New government mandated app puts children at risk
SEOUL, South Korea (AP):
Security researchers say they found critical weaknesses in a South Korean government-mandated child surveillance app - vulnerabilities that left the private lives of the country's youngest citizens open to hackers.
In separate reports released yesterday, Internet watchdog group Citizen Lab, and German software auditing company Cure53, said they found a catalogue of worrying problems with 'Smart Sheriff', the most popular of more than a dozen child-monitoring programs South Korea requires for new smartphones sold to minors.
"There was literally no security at all," Cure53 director Mario Heiderich said. "We've never seen anything that fundamentally broken."
Smart Sheriff and its fellow surveillance apps are meant to serve as electronic babysitters, letting parents know how much time their children are spending with their phones, keeping kids off objectionable websites, and even alerting parents if their children send or receive messages with words like 'bully' or 'pregnancy'.
In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software - a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app.
Sometime afterwards, Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, and Cure53, acting on a request from the Washington-based Open Technology Fund, began sifting through Smart Sheriff's code.
What they found was "really, really bad," Heiderich said.
Children's phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands - or even all - of the app's 380,000 users could be compromised at once.