Smart Sheriff is not as smart as it says it is

Sep 22, 2015 00:32 GMT

A joint security audit by researchers at Citizen Lab and Cure53 has discovered 26 security vulnerabilities in the recent versions of Smart Sheriff, an application used by parents in South Korea to monitor how kids use their phones.

According to the research, Smart Sheriff versions 1.7.5 or higher are vulnerable, and any attacker could easily exploit them to gain control over accounts, disable the parental control features, and even steal personal information.

Smart Sheriff is the most used parental control application in South Korea

Government officials mandated in April this year that mobile operators provide a way for parents to block harmful and adult content from reaching their kids' smartphones, along with a way to be notified whenever the child disables the parental control system.

For this, the Korean Mobile Internet Business Association (MOIBA), a conglomerate of mobile telcos and phone manufacturers, released Smart Sheriff and then heavily advertised it among the country's parents, managing to reach around 500,000 installations.

The Korean Communications Commission (KCC) also backed the application, contributing $2.7 million / €2.4 million in funding.

Smart Sheriff was eventually released to much fanfare, for both Android and iPhone, allowing parents to decide what to block on their children's phones, and the time interval in which the device can be used.

Smart Sheriff is plagued by a series of problems

After concluding their research, security experts warn that Smart Sheriff does not process personally identifiable information in a secure manner, storing and transmitting it in a way that would allow an attacker to intercept it.

Additionally, malicious code can be injected into the application, allowing hackers to run unauthorized operations. What's even worse, accounts can also be registered and managed without any type of advanced validation or passwords.

The app also comes with some design flaws that allow parent-set limits to be circumvented, and even transmits Web browsing history to MOIBA servers in an insecure manner that favors easy interception by third parties.

Citizen Lab researchers also analyzed Smart Sheriff's underlying infrastructure, finding that the whole thing sits on a pile of matchsticks, running on an outdated and unpatched backend, vulnerable to basic brute-force attacks.

Citizen Lab and Cure53 notified MOIBA on August 3 of their findings, but did not mention in their report if any of them were fixed at the time of its publication.