S. Korea-backed app puts children at risk: reports
By Youkyung Lee and Raphael Satter, AP Tuesday, September 22, 2015, 12:00 am TWN
SEOUL -- Security researchers say they found critical weaknesses in a South Korean government-mandated child surveillance app — vulnerabilities that left the private lives of the country's youngest citizens open to hackers.
In separate reports released Sunday, Internet watchdog group Citizen Lab and German software auditing company Cure53 said they found a catalog of worrying problems with "Smart Sheriff," the most popular of more than a dozen child monitoring programs that South Korea requires for new smartphones sold to minors.
"There was literally no security at all," Cure53 director Mario Heiderich said. "We've never seen anything that fundamentally broken."
Smart Sheriff's maker, an association of South Korean mobile operators called MOIBA, acknowledged making mistakes but said it had plugged the holes flagged by researchers and was now making daily security checks.
Smart Sheriff and its fellow surveillance apps are meant to serve as electronic baby sitters, letting parents know how much time their children are spending with their phones, keeping kids off objectionable websites and even alerting parents if their children send or receive messages with words like "bully" or "pregnancy."
In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software, a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app, which is free.
Sometime afterward, Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, and Cure53, acting on a request from the Washington-based Open Technology Fund, began sifting through Smart Sheriff's code. What they found was "really, really bad," Heiderich said.
Children's phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app's 380,000 users could be compromised at once.
MOIBA says it quickly fixed the app, but every security professional the AP spoke to was skeptical.
Ryu Jong-myeong, chief executive of security firm SoTIS, said the app did now appear to be encrypting its transmissions. But he was scathing about some of the other failures uncovered by Citizen Lab, giving Smart Sheriff's server infrastructure a security rating of zero out of 10. "People who made Smart Sheriff cared nothing about protecting private data," he said.
Many smartphone applications are unsafe, leaking private data or sending or storing it in risky ways.
But Citizen Lab Director Ronald Deibert said Smart Sheriff, a government-mandated program intended to monitor the intimate moments of so many children's lives, merited special scrutiny.
Park, the law professor, said the security flaws should push the government "to revisit the whole idea of requiring a personal communication device to be equipped with software that allows another person to monitor and control that device."
Some South Korean parents may soldier on with Smart Sheriff regardless. Lee Kyung-hwa, a mother of two who leads a parents' group that endorses child surveillance, says all the app needs is an upgrade.
But Kim Kha Yeun, a general counsel at libertarian-minded Open Net Korea, predicted that the revelations would turn parents against the technology.