South Korea Shoots The (Smart) Sheriff; Pulls Support For Mandated, Severely Flawed Cellphone Spyware App

from the will-just-need-to-find-better-spyware-to-mandate dept

The South Korean government's strong suggestion that parents should install spyware on their kids' phones resulted in the official blessing of Smart Sheriff -- a program that hoovered up communications and data and sent it all back to the MOIBA mothership with a minimum of security. Citizen Lab security researchers found numerous flaws in the spy app, ranging from the unencrypted transmission (and storage) of data to the circumvention of HTTPS protections in order to check sites against blacklists.

In response to the disclosure of these vulnerabilities, the South Korean government has put the Sheriff down.

Moon Hyun-seok, a senior official at the Korea Communications Commission, told The Associated Press that "Smart Sheriff" has been removed from the Play store, Google's software marketplace, and that existing users are being asked to switch to other programs.

The government plans to shut down the service to existing users "as soon as possible," he said.

In the meantime, Smart Sheriff will continue to barely protect the vast amount of data it's been entrusted with. A follow-up report by Citizen Lab notes that, despite being notified more than 90 days ago, the developer has yet to address many of the vulnerabilities reported to it by the researchers.

A second audit of the Smart Sheriff application reveals that there are numerous unresolved security vulnerabilities that put minor children and parental users of the application at serious risk.

MOIBA, the Korean industry consortium responsible for the Smart Sheriff application, has been slow to respond to the issues raised (of which it was notified more than 90 days ago); the fixes that have been applied do not adequately or effectively address the issues, especially for users; and MOIBA has not communicated transparently to the public about Smart Sheriff’s known risks.

Citizen Lab recommended the removal of the spy app from the market, with its recommendation arriving only a day ahead of the South Korean government's official announcement. The researchers still consider the app to be highly exploitable, thanks to MOIBA's half-assed patch job. At this point -- with the app still in wide use -- the only thing not leaking information is MOIBA's PR team.

Smart Sheriff's maker, an association of South Korean mobile operators called MOIBA, declined comment.

MOIBA claims to have addressed the issues raised by Citizen Lab, but researchers point out most of the "solutions" were cosmetic. The underlying vulnerabilities remain.

Overall, while some changes have been made in response to the initial disclosure made by Citizen Lab to MOIBA, attackers still have most of the same opportunities to exploit vulnerabilities in the application as they did in previous versions. Many of the issues that were marked as high priority in the previous report, such as the lack of protections around sensitive private data, and transport security, remain effectively unaddressed.

That the government has made the move to kill the app and repeal its support is a positive step, but it's one that took place after several terrible decisions. Mandating spyware for phone users is already a problem, no matter the intent behind it. If parents want to spy on their kids' phone use, it should be up to the parents, not the government. That the government threw its weight behind an app whose developers couldn't even be bothered to implement halfway decent security measures until after researchers discovered the holes makes this even worse.

Filed Under: filters, smart sheriff, south korea, spyware, surveillance


Reader Comments

  • Anonymous Coward, 5 Nov 2015 @ 10:55am

    This is awesome news! Great example of why vulnerabilities need to be made public.

    • tqk, 6 Nov 2015 @ 2:23pm

      Re:

      Great example of why vulnerabilities need to be made public.

      Yes. I wonder if the NSA and Obama administration will learn anything from the example.

  • Mason Wheeler, 5 Nov 2015 @ 11:02am

    But did they shoot the Smart Deputy?

    • Michael, 5 Nov 2015 @ 11:17am

      Re:

      I'm pretty sure the smart deputy jumped ship from that awful developer long ago.

      • Anonymous Coward, 5 Nov 2015 @ 11:42am

        Re: Re:

        Not sure there is any such thing as a smart deputy. They all know who they are working for.

  • Ninja, 5 Nov 2015 @ 11:25am

    "Strong suggestion" was an awesome euphemism!

    I'd love to know if some kid got harmed because of their egregious security practices. This would add a lot of weight to a lot of activism out there...

  • Anonymous Coward, 5 Nov 2015 @ 11:29am

    I think that the South Koreans are MAD that someone else is peeling the data off and didn't invite them to the party and keep it hushed.

  • Anonymous Coward, 5 Nov 2015 @ 1:00pm

    keeping it in perspective

    While North Korea gets played as the perpetual bogeyman, something that virtually never gets mentioned in the US mainstream media is South Korea's sordid history as an undemocratic, totalitarian, and sometimes genocidal state. Its reality is a far cry from the sort of liberal, freedom-loving democracy that's generally presented with this US-occupied country.

    http://thediplomat.com/2014/08/south-koreas-own-history-problem/

    • tqk, 6 Nov 2015 @ 2:41pm

      Re: keeping it in perspective

      ... South Korea's sordid history as an undemocratic, totalitarian, and sometimes genocidal state.

      South Korea is a Cold War proxy puppet state of the west and is still in a state of war, and that's after surviving WWII Japanese occupation. That country has suffered through a century of crap landing on it from outside. It's not very surprising that it's since suffered under the rule of a few totalitarian dictatorships, but you've got to admit it's today a vast improvement over what it was when I was growing up. Brian Haig's "Mortal Allies" is an interesting (though fictional) take on the current situation from a modern (2002) point of view.
