TORONTO – Canadian and German security researchers claim to have found a weakness in a child surveillance app that is required by law in South Korea for all new smartphones sold to minors.
In a report Sunday, researchers at Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, said they found 26 critical weaknesses in the program “Smart Sheriff,” the most popular child monitoring program in South Korea. The German software auditing company Cure53 also released a separate report Sunday detailing the same concerns.
The Smart Sheriff app, available for Android and iPhone, lets parents see how much time their children are spending on their phones and remotely block content. The program also alerts parents if their children send or receive messages with words like “bully” or “pregnancy.”
“Parents worldwide have growing concerns about their children’s use of social media and mobile devices,” Ron Deibert, director of the Citizen Lab, said in a statement Sunday. “However, this case shows precisely how good intentions can end up seriously wrong — in this case, a government-promoted parental monitoring application actually putting children at greater, rather than less, risk of harm.”
South Korea passed a law last April requiring new smartphones sold to those under the age of 18 to be equipped with child monitoring software, according to the report.
The report found that children’s phone numbers, birth dates, browsing history and other personal data were being sent unencrypted, making it easier for an attacker to steal personal information. Researchers also found weaknesses in the authentication process, meaning Smart Sheriff could easily be hacked, turned off entirely or reprogrammed to send alerts to parents.
“With little effort, these vulnerabilities could allow children to bypass parental protections, allow malicious attackers to disrupt access to every user’s device, and interfere with the operations of the service,” Collin Anderson, an independent researcher, said in a statement.
“Such failures demonstrate an inattention to children’s security from the foundation of the application, and, even more concerning, have been open for exploitation for years.”
According to the reports, several weaknesses could be exploited on a large scale, affecting thousands or all of the application’s 380,000 users at once.
Citizen Lab said it alerted the association of South Korean mobile operators that developed and operated the app, also known as MOIBA, to the problems on Aug. 3. In its report Sunday, Citizen Lab said it was unclear whether the problems identified had been corrected.
The Associated Press reported that, when contacted Friday, MOIBA said the vulnerabilities had been fixed.
Researchers were skeptical about the government-mandated program and said it should require special scrutiny as it monitors the personal moments of young South Koreans.
“This situation raises serious concerns under international human rights law, given the potential of this government-supported mobile application to compromise user privacy, and the widespread adoption of the app as a result of the government mandate,” said Sarah McKune, a senior legal adviser with the Citizen Lab.