In South Korea, a child-monitoring app is raising security concerns. Why?
A government-backed app called Smart Sheriff, which is now required on all smartphones sold to minors, is highly vulnerable to hacking, two new reports say.
In many countries, apps that let parents track how their children use smartphones are regarded as a parenting tool that can prevent bullying or a method of tracking what kids do online.
But in South Korea, a leading platform endorsed by the government called Smart Sheriff has critical security weaknesses, leaving personal information about parents and children vulnerable to hacking, researchers said in two reports released on Sunday.
Child-monitoring apps let parents watch over their children’s shoulders online, blocking websites they don’t want their children to see and even receiving automatic alerts when messages sent from phones with the software installed contain words like “bully” or “pregnancy.”
Korean parents and children have little choice about whether to use such software. In April, the government began requiring all smartphones sold to people 18 and under to include child-monitoring apps, as well as aggressively promoting Smart Sheriff in collaboration with local schools, the Associated Press reports.
The mandate, required by the Korean Communications Corporation and backed by a large group of mobile phone operators, who developed Smart Sheriff, can be avoided by continuing to use an older phone.
But the app’s security flaws, first identified by researchers at the University of Toronto’s Citizen Lab and German software auditing company Cure53 this summer, have raised concerns for families about how their information may be used.
Phone numbers, emails, children’s birthdates, and their web browsing history were not properly encrypted, the researchers found, meaning they could be used by a third party. Other vulnerabilities could allow a malicious actor to inject their own code into the app, the researchers noted.
There were also several design problems, which permitted children to easily bypass limits their parents had set on particular websites and transmitted improperly secured web browsing histories – which could be used by a third party – to MOIBA, the phone operators’ group which developed the app.
“Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited," Collin Anderson, an independent researcher who collaborated with Citizen Lab on its report, told The Associated Press (AP).
MOIBA told the wire service they have responded to several of the bugs identified by researchers at Citizen Lab and Cure53. But, the researchers say, few of the issues raised by the report have actually been remedied, noting that one of the developers’ fixes may have actually created a new issue with the Smart Sheriff software.
One parent who began using the app became increasingly concerned after it repeatedly sent her misleading alerts saying her sons were being bullied. After she began questioning them about each chat and text message they sent, they became angry and mistrustful, the parent, Yoon Jiwoon, told the AP.
"It's just not right for a mom to snoop on everything,” Ms. Yoon said, adding that after learning about the security concerns around the app, she plans to uninstall it.
But others say they feel the app's benefits for parents are most important. Lee Kyung-hwa, a mother of two whose Cyber Parents Union On Net endorses child surveillance, told the AP that Smart Sheriff is simply in need of an upgrade.
"If mothers feel happy thanks to the app, it is still helpful," she says.
The government’s mandate that all new smartphones carry the software has also drawn concern from watchdog groups in South Korea.
“The Decree is unconstitutional as it infringes on children’s privacy and parental rights, increases the risk of data breach, and overburdens both the business and the parents,” Open Net Korea, an activist group focused on Internet policy, said in a statement in April.
Because apps like Smart Sheriff repeatedly pass information from a minor’s phone to the app developer and then to a mobile phone company before reaching the parent, there are several points where that data can be stolen, the group says.
Beyond Korea’s child monitoring mandate, smartphone monitoring apps required by employers and used by suspicious spouses to catch their significant others cheating have also drawn concerns internationally, with some skeptics calling them “stalker apps,” the BBC reports.
In the US, the FBI has successfully prosecuted one man, fining him $500,000 for selling an app called StealthGenie which could intercept emails and texts and record phone calls, the broadcaster notes. In court, prosecutors noted that it had been marked as “undetectable” and could be used by “stalkers and domestic abusers.”
Phone-monitoring apps have also been used in more unusual ways in South Korea, such as tracking illness, reports NPR.
This summer, the government quarantined 105 people in Jangduk village in the country's south after a woman in the village was diagnosed with the MERS virus, using smartphones to track the movements of the village's residents.
The government’s health ministry told NPR it obtained the villagers’ consent before beginning to track their movements to ensure they didn’t leave the village. But under South Korean law, the government can obtain the data directly from telecommunications companies without a person’s consent in an emergency situation such as a large-scale health risk, the station reports.
Besides more Orwellian concerns about how information collected by monitoring apps can be used, the researchers argued that security failures in a government-mandated program that focused on observing children were particularly alarming.
“This is not just a fitness tracker," Ronald Deibert, Citizen Lab’s director, told the AP. "It's an application meant to satiate parents' concerns about their children's use of mobile or social media, which is in fact putting them at more risk."