South Korea's "Smart Sheriff" Nanny App Puts Children At Risk
Starting in April, the South Korean government required that cellphones sold to anyone below the age of 19 be equipped with approved monitoring software that would allow the user's parents to monitor their phone use, report their location, and more. Now, however, researchers have discovered that one of the most popular of the approved apps, called Smart Sheriff, may not actually be very smart to have on one's phone.
Researchers from Citizen Lab and Cure53, at the request of the Open Technology Fund, have analyzed the code of Smart Sheriff, and found that it actually endangers, rather than protects, the users. Reports the Associated Press, in a story carried by the Houston Chronicle:
Children's phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app's 380,000 users could be compromised at once.
. . . and then they won't worry about being spied on by the government later in their lives.
I find this Korean law very creepy. I think that "trust" is one of the most important aspects of the parent-child relationship. If parents need to spy on their children . . . there is a lack of trust.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
But not as bad as GMail...
* Storing most people's mail at one single company
* That company making its money from sifting through the contents of the email
* That company being based in the US
* The US doing its best to be a dick about privacy
Now THAT is a proper train-wreck waiting to happen.
There will always be shoddy code that makes it into apps, though this is pretty awful and unacceptable. I'm also really troubled by the government mandate that such a program be installed on children's phones. Shouldn't it be up to the parents if they want this level of monitoring or not? Also, can't this be implemented by wireless carriers in a secure fashion by monitoring traffic from the device instead of apps on the phone? Surely such a thing would be more secure and probably a lot harder to circumvent. Why is the government of South Korea turning into a nanny state and requiring something that should be solely the decision of the parents?
The question as always is, who profits?
Follow the money spent on this crapp and you'll know the 'why' of it.
blindly antisocialist = antisocial
When will people start to realize that all of the shit they do because they think it will solve one technology problem usually creates another one?
If you start putting in an app to track your children and monitor what they do ... any exploit in that is going to have really bad results. And your band-aid solution slapped together is always going to have exploits. If you poke holes in encryption for law enforcement, law enforcement will never be the only ones who can exploit those holes.
As long as corporations aren't under any legal standard for encryption and security and bear no penalty for doing a bad job, this will always happen. Because they write the stuff which looks cool in a demo, and they may or may not ever get around to realizing they've been totally inept at security. And if they do realize they've been inept at security, they're likely to do nothing.
Almost without fail, these schemes of "won't someone think of the children" or "yarg, teh terrorists" end up with stupid solutions being implemented by people without a clue. And almost without fail someone loudly says "this has huge holes and issues in it and won't work".
And almost without fail, this proves to be true.
So, this is unfortunate. But, it's also something which was pretty much 100% predictable as something doomed to fail ... because the people demanding it, and the people implementing it are seldom aware of, or qualified to deal with, the security holes created by shit like this.
This was kind of inevitable from the start.
If you institute something to track your children under the guise of protecting your children ... you better be damned sure you're doing it to the highest possible standard. Otherwise, all you're doing is creating the situations where you're going to make this information available to someone else.
Lost at C:>. Found at C.