Back in April, South Korea required that wireless carriers install parental control apps on kids’ phones to prevent young ones from seeing naughty content. It sounded wise to officials at the time, but it now looks like that cure is worse than the disease. Researchers at the University of Toronto’s Citizen Lab have discovered 26 security holes in Smart Sheriff, the most popular of these mandatory parental apps. The software has weak authentication, sends a lot of data without encryption and relies on servers using outdated, vulnerable code. It wouldn’t be hard for an intruder to hijack the parent’s account, intercept communications or even scoop up the kids’ personal details. The worst part? Some of these vulnerabilities apply on a large scale, so a particularly sinister attacker could compromise hundreds of thousands of phones at once.
Citizen Lab was quick to notify the South Korean carrier association (MOIBA) that developed the app, and the group claims that the flaws have already been fixed. However, the discoverers aren’t buying that line. They believe that “very little” has been resolved, and that one of the fixes may have created a new hole. Oops. No matter what the scoop is, the findings underscore the risks involved in demanding that providers bundle apps — exploits that normally have a limited impact quickly turn into major issues.
[Image credit: AP Photo/Ahn Young-joon]
Source: Citizen Lab