Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate
from the dysfunctional-by-design dept
A few months ago, the South Korean government strongly suggested parents load their children's cell phones up with government-approved spyware. It recommended an app called "Smart Sheriff." The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children's shoulders while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.
It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.
Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn't even live up to the government's own standards for data and information security.
Citizen Lab has uncovered a plethora of flaws that make Smart Sheriff even worse than it was when it was simply government-approved spyware.
> We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child's gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can't be bothered to arrange for its safe travel?)
What comes through as plaintext is the user's browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they're addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.
Beyond that, the software's authentication process can be decrypted by reverse engineering or decompiling the app. There's layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily-prised doors.
> The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.
>
> For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The "do something" do-goodery we see in our own legislators is echoed here. In response, a "good enough" solution is mandated, even if it's not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes -- not even the company that made the app.
> After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.

As Citizen Lab points out, the software does too much and too little, simultaneously, gathering the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children's privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.
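The quoted finding about the device identifier describes a service that treats a derivable, interceptable value as the credential. As an added illustration (not Smart Sheriff's, MOIBA's or Citizen Lab's code), this example shows the usual alternative: the identifier stays a public lookup key and each request carries an HMAC made with a random per-device secret. `DeviceRegistry`, `sign`, the `/profile` path and the message layout are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable

def sign(secret: bytes, device_id: str, path: str, ts: int, nonce: str) -> str:
    # Newline-joined fields; a production format should length-prefix each field.
    msg = "\n".join([device_id, path, str(ts), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class DeviceRegistry:
    """Hypothetical server side: device identifier -> random per-device secret."""
    def __init__(self):
        self._secrets = {}
        self._seen = set()  # (device_id, nonce) pairs already accepted

    def register(self, device_id: str) -> bytes:
        # The secret is random, not derived from the identifier: nothing to reverse.
        self._secrets[device_id] = secrets.token_bytes(32)
        return self._secrets[device_id]

    def verify(self, device_id, path, ts, nonce, tag, now=None) -> bool:
        now = time.time() if now is None else now
        secret = self._secrets.get(device_id)
        if secret is None or abs(now - ts) > MAX_SKEW:
            return False
        expected = sign(secret, device_id, path, ts, nonce)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False
        if (device_id, nonce) in self._seen:
            return False  # replayed request
        self._seen.add((device_id, nonce))
        return True

def demo():
    reg = DeviceRegistry()
    dev = "constructed-device-0001"  # constructed sample identifier
    secret = reg.register(dev)
    ts, nonce = 1_700_000_000, secrets.token_hex(8)
    tag = sign(secret, dev, "/profile", ts, nonce)
    ok = reg.verify(dev, "/profile", ts, nonce, tag, now=ts)
    replay = reg.verify(dev, "/profile", ts, nonce, tag, now=ts)
    # Knowing only the identifier, a caller cannot produce a valid tag.
    guess = sign(b"not-the-secret", dev, "/profile", ts, "n2")
    forged = reg.verify(dev, "/profile", ts, "n2", guess, now=ts)
    return ok, replay, forged

print(demo())
```

The secret still has to reach the device and travel over a channel whose certificate is actually validated, which is the gap the v1.7.6 finding describes.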
Filed Under: leaks, privacy, smart sheriff, south korea, spyware
Companies: citizen lab
Reader Comments
1984 wasn't built overnight, was it?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
'Not our problem, now pick up that can'
If 'No', then obviously the government isn't going to care. It's not like they introduced mandatory spyware for the sake of the citizens after all.
[ link to this | view in chronology ]
Re: 'Not our problem, now pick up that can'
Right now it is a problem that happens to other people, and nothing for them to really pay attention to.
[ link to this | view in chronology ]
Re: Re: 'Not our problem, now pick up that can'
[ link to this | view in chronology ]
Oh, right!
https://www.techdirt.com/articles/20141001/11474028693/computercop-keylogging-spyware-distributed-police-federal-agents-with-your-tax-dollars.shtml
Perhaps it's time to stop putting "authority" words in software titles to mislead the public into trusting that the product is actually good.
[ link to this | view in chronology ]
Won't somebody think of the bureaucrats?
[ link to this | view in chronology ]
We revisited it again somewhat in this year's followup panel 2 weeks ago https://www.youtube.com/watch?v=XfrHPmEhR1Q
[ link to this | view in chronology ]
Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
Ha, that ID and browser session was poisoned at 4th comment! Didn't exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. -- Again, don't tell me it's not deliberate targeted censorship! By the hundredth time now, it's just not credible.
[ link to this | view in chronology ]
Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
You can't just leave your home country.
[ link to this | view in chronology ]
Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
True, I agree.
I'm not so sure that's true. I see my browser whispering to Google, Facebook, LinkedIn, et al all the time, yet I never consciously tell it to use any of them. Unless you use something like noscript, you're going to have server-side stuff going on in the background doing damned near anything.
[ link to this | view in chronology ]
Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
Also, you can OPT OUT of Google's data collection.
[ link to this | view in chronology ]
Whispering to the motherships.
How? By not using Google? Will that tell all the advertisements my browser runs to not talk to Google?
Google's data is anonymised (in theory) so I don't much care about them taking it, but I have no illusions about them taking it. They are.
[ link to this | view in chronology ]
Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
So then what you're saying is, despite the "censorship" and the "report button" and the constant pointing out by the replies from other commenters as to what an out of touch fucktard you are, you STILL can't take a hint?
[ link to this | view in chronology ]
Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
That would be the closest to a zombie apocalypse we'd get to.
[ link to this | view in chronology ]
Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
[ link to this | view in chronology ]
Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
1. I choose to use Google. I don't choose to be surveilled.
2. Google can't put me in google jail. The government can.
Also, if you're getting a poisoned cookie then good for you. You can always make your own idiot blog where you say idiot things. This is Mike's platform, and part of HIS free speech rights allows him not to host your drivel.
[ link to this | view in chronology ]
Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!
[ link to this | view in chronology ]
Nagware
> government might be overstepping its bounds a bit,
> cell phone providers were obliged to hassle parents
> about underuse of the government-approved spy app.
It seems like the best way to get around this law (especially the "nagware" part) is to just not tell the retailer you're buying the phone for your kid. Just say it's for yourself or your spouse or something, and then give it to your kid when you get home.
[ link to this | view in chronology ]
Why lock it down in storage?
I just couldn't let that pass without comment.
Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren't there to capture it, it is gone.
That's why locking down storage is more important than encrypting it in transit. They are both important, but storage is more important.
[ link to this | view in chronology ]
Re: Why lock it down in storage?
But when it's in transit, it's in the open and lots of people who're already looking for it can get it. Since computers and processes never need to sleep, they can be ever vigilant, unlike the lone burglar who needs to bang his head on one specific wall to get in.
[ link to this | view in chronology ]
South Korea is acting like Best Korea.
[ link to this | view in chronology ]