[liberationtech] New Citizen Lab Report Digital Risks to Minors from South Korea's Smart Sheriff Application
Ronald Deibert
r.deibert at utoronto.ca
Sun Sep 20 15:32:44 PDT 2015
Dear Libtech
Today, the Citizen Lab is releasing a new report, entitled: "Are the Kids Alright? Digital Risks to Minors from South Korea's Smart Sheriff Application." South Korea is unique among all countries in having a legal mandate that requires parents whose minor children have mobile phone subscriptions to install a parental content filtering application. A powerful industry consortium, the Korean Mobile Internet Business Association (MOIBA), had just such an application in hand ready prior to the law being introduced, called "Smart Sheriff." Smart Sheriff provided a lot more than just content filtering: it went beyond the legal mandate to allow parents to monitor their minor children's use and receive notifications if their minor children did anything to try and disable the application.
Earlier this summer, a group of researchers who participated at the 2015 Citizen Lab Summer Institute, as well as the European security company Cure53, got together and collaborated on an independent analysis of the application. What we found was alarming: at least 26 different security vulnerabilities, including lack of industry-standard encryption, outdated software running on servers, and a lack of proper validation or passwords required to register and manage accounts. All of these represent fundamental failures to follow standard practices for protecting user information and could seriously put minor children at risk.
We engaged in a process of responsible disclosure to the manufacturers of the application, giving them 45 days to patch the vulnerabilities before we released our report. At this point, however, we are not confident that the problems have been fixed and we are urging South Koreans to cease using the application until an independent audit can be undertaken.
The Associated Press has a breaking alert story about it here:
http://bigstory.ap.org/article/947a7b2b0b45410a8034ebb2dd041fc6/apnewsbreak-south-korea-backed-app-puts-children-risk#
As the story says, "Children's phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands — or even all — of the app's 380,000 users could be compromised at once."
Our press release is here:
https://citizenlab.org/2015/09/press-release-security-privacy-issues-in-smart-sheriff-south-korea
The full report can be found here:
https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff
Cheers
Ron
Ronald Deibert
Director, the Citizen Lab
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
twitter.com/rondeibert
r.deibert at utoronto.ca