affect government security, such that the citizens might be able to find out details of the private lives and/or dealings of government employees?

    If 'No', then obviously the government isn't going to care. It's not like they introduced mandatory spyware for the sake of the citizens after all.

    • Derek, 22 Sep 2015 @ 10:05am

      Re: 'Not our problem, now pick up that can'

      It would only 'be a problem' if someone posted all the browsing history of some politician's kids. Then you might actually see some action.

      Right now it is a problem that happens to other people, and nothing for them to really pay attention to.

  • Violynne, 22 Sep 2015 @ 9:08am

    Smart Sheriff. Hmm. Why does this sound so familiar, a government agency promoting flawed software.

    Oh, right!
    https://www.techdirt.com/articles/20141001/11474028693/computercop-keylogging-spyware-distributed-police-federal-agents-with-your-tax-dollars.shtml

    Perhaps it's time to stop putting "authority" words in software title to mislead the public's trust the product is actually good.

  • Anonymous Coward, 22 Sep 2015 @ 9:57am

    Won't somebody think of the bureaucrats?

    They've got to eat!

  • Andrew, 22 Sep 2015 @ 10:01am

    There was the same issue with ComputerCop as Violynne pointed out, even down to the claims put out by law enforcement (as you can see in this video where the EFF first revealed the issue while showing some of the footage - https://youtu.be/RRDhuHBk3gY?t=2m12s)

    We revisited it again somewhat in this year's followup panel 2 weeks ago https://www.youtube.com/watch?v=XfrHPmEhR1Q

  • Anonymous Coward, 22 Sep 2015 @ 10:19am [flagged by the community]

    Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    You're acclimated to that, barely notice, and when pointed out, just resent that! Fact is, government and corporations don't care beans about YOU or children. They gain power by taking your privacy, and the end goal is that you have zero privacy, so this is probably a plus. Just lie back and enjoy being googled. (Yes, Google not directly involved here: I'm still trying to get you lurbles to see the big pitcher of the total surveillance state that you're not opposing -- unless it stops anyone from viewing porn!)


    Ha, that ID and browser session was poisoned at 4th comment! Didn't exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. -- Again, don't tell me it's not deliberate targeted censorship! By the hundredth time now, it's just not credible.

    • Derek, 22 Sep 2015 @ 10:47am

      Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

      There is a big difference between voluntarily giving Google or Facebook data, and the government (any government) just taking it. If you don't like Google, there are lots of alternatives. If you don't like Facebook, don't use it.

      You can't just leave your home country.

      • tqk, 23 Sep 2015 @ 8:01am

        Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

        > There is a big difference between voluntarily giving Google or Facebook data, and the government (any government) just taking it.

        True, I agree.

        > If you don't like Google, there are lots of alternatives. If you don't like Facebook, don't use it.

        I'm not so sure that's true. I see my browser whispering to Google, Facebook, LinkedIn, et al all the time, yet I never consciously tell it to use any of them. Unless you use something like noscript, you're going to have server-side stuff going on in the background doing damned near anything.

    • AC Unknown, 22 Sep 2015 @ 11:00am

      Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

      Seriously, OOTB, nobody is "poisoning" your ID here.

      Also, you can OPT OUT of Google's data collection.

      • tqk, 23 Sep 2015 @ 8:06am

        Whispering to the motherships.

        > Also, you can OPT OUT of Google's data collection.

        How? By not using Google? Will that tell all the advertisements my browser runs to not talk to Google?

        Google's data is anonymised (in theory) so I don't much care about them taking it, but I have no illusions about them taking it. They are.

    • Anonymous Coward, 22 Sep 2015 @ 12:06pm

      Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

      > Ha, that ID and browser session was poisoned at 4th comment! Didn't exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. -- Again, don't tell me it's not deliberate targeted censorship! By the hundredth time now, it's just not credible.

      So then what you're saying is, despite the "censorship" and the "report button" and the constant pointing out by the replies from other commenters as to what an out of touch fucktard you are, you STILL can't take a hint?

    • Ninja, 22 Sep 2015 @ 12:09pm

      Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

      > unless it stops anyone from viewing porn!

      That would be the closest to a zombie apocalypse we'd get to.

    • Anonymous Coward, 22 Sep 2015 @ 12:26pm

      Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

      No one cares about your stupid conspiracy theories.

    • Just Another Anonymous Troll, 23 Sep 2015 @ 4:52am

      Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

      Sigh. That argument is a strawman, and a pretty beat up one at that.
      1. I choose to use Google. I don't choose to be surveilled.
      2. Google can't put me in google jail. The government can.

      Also, if you're getting a poisoned cookie then good for you. You can always make your own idiot blog where you say idiot things. This is Mike's platform, and part of HIS free speech rights allows him not to host your drivel.

      • Anonymous Coward, 23 Sep 2015 @ 6:23pm

        Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

        But he does allow his drivel. Witness the comment and replies to said comment.

  • btr1701, 22 Sep 2015 @ 12:31pm

    Nagware

    > And, if South Korean parents somehow felt the
    > government might be overstepping its bounds a bit,
    > cell phone providers were obliged to hassle parents
    > about underuse of the government-approved spy app.

    It seems like the best way to get around this law (especially the "nagware" part) is to just not tell the retailer you're buying the phone for your kid. Just say it's for yourself or your spouse or something, and then give it to your kid when you get home.

  • Anonymous Coward, 22 Sep 2015 @ 1:15pm

    *gasp* Nobody could have predicted this

  • Anonymous Coward, 22 Sep 2015 @ 1:16pm

    Government-Mandated Software Leaking Data, lol who'd of thunk it.

  • Anonymous Coward, 22 Sep 2015 @ 1:22pm

    To fight North Korea we have to slowly become like North Korea

  • Anonymous Coward, 22 Sep 2015 @ 1:50pm

    Why lock it down in storage?

    > Why lock it down in storage if you can't be bothered to arrange for its safe travel?

    I just couldn't let that pass without comment.

    Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren't there to capture it, it is gone.

    That's why locking down storage is more important than encrypting it in transit. They are both important, but storage is more important.

    • tqk, 23 Sep 2015 @ 8:12am

      Re: Why lock it down in storage?

      > Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren't there to capture it, it is gone.

      But when it's in transit, it's in the open and lots of people who're already looking for it can get it. Since computers and processes never need to sleep, they can be ever vigilant, unlike the lone burglar who needs to bang his head on one specific wall to get in.

  • Anonymous Coward, 22 Sep 2015 @ 7:34pm

    What happened to (not easy to mess with filter programs, even by teenagers) to have your own policy at home? I know these exist still, they could be developed for smartphones couldn't they?

    South Korea is acting like Best Korea.
