Korean Child Monitoring Applications: Insecure by Design

Nearly every day it seems, a friend asks about how to cope with a digital security risk.  Among those with the most acute concerns are parents of minor children, many of whom now carry with them mobile devices.  Parents ask how they can protect their children from inappropriate content, whether their child’s use of their mobile device exposes them to bullying, monitoring, or other threats, and what they can do to mitigate those risks.

These are legitimate concerns for which serious solutions are required.  

Unfortunately, as our new report shows, sometimes good intentions can lead to very bad outcomes — especially when bad public policy is combined with poor software design and engineering.

In April 2015, South Korea became the first country in the world to mandate that all phones registered to individuals under the age of 19 be equipped with monitoring and filtering apps that block content deemed  “harmful.”   At the time, Korea’s telecommunications regulatory body, the Korean Communications Commission (KCC), funded and promoted an app called “Smart Sheriff,” produced by the Korean Mobile Internet Business Association (MOIBA).

Followers of the Citizen Lab may remember that, in collaboration with Cure53, we published a detailed security audit of Smart Sheriff in September 2015 that found the app contained more than 26 serious security vulnerabilities.   We disclosed these vulnerabilities to MOIBA, and eventually Smart Sheriff was withdrawn from the market in November 2015.   

Our latest report, done in collaboration again with Cure53 and our colleagues at OpenNet Korea, analyzes two other  child monitoring applications produced by MOIBA, called Cyber Security Zone and Smart Dream.

To say our findings are disturbing is an understatement.

To our astonishment, our analysis of “Cyber Security Zone” found that it was actually a rebranded version of Smart Sheriff, containing many of the same privacy and security vulnerabilities we identified back in September 2015.   In other words, rather than digest our detailed security audit and start from scratch with proper engineering design principles in mind, MOIBA simply changed the name and slapped on a new logo!

Smart Dream, also produced by MOIBA, is an application that allows concerned parents to monitor their children’s messaging and online history.  What we found is that the application’s poor design actually exposes those children to numerous serious security and privacy risks.

Among the problems we identified:

  • We found both applications were susceptible to a “man-in-the-middle” attack, meaning that someone with access to any network through which the application’s communications passes could easily intercept those communications and acquire passwords, login information, and other sensitive details of children or parents using the apps.  To give you a concrete example, this could be someone with malicious intent operating the local cafe’s wifi hotspot next to the child’s school.
  • Both applications were designed with poor encryption, which means they both leak highly sensitive user data, such as phone numbers, device IDs, and dates of birth of children.
  • If an attacker knew the phone number of a user (see above) we found that they could also insert fake content, making it appear that children were visiting websites or sending messages they were not. Imagine the cyber-bullying possibilities of that vulnerability?
  • We found a security vulnerability in Smart Dream that allows an attacker to collect every single text message and search query of every minor child using the application stored on the Smart Dream server.

In short, what we found was — rather than protecting minor children —  both applications actually put minor children, and their parents, at much greater risk than had they not used the applications in the first place.  

That MOIBA knew of the security vulnerabilities of Smart Sheriff going back to our 2015 report, and simply pushed out a rebranded version containing the same flaws, is grossly irresponsible.

The fact that the applications were funded by a Korean regulatory body and promoted by a respected Korean industry group only makes matters worse. Concerned Korean parents looking to protect their children and follow a law that makes installation of these type of applications mandatory, would naturally expect to receive honest and trustworthy advice from such institutions.  Unfortunately, they were deeply misled.  

We have communicated for weeks with MOIBA about our findings, working with them to ensure that the applications’ problems are fixed. However, given MOIBA’s track record we have no expectation that MOIBA will reform itself and begin undertaking application development with best security practices from the ground up.

We are releasing our report as part of our “NetAlert” series, which includes a cartoon developed by illustrator and designer Jason Li that nicely summarizes the findings and risks and makes recommendations to parents, policymakers, and developers in both English and Korean.  

Parents who are concerned about their children’s safety while using mobile devices may decide to install applications such as these.  If they do, it is critical that they use applications that are thoroughly audited to ensure they conform to secure engineering design principles.   In other words, do not use Smart Dream, Cyber Security Zone, or any other application developed by MOIBA.

Read the report here:   https://netalert.me/safer-without.html