In April, the South Korean government insisted that smartphones owned by children must have software that protects the innocent little snowflakes from looking at stuff online that might harm them or steal their personal information.
Now it seems sloppy programming means the cure is even more of a threat.
Canadian internet watchers Citizen Lab and researchers at German security firm Cure53 analyzed "Smart Sheriff," software created by the Korean Mobile Internet Business Association (MOIBA) to fit the government mandate, and found security blunders that make Windows 98 look like a paragon of secure coding.
"The Smart Sheriff app was written without any security in mind. The connected API services are architectured and implemented in similarly horrendous ways, allowing trivial exposure of passwords and other highly sensitive user data," reads Cure53's report [PDF].
"Given the level of vulnerability this app exposes, combined with the extremely high numbers of its users, it needs to be considered that at least some of the issues published in this report must have started to be actively exploited by now."
The analysis showed that the app was storing users' personal information in plain text on the device, and sending it back to the software's servers unencrypted. In addition, poor authentication makes it easy for an attacker to harvest this information, impersonate the Smart Sheriff servers, and inject code into handsets running the software.
Breaking into the application proved surprisingly easy. The software appears to have no brute-force detection at all, allowing the researchers to bombard Smart Sheriff with thousands of login attempts until one worked.
Data stored on the device isn't protected by the application itself, which instead relies on the data protection built into post-Lollipop builds of Android (5.0 and later). But, as we've seen in the last few months, that protection too has proved vulnerable to attack.
In all, the team found 26 serious security vulnerabilities in the software that South Korea's kids are using. The researchers reported the problems to MOIBA, and so far 20 have been patched. But given that the software cost $2.7m to develop, it appears that everyone using it is still getting a very raw deal.
According to the study, Smart Sheriff's data protection is so poor that it actually violates South Korea's Personal Information Protection Act (PIPA). The software also doesn't live up to MOIBA's own claims of having advanced data protection in place.
"Smart Sheriff exemplifies the risks inherent in government-mandated monitoring applications," Citizen Lab's report concludes.
"The application's design suffers from serious security flaws and appears to have been insufficiently checked for vulnerabilities, yet users have little choice in adopting and continuing to use the software. Indeed, this technology was popularized throughout the country through government regulation, exposing potentially hundreds of thousands of users to digital security compromise." ®