This report is Part 2 of a series on Korean child monitoring and filtering apps.
Part 2: The Kids are Still at Risk: Update to Citizen Lab’s “Are the Kids Alright?” Smart Sheriff report
Part 3: Safer Without: Korean Child Monitoring and Filtering Apps
Part 4: Still Safer Without: Another look at Korean Child Monitoring and Filtering Apps
Summary
- A second audit of the Smart Sheriff application reveals that there are numerous unresolved security vulnerabilities that put minor children and parental users of the application at serious risk.
- MOIBA, the Korean industry consortium responsible for the Smart Sheriff application, has been slow to respond to the issues raised (of which it was notified more than 90 days ago); the fixes that have been applied do not adequately or effectively address the issues, especially for users; and MOIBA has not communicated transparently to the public about Smart Sheriff’s known risks.
- The Citizen Lab recommends immediate withdrawal of Smart Sheriff from the public market, and that existing users discontinue their use of the application.
NOTE: On October 31, 2015, Citizen Lab learned that MOIBA removed the Smart Sheriff application from the Google Play Store. However, the Smart Sheriff API remains available and therefore constitutes a continued security risk to users. Additionally, MOIBA appears to have republished Smart Sheriff under another name (사이버안심존 – translated as “Cyber Safety Zone”) on the Google Play store. A brief inspection of version 1.7.8 indicates that, beyond cosmetic changes, the application is functionally the same as Smart Sheriff 1.7.7 – which we analyze here. This new program inherits all the same security concerns as the original application.
UPDATE (November 6, 2015): On November 4 2015, MOIBA released a statement explaining that since October, South Korean telecommunication companies have begun to provide Internet filtering software to users for free, and to avoid overlap with these companies Smart Sheriff will no longer be available for new users beginning on November 1 2015. Existing users will be transferred to filtering applications provided by South Korea Telecom, Korea Telecom, or LGU+. This statement makes no reference to the security issues we disclosed and presents the concern of not competing with the free applications as the the motivation for pulling Smart Sheriff from the market. This statement shows MOIBA is not being transparent with its users and the Korean public. We urge the providers of the alternative applications to ensure their products are secure and follow transparent and accountable processes with their users.
Background
On 20 September 2015, the Citizen Lab at the Munk School of Global Affairs, University of Toronto, released a report, “Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.” The report detailed results of two independent audits of the privacy and security problems of Smart Sheriff, a parental monitoring application promoted by the South Korean government. In total, 26 security vulnerabilities that could compromise the privacy and security of minors and parents who use the Smart Sheriff application were found in the audits conducted by the Citizen Lab and Cure53, a German-based security audit firm. The vulnerabilities that were identified could be used by an attacker to disable Smart Sheriff accounts, tamper with data, and steal personal information for the application’s entire user base. We also noted several legal and policy issues related to the Smart Sheriff application. Detailed technical [pdf] and legal and policy [pdf] appendices were attached to our report. The first Cure53 audit, undertaken in August 2015, can be found here [pdf].
While researching the report, we undertook a process of responsible disclosure to MOIBA, the Korean industry consortium responsible for the development of Smart Sheriff. At that time, we requested MOIBA to suspend services or offer a complete timeframe for addressing the application’s issues. MOIBA chose not to shut down the application, and assured us that the issues would be fully addressed by the end of September. The issues documented by these audits were verified by MOIBA during this process, and no part of the report was disputed. The Citizen Lab and MOIBA exchanged communications several times concerning the vulnerabilities and discussed a reasonable timetable for MOIBA to address the vulnerabilities. In multiple exchanges MOIBA disclosed that they were not the original developers of the application, and were wholly reliant on a third-party contractor for all development on Smart Sheriff, with no in-house development capacity to address Citizen Lab’s concerns.
Lacking any further correspondence from MOIBA after several attempts on our part to communicate with them, we moved forward with our publication on 20 September 2015. We noted that “MOIBA has not fully apprised us of the manner in which the vulnerabilities were addressed.” We also urged “caution against further public use and promotion of the application until an independent and thorough audit of Smart Sheriff can be conducted.” In press coverage related to the release of our report, MOIBA claimed to have “immediately taken action,” creating an impression that the vulnerabilities of Smart Sheriff had been properly addressed.
The Follow-Up Audit
Cure53 undertook a second audit of the Smart Sheriff application in early October 2015. This audit looked at version 1.7.7 downloaded from Google Play. This second audit raised several very concerning findings, which overall suggest that serious problems remain with the Smart Sheriff application and call into question MOIBA’s efforts to address the vulnerabilities.
Below is a list of general risks that remain related to the Smart Sheriff application:
- If an attacker knows the mobile number of a minor they are still able to get the minor’s date of birth, a list of all apps on the minor’s phone, and all blocking rules.
- An attacker can still arbitrarily change blocking rules and registration settings on a minor’s phone, enabling an attacker to shut out access to their device.
- Attackers are still able to retrieve a parent’s Smart Sheriff application password, and the parental phone number associated with a minor’s account.
- Newer versions of Smart Sheriff implement encryption on all their API request data, but this encryption is done with a static, symmetric key. An attacker can easily find this key by decompiling the source code, rendering the protections of this encryption useless.
- Newer versions of Smart Sheriff use HTTPS to communicate with MOIBA servers, but there is still no verification of the validity of the given certificate — a problem we repeatedly raised in communications with MOIBA. This problem means that the application is still vulnerable to a “man-in-the-middle” attack, as outlined in the initial report.
Current Status of Issues Originally Identified as High Priority
| Issue Number | Issue Summary | Current Status; | Issue Still Exploitable? |
|---|---|---|---|
| 1.1 | No transport security used from app to MOIBA servers. | HTTPS was added but no certificate verification occurs rendering this fix insufficient. | Yes |
| 1.2 | Man in the middle via insecure web view. | Man-in-the-middle still possible because issue 1.1 remains. | Yes |
| 1.3 | Disclosure of user traffic in clear text. | Use of static AES key means that although user traffic is not as easy to read to casual observers, information is disclosed for any determined attacker. | Yes |
| 2.2 | Parent password disclosure. | Fixes were implemented to obscure password but these fixes can be easily circumvented. | Yes |
| 3.1 | Identification to API based on predictable identifiers. | Identifiers remain, requests are encrypted but issue 1.3 means determined attacker can still find these. | Yes |
| 3.2 | API queries don’t have authentication. | Issue remains unchanged since original report. | Yes |
| 3.3 | Arbitrary users can change protection settings. | Issue remains unchanged since original report. | Yes |
| 3.5 | Arbitrary users can claim arbitrary phone numbers. | Issue was untested. | Indeterminate |
| 3.9 | Parental control Web UI allows device control and leaks personal information. | Pages that returned PII previously now return 404. | No |
| 3.10 | Parental control web UI allows attackers to change account settings. | Pages that returned PII previously now return 404. | No |
Overall, while some changes have been made in response to the initial disclosure made by Citizen Lab to MOIBA, attackers still have most of the same opportunities to exploit vulnerabilities in the application as they did in previous versions. Many of the issues that were marked as high priority in the previous report, such as the lack of protections around sensitive private data, and transport security, remain effectively unaddressed. One of the problems successfully addressed related to vulnerabilities that allowed a minor to bypass web filtering (such as issue 2.1 referenced in our technical appendix). Systemic issues remain, such as the lack of authentication for API requests. Attempts to address other issues, such as transport security, have been poorly implemented, nullifying any security benefit.
In sum, it appears that MOIBA has attempted to address a select few of the server issues and back-end vulnerabilities that could affect its networks, but has not yet adequately addressed the vulnerabilities that directly affect the privacy and security of the users of its application.
Next Steps
Cure53’s follow-up audit, published on October 31, 2015, is here. We will be monitoring the steps MOIBA takes after the report, and whether the security issues in Smart Sheriff 1.7.7 are addressed in any updates.
Meanwhile, the Citizen Lab and Cure53 recommend immediate withdrawal of Smart Sheriff from the public market, and that existing users discontinue their use of the application.
Concluding Remarks
The Smart Sheriff case illustrates the importance of examining privacy and security around all applications, but especially those involving minor children and other users who could be considered at high risk.
It also underscores a broader public policy issue: government-mandated applications will result in a large number of users, who, in turn, will attract a large number of potential attackers. When governments mandate the use of a specific application by the general public there must be an exceptionally rigorous process of due diligence around security and privacy that is transparent and accountable to the users.
In all these respects, Smart Sheriff is a failure. MOIBA, the Korean industry consortium responsible for the Smart Sheriff application, has been slow to respond to the issues raised (of which it was notified more than 90 days ago); the fixes that have been applied do not adequately or effectively address the issues, especially for users; and MOIBA has not communicated transparently to the public about Smart Sheriff’s known risks.
Smart Sheriff should serve as a cautionary case study, as attempts to protect a vulnerable group through a mandated application have ended up actually endangering that very group. Regardless of the initial intentions of the program, after three months of study and follow-up, it is clear that a user’s security and privacy are better served by uninstalling the Smart Sheriff application than running it.