Security researchers say they found critical vulnerabilities in a South Korean government-mandated child surveillance app that left users’ personal information an open target for hackers.
Internet watchdog group Citizen Lab and Cure53, a German software auditing firm, report that “Smart Sheriff,” the most popular of more than a dozen child monitoring apps required for new smartphones sold to minors in South Korea, was full of security holes.
“There was literally no security at all,” Cure53 director Mario Heiderich told AP. “We’ve never seen anything that fundamentally broken.”
The surveillance apps are required by the government to serve as electronic babysitters, by enabling parents to know how much time their children are spending with their phones, and what they are doing on them. The app can also alert parents when children send or receive messages containing words such as “bully” or “pregnancy.”
According to AP:
Children’s phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands — or even all — of the app’s 380,000 users could be compromised at once.
“Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited,” said Collin Anderson, an independent researcher who collaborated with Citizen Lab on its report.
Citizen Lab said it alerted MOIBA, the association of South Korean mobile operators that developed and operated the app, to the problems on Aug. 3. When contacted Friday, MOIBA said the vulnerabilities had been fixed.
“As soon as we received the email in August, we immediately took action,” said Noh Yong-lae, a manager in charge of the Smart Sheriff app.
The researchers were skeptical.
“We suspect that very little of these measures taken actually remedy issues that we’ve flagged in the report,” Anderson said, adding that he believed at least one of MOIBA’s fixes had opened a new weakness in the program.
You can read the entire AP report here.