South Korea's Government-Mandated Child Surveillance App Smart Sheriff's Is Prone to Hacks Due to Its Weak Authentication System, Says Software Auditing Company Cure53
A mobile application called Smart Sheriff allows parents to monitor their sons and daughters' phone activities. The primary objective of the South Korea-backed surveillance app is to "block access to pornography and other offensive content online."
Associated Press reported May 15, 2015 that Smart Sheriff, along with more than a dozen monitoring applications, allows "parents to monitor how long their kids use their smartphones, how many times they use apps and which websites they visit."
"Some send a child's location data to parents and issue an alert when a child searches keywords such as 'suicide,' 'pregnancy' and 'bully' or receives messages with those words."
However, Internet watchdog group Citizen Lab and German software auditing company Cure53 reveal on Sunday that they have found problems with Smart Sheriff app.
"There was literally no security at all," says Cure53 director Mario Heiderich, US News reports Sunday. "We've never seen anything that fundamentally broken."
Smart Sheriff is considered the most popular among other monitoring apps in South Korea. Smartphones being sold to minors are required to have this monitoring app installed. Also, parents are obliged to have Smart Sheriff on their phones.
Citizen Lab and Cure53 disclose that "Smart Sheriff could be easily hijacked" because of its authentication weaknesses.
"Smart Sheriff is the kind of baby sitter that leaves the doors unlocked and throws a party where everyone is invited," says Collin Anderson, a researcher who teamed up with Citizen Lab.
Citizen Lab notified the developers and operators of Smart Sheriff in August about the problems with the app. MOIBA, the association of South Korean mobile operators, says "they immediately took action" on the matter, as per Smart Sheriff app manager-in-charge Noh Yong Lae.
On the other hand, researchers reportedly were "skeptical" on MOIBA's claim.
"We suspect that very little of these measures taken actually remedy issues that we've flagged in the report," says Anderson.
Security firm SoTIS chief executive Ryu Jong Myeong gives Smart Sheriff a security rating of zero.
"People who made Smart Sheriff cared nothing about protecting private data," he says.
Also, Kwon Seok Chul, chief executive of computer security firm Cuvepia Inc., says "[the door] stays open" for hackers which will put "the children's data at risk."