New Citizen Lab Report: Are the Kids Alright?

Today, the Citizen Lab is releasing a new report entitled “Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.” South Korea is unique among all countries in having a legal mandate that requires parents whose minor children have mobile phone subscriptions to install a parental content filtering application. A powerful industry consortium, the Korean Mobile Internet Business Association (MOIBA), had just such an application, called “Smart Sheriff,” ready before the law was introduced. Smart Sheriff provided a lot more than just content filtering: it went beyond the legal mandate to allow parents to monitor their minor children’s use and receive notifications if their minor children did anything to try to disable the application.

Earlier this summer, a group of researchers who participated in the 2015 Citizen Lab Summer Institute, together with the European security company Cure53, collaborated on an independent analysis of the application. What we found was alarming: at least 26 different security vulnerabilities, including lack of industry-standard encryption, outdated software running on servers, and a lack of proper validation or passwords required to register and manage accounts. All of these represent fundamental failures to follow standard practices for protecting user information and could seriously put minor children at risk.

We engaged in a process of responsible disclosure to the manufacturers of the application, giving them 45 days to patch the vulnerabilities before we released our report. At this point, however, we are not confident that the problems have been fixed, and we are urging South Koreans to cease using the application until an independent audit can be undertaken.

The research and the report are part of a larger interest we at the Citizen Lab have in understanding the privacy and security implications of mobile applications.

Our press release is here:

The full report can be found here: