I had first raised concerns about “Smart Sheriff” software back in May when I first heard about it, but now The Citizen Lab has investigated it more and issued a concerning report. Their press release, courtesy of a Canadian reader:
Toronto, Canada (20 September 2015) — Today, the Citizen Lab at the Munk School of Global Affairs, University of Toronto is releasing a new report, “Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.” The report details results of two independent audits of the privacy and security of Smart Sheriff, a parental monitoring application that has been promoted by the South Korean government.
The researchers found 26 vulnerabilities that could compromise the privacy and security of minors and parents who use Smart Sheriff. The audits were conducted by researchers who collaborated at the 2015 Citizen Lab Summer Institute, and by the security audit firm Cure53.
“Parents worldwide have growing concerns about their children’s use of social media and mobile devices. However, this case shows precisely how good intentions can end up seriously wrong — in this case, a government-promoted parental monitoring application actually putting children at greater, rather than less, risk of harm.” — Ron Deibert, Director of the Citizen Lab, and Professor of Political Science at the University of Toronto.
The researchers notified the developers of vulnerabilities following a responsible disclosure process, and sought to have the issues addressed in a timely fashion. As of the date of publication, it is not clear whether the problems identified have been corrected.
In April 2015, a mandate proposed by the Korean Communications Commission (KCC) came into effect requiring South Korean telecommunications operators to provide the means to block harmful content on minors’ mobile phones. While a number of applications meet the requirements, Smart Sheriff, developed by the Korean Mobile Internet Business Association (MOIBA), received promotion and financial support from the KCC. Compared to other Korean-language parental parental-monitoring applications, it is widely used (between 100- and 500 thousand users), and has received substantial publicity from the KCC.
Smart Sheriff, which is available for Android and iPhone, allows parents to remotely block content and monitor and administer applications on their child’s mobile device, as well as schedule when the phone can be used.
The researchers identified 26 security vulnerabilities in recent versions of Smart Sheriff on Android (versions 1.7.5 and under). These vulnerabilities could be used by an attacker to disable Smart Sheriff accounts, tamper with data, and steal personal information, the report explains.
Privacy and Encryption Problems
The Smart Sheriff versions analyzed by the researchers stored and transmitted user data insecurely, and did not properly implement industry-standard encryption. This insecurity makes it possible for attackers to monitor data, and impersonate both servers and apps to tamper with data.
The researchers also found that Smart Sheriff sends browsing data back to MOIBA servers, despite this functionality purportedly being disabled in May 2015 over privacy concerns.
The researchers found accounts can be registered and managed without proper validation or passwords, which could lead to the compromise and hijacking of user accounts. Attackers could even remotely disrupt some of the functions of phones that have Smart Sheriff installed. In addition, Smart Sheriff’s parental limits and controls can be easily disabled and circumvented.
The researchers found Smart Sheriff’s infrastructure is not properly maintained or protected. The servers are running outdated software, according to the report, and do not properly implement industry-standard security and encryption. In addition, the servers do not track or reject brute force attempts to collect user data or erroneous requests, which could lead to compromise of the service, and its users, at a large scale.
“The technical issues that were discovered represent fundamental failures to follow commonplace practices for protecting user information and securing the Smart Sheriff application. With little effort, these vulnerabilities could allow children to bypass parental protections, allow malicious attackers to disrupt access to every user’s device, and interfere with the operations of the service. Such failures demonstrate an inattention to children’s security from the foundation of the application, and, even more concerning, have been open for exploitation for years.” – Collin Anderson, Independent Researcher
Legal and Policy Implications
“The problems with Smart Sheriff suggest that the application does not meet the requirements for data protection and information security established under Korean law.” – Sarah McKune, Senior Legal Advisor, The Citizen Lab
“This situation raises serious concerns under international human rights law, given the potential of this government-supported mobile application to compromise user privacy, and the widespread adoption of the app as a result of the government mandate.” – Sarah McKune, Senior Legal Advisor, The Citizen Lab
What should concerned users do?
Citizen Lab is releasing this report to advise current and potential users of the Smart Sheriff application, as well as Korea’s regulators, of the security and privacy concerns so that they can make their own informed choices about their data security.
Citizen Lab contacted MOIBA and shared the technical details of these findings, and gave them 45 days to address the issues before publishing their report. On August 5, a MOIBA representative replied, and provided an initial timeline for addressing 15 of the vulnerabilities. On August 6, MOIBA released an updated version of the application (v1.7.6) that supported HTTPS. A further update (v1.7.7) released on August 25 claimed to address additional vulnerabilities. However, the Citizen Lab researchers note that as of September 20, 2015, they had not independently verified whether the problems had been fixed.
The research team urges caution against further public use and promotion of the application until an independent and thorough audit of Smart Sheriff can be conducted.