Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate

from the dysfunctional-by-design dept

A few months ago, the South Korean government strongly suggested parents load their children's cell phones up with government-approved spyware. It recommended an app called "Smart Sheriff." The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children's shoulder while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.

It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.

Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn't even live up to the government's own standards for data and information security.

Citizen Lab has uncovered a plethora of flaws that make Smart Sheriff even worse than it was when it was simply government-approved spyware.

> We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child's gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can't be bothered to arrange for its safe travel?)

What comes through as plaintext is the user's browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they're addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.

Beyond that, the software's authentication process can be decrypted by reverse engineering or decompiling the app. There's layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily-prised doors.

> The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.
>
> For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The "do something" do-goodery we see in our own legislators is echoed here. In response, a "good enough" solution is mandated, even if it's not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes -- not even the company that made the app.

> After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.

As Citizen Lab points out, the software does too much and too little, simultaneously, gathering the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children's privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.
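The device-identifier weakness Citizen Lab describes, as an added example that is not code from Smart Sheriff, MOIBA or Citizen Lab: the XOR transform, key, phone number and all function names are constructed stand-ins for "reversible obfuscation". It contrasts an identifier anyone with the client can undo against a server-issued random token that the identifier alone cannot satisfy.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for "reversible obfuscation": a fixed key shipped in the
# client and XORed over a predictable input. NOT Smart Sheriff's actual scheme.
APP_KEY = b"shipped-in-the-client"          # hypothetical constant


def obfuscated_device_id(phone_number: str) -> str:
    data = phone_number.encode()
    return bytes(b ^ APP_KEY[i % len(APP_KEY)] for i, b in enumerate(data)).hex()


def recover_input(device_id: str) -> str:
    """Anyone holding the client binary can undo the transform."""
    raw = bytes.fromhex(device_id)
    return bytes(b ^ APP_KEY[i % len(APP_KEY)] for i, b in enumerate(raw)).decode()


class TokenAuthServer:
    """Hardened sketch: the identifier only names the device; a random,
    server-issued token is the credential."""

    def __init__(self):
        self._token_hashes = {}             # device_id -> SHA-256 of token

    def enroll(self, device_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 32 random bytes, not derivable
        self._token_hashes[device_id] = hashlib.sha256(token.encode()).digest()
        return token                        # delivered once, over validated TLS

    def authenticate(self, device_id: str, token: str) -> bool:
        expected = self._token_hashes.get(device_id)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(expected, presented)   # constant-time compare


def demo():
    phone = "010-0000-0000"                 # constructed sample value
    dev_id = obfuscated_device_id(phone)
    server = TokenAuthServer()
    token = server.enroll(dev_id)
    return {
        "id_reverses_to_input": recover_input(dev_id) == phone,
        "id_alone_accepted": server.authenticate(dev_id, ""),
        "id_with_token_accepted": server.authenticate(dev_id, token),
    }


if __name__ == "__main__":
    print(demo())
```

The token only helps if it travels over a connection whose certificate is actually validated, which is the gap the v1.7.6 update is reported to leave open.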

Filed Under: leaks, privacy, smart sheriff, south korea, spyware
Companies: citizen lab


Reader Comments

  1. Ninja, 22 Sep 2015 @ 7:52am

    > On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.

    1984 wasn't built overnight, was it?

  2. That One Guy, 22 Sep 2015 @ 7:54am

    'Not our problem, now pick up that can'

    Do the security flaws affect government security, such that the citizens might be able to find out details of the private lives and/or dealings of government employees?

    If 'No', then obviously the government isn't going to care. It's not like they introduced mandatory spyware for the sake of the citizens after all.

  3. Violynne, 22 Sep 2015 @ 9:08am

    Smart Sheriff. Hmm. Why does this sound so familiar, a government agency promoting flawed software.

    Oh, right!
    https://www.techdirt.com/articles/20141001/11474028693/computercop-keylogging-spyware-distributed-police-federal-agents-with-your-tax-dollars.shtml

    Perhaps it's time to stop putting "authority" words in software title to mislead the public's trust the product is actually good.

  4. Anonymous Coward, 22 Sep 2015 @ 9:57am

    Won't somebody think of the bureaucrats?

    They've got to eat!

  5. Andrew, 22 Sep 2015 @ 10:01am

    There was the same issue with ComputerCop as Violynne pointed out, even down to the claims put out by law enforcement (as you can see in this video where the EFF first revealed the issue while showing some of the footage - https://youtu.be/RRDhuHBk3gY?t=2m12s)

    We revisited it again somewhat in this year's followup panel 2 weeks ago https://www.youtube.com/watch?v=XfrHPmEhR1Q

  6. Derek, 22 Sep 2015 @ 10:05am

    Re: 'Not our problem, now pick up that can'

    It would only 'be a problem' if someone posted all the browsing history of some politician's kids. Then you might actually see some action.

    Right now it is a problem that happens to other people, and nothing for them to really pay attention to.

  7. Anonymous Coward, 22 Sep 2015 @ 10:19am (This comment has been flagged by the community.)

    Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    You're acclimated to that, barely notice, and when pointed out, just resent that! Fact is, government and corporations don't care beans about YOU or children. They gain power by taking your privacy, and the end goal is that you have zero privacy, so this is probably a plus. Just lie back and enjoy being googled. (Yes, Google not directly involved here: I'm still trying to get you lurbles to see the big pitcher of the total surveillance state that you're not opposing -- unless it stops anyone from viewing porn!)


    Ha, that ID and browser session was poisoned at 4th comment! Didn't exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. -- Again, don't tell me it's not deliberate targeted censorship! By the hundredth time now, it's just not credible.

  8. Derek, 22 Sep 2015 @ 10:47am

    Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    There is a big difference between voluntarily giving Google or Facebook data, and the government (any government) just taking it. If you don't like Google, there are lots of alternatives. If you don't like Facebook, don't use it.

    You can't just leave your home country.

  9. AC Unknown, 22 Sep 2015 @ 11:00am

    Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    Seriously, OOTB, nobody is "poisoning" your ID here.

    Also, you can OPT OUT of Google's data collection.

  10. Blackfiredragon13, 22 Sep 2015 @ 11:25am

    Re: Re: 'Not our problem, now pick up that can'

    By action you mean going after the entities who posted it.

  11. Anonymous Coward, 22 Sep 2015 @ 12:06pm

    Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    > Ha, that ID and browser session was poisoned at 4th comment! Didn't exit, should have had its approved cookie and address, right? Only lasts a few minutes, like an admin noticed WHO is commenting (especially on Google Fiber!) and poisoned the ID. -- Again, don't tell me it's not deliberate targeted censorship! By the hundredth time now, it's just not credible.

    So then what you're saying is, despite the "censorship" and the "report button" and the constant pointing out by the replies from other commenters as to what an out of touch fucktard you are, you STILL can't take a hint?

  12. Ninja, 22 Sep 2015 @ 12:09pm

    Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    > unless it stops anyone from viewing porn!

    That would be the closest to a zombie apocalypse we'd get to.

  13. Anonymous Coward, 22 Sep 2015 @ 12:26pm

    Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    No one cares about your stupid conspiracy theories.

  14. btr1701, 22 Sep 2015 @ 12:31pm

    Nagware

    > And, if South Korean parents somehow felt the
    > government might be overstepping its bounds a bit,
    > cell phone providers were obliged to hassle parents
    > about underuse of the government-approved spy app.

    It seems like the best way to get around this law (especially the "nagware" part) is to just not tell the retailer you're buying the phone for your kid. Just say it's for yourself or your spouse or something, and then give it to your kid when you get home.

  15. Anonymous Coward, 22 Sep 2015 @ 1:15pm

    *gasp* Nobody could have predicted this

  16. Anonymous Coward, 22 Sep 2015 @ 1:16pm

    Government-Mandated Software Leaking Data, lol who'd of thunk it.

  17. Anonymous Coward, 22 Sep 2015 @ 1:22pm

    To fight North Korea we have to slowly become like North Korea

  18. Anonymous Coward, 22 Sep 2015 @ 1:50pm

    Why lock it down in storage?

    > Why lock it down in storage if you can't be bothered to arrange for its safe travel?

    I just couldn't let that pass without comment.

    Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren't there to capture it, it is gone.

    That's why locking down storage is more important than encrypting it in transit. They are both important, but storage is more important.

  19. PRMan, 22 Sep 2015 @ 3:47pm

    Re:

    No it was 31 years ago! I mean, basic math... ;)

  20. Anonymous Coward, 22 Sep 2015 @ 7:34pm

    What happened to (not easy to mess with filter programs, even by teenagers) to have your own policy at home? I know these exist still, they could be developed for smartphones couldn't they?

    South Korea is acting like Best Korea.

  21. Just Another Anonymous Troll, 23 Sep 2015 @ 4:52am

    Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    Sigh. That argument is a strawman, and a pretty beat up one at that.
    1. I choose to use Google. I don't choose to be surveilled.
    2. Google can't put me in google jail. The government can.

    Also, if you're getting a poisoned cookie then good for you. You can always make your own idiot blog where you say idiot things. This is Mike's platform, and part of HIS free speech rights allows him not to host your drivel.

  22. tqk, 23 Sep 2015 @ 8:01am

    Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    > There is a big difference between voluntarily giving Google or Facebook data, and the government (any government) just taking it.

    True, I agree.

    > If you don't like Google, there are lots of alternatives. If you don't like Facebook, don't use it.

    I'm not so sure that's true. I see my browser whispering to Google, Facebook, LinkedIn, et al all the time, yet I never consciously tell it to use any of them. Unless you use something like noscript, you're going to have server-side stuff going on in the background doing damned near anything.

  23. tqk, 23 Sep 2015 @ 8:06am

    Whispering to the motherships.

    > Also, you can OPT OUT of Google's data collection.

    How? By not using Google? Will that tell all the advertisements my browser runs to not talk to Google?

    Google's data is anonymised (in theory) so I don't much care about them taking it, but I have no illusions about them taking it. They are.

  24. tqk, 23 Sep 2015 @ 8:12am

    Re: Why lock it down in storage?

    > Storage is a long-term target, attackers can come raid it anytime. At least when data is in transit, if you aren't there to capture it, it is gone.

    But when it's in transit, it's in the open and lots of people who're already looking for it can get it. Since computers and processes never need to sleep, they can be ever vigilant, unlike the lone burglar who needs to bang his head on one specific wall to get in.

  25. Anonymous Coward, 23 Sep 2015 @ 6:23pm

    Re: Re: Just one tiny part of the total surveillance state that's looming! Meanwhile, you're okay with Google's spying!

    But he does allow his drivel. Witness the comment and replies to said comment.
