DOCSLIB.ORG

Security and Privacy Risks of Parental Control Solutions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security and Privacy Risks of Parental Control Solutions Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions Suzan Ali Mounir Elgharabawy Quentin Duchaussoy [email protected] [email protected] [email protected] Concordia University Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada Montreal, Quebec, Canada Mohammad Mannan Amr Youssef [email protected] [email protected] Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada ABSTRACT Conference (ACSAC 2020), December 7–11, 2020, Austin, USA. ACM, New For parents of young children and adolescents, the digital age has in- York, NY, USA, 15 pages. https://doi.org/10.1145/3427228.3427287 troduced many new challenges, including excessive screen time, in- appropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental 1 INTRODUCTION control solutions on different platforms, including parental con- Many of today’s children cannot imagine their daily lives without trol network devices (e.g., WiFi routers) and software applications internet. A recent survey [66] shows that 42% of US children (4–14 on mobile devices and laptops. While these parental control solu- years) spend over 30 hours a week on their phones; nearly 70% of tions may help digital parenting, they may also introduce serious parents think that such use has a positive effect on their children’s security and privacy risks to children and parents, due to their development [66]. While the web could be an excellent environment elevated privileges and having access to a significant amount of for learning and socializing, there is also a plethora of online content privacy-sensitive data. In this paper, we present an experimental that can be seriously damaging to children. In addition, children are framework for systematically evaluating security and privacy is- by nature vulnerable to online exploitation and other risk effects sues in parental control software and hardware solutions. Using the of online social networking, including cyber-bullying and even developed framework, we provide the first comprehensive study cyber-crimes (see e.g., [3, 20]); the current COVID-19 pandemic has of parental control tools on multiple platforms including network only increased these risks (see e.g., [73]). devices, Windows applications, Chrome extensions and Android To provide a safe, controlled internet experience, many parents apps. Our analysis uncovers pervasive security and privacy issues and school administrators rely on parental control solutions that that can lead to leakage of private information, and/or allow an are easily accessible either for free, or for a relatively cheap price. adversary to fully control the parental control solution, and thereby From recent surveys in the US, some forms of parental control may directly aid cyberbullying and cyber predators. apps/services are used by 26–39% of parents [17, 53], indicating a growing adoption of these solutions. Such solutions are also recom- CCS CONCEPTS mended by government agencies, e.g., US FTC [31] and UK Council • Security and privacy ! Systems security. for Child Internet Safety (UKCCIS) [72], despite their limited ef- fectiveness (cf. EU commissioned benchmark at: sipbench.eu), and KEYWORDS questionable morality since they, arguably, can act as surveillance tools [79]. This ethical/moral debate is outside the scope of our Parental control network devices, Android apps, Windows applica- work. arXiv:2012.06502v1 [cs.CR] 11 Dec 2020 tions, Web extensions, Privacy, Security On the other hand, over the past few years, many attacks tar- ACM Reference Format: geted parental control solutions, exposing monitored children’s Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, data, sometimes at a large scale [46, 54]. Aside from endanger- and Amr Youssef. 2020. Betrayed by the Guardian: Security and Privacy Risks ing children’s safety (online and in the real-world), such leaked of Parental Control Solutions. In Annual Computer Security Applications children’s personal data may be sold by criminals (cf. [81]). Re- cent reports also revealed several security and privacy issues in Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed the analyzed parental control solutions [4, 28, 77]. However, such for profit or commercial advantage and that copies bear this notice and the full citation analysis was limited to the privacy of Android apps, and only one on the first page. Copyrights for components of this work owned by others than the network device, even though popular parental control solutions author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission are used across different platforms: mobile and desktop OSes, web and/or a fee. Request permissions from [email protected]. extensions, and network devices. Note that, unlike other vulnerable ACSAC 2020, December 7–11, 2020, Austin, USA products (e.g., buggy gaming apps [78]), or non-complaint products © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-8858-0/20/12...$15.00 (e.g., Android apps for children [62]), which can be removed when https://doi.org/10.1145/3427228.3427287 such concerns are known, parental control solutions are deemed ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al. essential by many parents and schools, and thus are not expected (Kidswatch) completely lacks HTTPS, and communicates with to be removed due to the lack of better alternatives. the backend server via HTTP. We undertake the first comprehensive study to analyze differ- • 2/10 Chrome extensions and 4/13 Android solutions transmit ent types of parental control hardware and software solutions. We the full URLs from the browser to their server, possibly leaking design a set of security and privacy tests, and systematically ana- sensitive (session) information. lyze popular representative parental control solutions available in As part of responsible disclosure, we contacted the developers network devices, Windows and Android OSes, and Chrome exten- of the solutions we analyzed, and shared our findings, including sions. While developing our comprehensive analysis framework for proof-of-concept scenarios and possible fixes. Two months after solutions in multiple platforms, we faced several challenges. Most disclosure, only ten companies responded, seven custom and three parental control solutions implement various techniques that hin- automatic replies. Blocksi, KoalaSafe, MMGuardian, KidsPlace, Fam- der traffic analysis (e.g., VPNs, SSLpinning and custom protocols). iSafe, and FamilyTime responded that they are investigating the The use of proprietary firmware and code obfuscation techniques issues. Kidoz responded that some of our reported issues are on their also poses challenges for static analysis. Understanding long-term fixing backlog, and acknowledged the new vulnerabilities. Other behaviors of these solutions by running them for hours/days in a re- vendors either sent automatic/ambiguous response, or no response alistic way (e.g., triggering all their features), is also time consuming at all. Notable changes after the disclosure: MMGuardian depre- (compared to simple, automated UI fuzzing). cated their custom browser; FamiSafe fixed the Firebase database Contributions. Our contributions can be summarized as follows. security issue; and FamilyTime enabled HSTS on their server. (i) We developed an experimental framework for systematically evaluating security and privacy issues in parental control software and hardware solutions. (ii) We utilized this framework to conduct 2 RELATED WORK the first comprehensive study of parental control tools on multiple In this section, we first list a few example cases from real-world platforms, including 8 network devices, 8 Windows applications, data breaches involving parental control tools, and then summarize 10 Chrome extensions, and 29 Android apps representing 13 An- related academic studies (mostly privacy analyses of Android apps). droid solutions grouped by vendor.1 The in-depth analysis aims to Over the past years, several parental control tools have made the inspect the apps’ web traffic for personally identifiable information news for security and privacy breaches. The teen-monitoring app (PII) leakage, insecure API endpoints authentication, potential vul- TeenSafe leaked thousands of children’s Apple IDs, email addresses nerabilities, and the presence of third-parties and known trackers. and passwords [46]. Family Orbit exposed nearly 281 GB of chil- (iii) Our analysis reveals 135 vulnerabilities among the solutions dren data from an unsecured cloud server [54]. In 2019, a privacy tested and highlights that the majority of solutions broadly fail to flaw in Kaspersky anti-virus and parental control application was adequately preserve the security and privacy of their users—both found [24]. This application included a script to perform content children and parents. checking on each page intercepted by a TLS proxy. However, some Notable findings and disclosure. Our notable findings include: unique IDs were also included in the process, allowing the web- • The Blocksi parental control router allows remote command site to track the
Load more

Recommended publications
  • Parental Controls 1
    Parental Controls 1 Begin as you mean to go. You can introduce parental software controls to a younger child with more ease than to a teenager. Getting your child used to the idea that the tablet goes off, the video goes off, the TV goes off at certain times is extremely attractive. And with parental control software, you can do just that. Parental controls are usually included in most devices, such as your computer, tablet and smartphone. You need to dive into those settings and dig around to see what features are available to you. If you are based in Europe, the European Commission maintains a website called SipBench.eu which provides benchmarking analysis of parental control software. The findings are available in several European languages and identify the prices, technical requirements, operating system and age of the children to be protected. It is a handy background resource to get you started with parental controls. If you know of other parental control software tools that should be added to this list, please write to me at [email protected] so I can investigate and incorporate them into this resource sheet. Thank you for being a part of our Digital Parenting Community. www.digitalparentingcoach.com 2 Before signing up for parental control software • Read this article from Common Sense Media to help you make sense of the different types of parental control systems. • Confirm that your parental control software will allow you, at the very least, to set screen limits, filter content, block ads, and monitor your child’s online activities.
    [Show full text]
  • Operations Manual
    Operations Manual Français p. 63 Español p. 127 Wii U System Manuals The official seal is your assurance that this product is licensed or manufactured by Nintendo. Always look for this seal when buying video game systems, accessories, Types of Manuals games and related products. Printed manuals • Wii U Quick Start Guide This guide covers the basic information for setting up and using your Wii U system. Please carefully read this Operations Manual before setup or use of the Wii U™ system. If • Wii U Operations Manual (this manual) you have problems or questions after reading all of the instructions, please visit our This manual gives the names of each component and describes how to recharge the customer service area at support.nintendo.com or call 1-800-255-3700. Also, additional controller, configure System Settings, and perform various procedures. It also provides pre-installed electronic manuals are available for the Wii U system and software applications troubleshooting and support information. from the HOME Menu, as described on the next page. Pre-installed electronic manuals • Wii U Electronic Manual ( ) This manual describes the Wii U features and gives detailed instructions on how to use the pre installed software, how to launch the Wii™ menu, and other operations. • Wii Menu Electronic Manual This manual describes the Wii Menu features and gives detailed instructions on how to use the included software. Viewing an Electronic Manual When the Wii U Menu is displayed, press on the Wii U™ GamePad to open the HOME Menu, then tap to open the Wii U Electronic Manual.
    [Show full text]
  • Parental Security Control
    IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 2 Issue 10, October 2015. www.ijiset.com ISSN 2348 – 7968 Parental Security Control Monali Shirbhate, Mitali Tiwari, Supriya Raut and Dolly Kumbhalkar 1Asst Prof, Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India 2 Students of Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India 3 Students of Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India 4 Students of Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India Abstract devices, and your home network. Parents, educators, This project describes an android application for parental social scientists, media pundits, and many others all offer security Control which will help the parents to monitor the their opinions, but rarely is any consensus reached. activities done on their children’s smart phones. Now-a-days a Parental controls are features which may be included lot of misuse is done on smart-phones operating android by in digital television services, computer and video recent generation. To control this misuse we are developing this games, mobile devices and software. Parental controls are application which will be installed on child’s smart phone by divided into four categories: contents filters (which limit parents. There is some feature which we will provide like Create and maintain log of calls, Record call, Create and maintain log of access to age inappropriate content), usage controls message, Record messages, Record the history of websites (which constrain the usage of these devices such as browsed. This entire detail is maintained and recorded by our placing time-limits on usage or forbidding certain types of application file in background.
    [Show full text]
  • Parental Control Guides 10/2020
    Parental Control Guides Revised 10/2020 Resources for Parents Tips for Parenting with Technology • Pick a strategy • Communicate clearly • Set the rules • Expect some challenges • Be consistent as possible Common Limitations for Tech Use • Limit screen time (e.g., 2 hours/day) • Never on weekdays • After homework is done • Educational games/work only How to Establish Rules • Important to establish clear rules from the beginning • If possible, involve your children in the rule-making process. • Frame rules in the positive Setting Rules for Multiple Children • Establish ground rules appropriate to the age of each child • Community tech time: take turns between siblings within a window of time • Alternatively, “homework time” for other siblings while one has access to the screen. • Be flexible in establishing the rules and firm in enforcing them Common Challenges • Visiting friends: contact parents of the other child to discuss tech use • Multiple children: the simpler the better! Blocks of time (community tech time, homework time) tend to be easier to implement than several different strategies • Not sure whether to allow certain games? Watch your child play the games, ask questions, to determine what’s right for them. • Mistakes happen, but if your child gets a free night expect some push-back the next time you enforce the rules! Consistency • Consistency is key! The more predictable the rules and consequences are, the less likely your child will be to argue about them. 1 Parental Control Guides Revised 10/2020 TABLE OF CONTENTS SECTION
    [Show full text]
  • Parental Controls: Safer Internet Solutions Or New Pitfalls?
    This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. Parental Controls: Safer Internet Solutions or New Pitfalls? Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, and Amr Youssef | Concordia University Parental-control solutions often require dangerous privileges to function. We analyzed privacy/security risks of popular solutions and found that many leak personal information and are vulnerable to attacks, betraying the trust of parents and children. any children are now as connected to the Inter- operate, such as mobile device administration/man- M net as adults are, if not more. The Internet agement capabilities, Transport Layer Security (TLS) provides an important avenue for education, entertain- interception, access to browsing data, and control over ment, and social connection for children. However, the the network traffic. In addition, they also collect a lot dark sides are also significant: Children are by nature of sensitive user data, such as voice, video, location, vulnerable to online exploitation, Internet addiction, messages, and social media activities. Thus, design and and other negative effects of online social network- implementation flaws in these solutions can lead to seri- ing, including cyberbullying and even cybercrimes. To ous privacy leakage and online and real-world security provide a safe Internet experience, many parents rely and safety issues. on parental-control solutions, which are also recom- To better understand the privacy and security mended by government agencies, including the U.S. implications of parental-control solutions, we designed Federal Trade Commission (FTC) and the U.K.
    [Show full text]
  • APPLE Vs. ANDROID Apple Has Built in Some Parental Controls in The
    APPLE vs. ANDROID Apple has built in some parental controls in the actual iOS phones system (i.e. ability to set restrictions on what apps can be downloaded or what websites can be visited, settings passcodes to prevent kids from circumventing restrictions you set, syncing your phone and your children’s iPhones/Apple devices together by putting them on the same Apple account, keeping track of child’s location, etc.). Basically, Apple gives you boxed control over your Apple devices with your Apple account. Android does not have those built in features, so some people feel it’s harder for parents to monitor their teens Android devices; however, you can upload apps to your child’s Android device to make it more secure and to let you have control over the device like an Apple device would, you just have to download them. The recommendations I have seen have all recommended downloading a monitoring device such as Disney Cirlce or Mobicip, as we discussed in the training. But specifically, I saw strong recommendations for the use of Net Nanny, Norton Family Premier and Kaspersky Safe Kids. Tom’s Guide recommends these for the level of control they provide to parents of kids with Android devices and says that each product “offer different levels of control, but for the most part you can expect to impose time limits (including a curfew when it's time for your child to go to bed), block individual callers and texters, quickly revise app usage and — most important — get reports on how your child is using the phone.” In addition, Google has also recently introduced Family Link which gives parents more control over their child’s Android devices – screen time, time of day controls, and apps downloads.
    [Show full text]
  • Parental Protection on Games Consoles As a Parent, It's Not Always Easy to Keep an Eye on Your Children's Time Spent with Entertainment Devices
    Parental Protection on Games Consoles As a parent, it's not always easy to keep an eye on your children's time spent with entertainment devices. The Nintendo Switch Parental Controls smart device app is a free smart device app which you can link with Nintendo Switch to easily monitor what and how your children are playing. If you do not have a smart device you can also set certain restrictions on Nintendo Switch directly. Monitor your child’s gameplay time. In the Nintendo Switch Parental Controls smart device app, you can set a time limit for how long your child is allowed to play. When it’s time, an alarm will be triggered on Nintendo Switch to let them know their play time is up. In the Nintendo Switch Parental Controls smart device app, you can also comfortably monitor whether your children are keeping to the set time or not. By using the "Suspend Software" feature, you can set it so that the game turns off automatically when your child’s gameplay time is up. Monitor what your child is playing. There's even a function in the Nintendo Switch Parental Controls smart device app where you can see a report of which video games your child has been playing, and for how long. In addition to seeing what your children have been playing daily, you can also receive a monthly play report of your child from the Nintendo Switch Parental Controls smart device app. At a glance, you can see what kind of games your children are interested in.
    [Show full text]
  • Third Party Parental Controls
    Staying Safe Online Parental Controls on BT Third Party Parental BT Parental Control allows you to manage internet access on all Controls Home Internet devices connected to your BT Home Hub and BT Wi-Fi hotspots. Most UK Broadband providers offer free ‘whole-home parental This service is available for free and includes an option of Strict, You may decide to use a dedicated parental control solution to controls’ which apply to any device connected to your Moderate and Light filters. You are also given an option to block inappropriate content. broadband. restrict specific websites and set a Homework Time which blocks If you already have a security software package on your These controls only work on your Wi-Fi network, not when you social media, gaming and homework cheat sites. computer, check whether it includes Parental Control. You may are using 3G or 4G data. (See next page for Parental controls on mobile devices.) To find out more: BT Parental Controls not need a third party one. Some are free, but most will cost you an annual subscription. Sky TalkTalk McAfee Family Sky has parental controls turned on by default, you have to TalkTalk Home Safe lets you control all devices which are choose to switch it off. connected to your TalkTalk router. Protection (Paid for) Sky Broadband Shield works on all devices connected to your The free package includes; home broadband. It comes at no extra cost. Kids Safe - which allows you to block all or your choice of To find out more: McAfee Family Protection categories of websites.
    [Show full text]
  • Fire TV Stick User Guide Fire TV Stick User Guide
    Fire TV Stick User Guide Fire TV Stick User Guide Contents Fire TV Stick User Guide ...................................................................................................................... 2 Amazon Fire TV Device Basics ............................................................................................................. 4 Fire TV Stick Hardware Basics ............................................................................................................. 5 Main Menu Basics ................................................................................................................................ 8 Settings Basics ................................................................................................................................... 10 Register or Deregister Your Amazon Fire TV Device .......................................................................... 12 Access & Remove Content ................................................................................................................. 13 Remove Content from Your Amazon Fire TV Device .......................................................................... 14 Set Up Parental Controls .................................................................................................................... 15 Use Your Voice to Search Amazon Fire TV Devices ........................................................................... 16 Differences between Amazon Fire TV and Fire TV Stick ....................................................................
    [Show full text]
  • Internet Filtering & Monitoring
    Internet Filtering & Monitoring “Your ultimate goal is to raise kids who use the Internet safely and responsibly and think critically about their actions, but a little technical assistance can help. And, as your kids get older, you’ll need to dial down the restrictions to help them develop their own sense of responsibility. —Common Sense Media Monitors and Filters Are Useful, But They Shouldn’t Replace Relationships There’s no question that there’s a lot of filth on the Internet. And it’s pretty easy to run into it, even accidentally. Internet filters are extremely useful tools for preventing you and your children from encountering content that is harmful and disturbing. But in the same way that sending your kids to Christian school won’t automatically make them Christians, setting up an Internet filter won’t in and of itself keep them from online dangers. Why? For two reasons: 1. People on the other end of the Internet are constantly developing new ways to access new people (for various reasons); and 2. If our tech-savvy kids are determined, they will find ways around anything we implement. Because of that, we hope that parental controls are just one part of your overall strategy for protecting your children. Don’t view Internet filters as the safety net that will keep your kids safe. Instead, view them as your first line of defense. Your priority should be training your kids to think critically and discipling their hearts to want to pursue what is good and to hate what is evil. Because Internet filters are a good resource, we want to highlight what we think are some of the most helpful solutions currently available.
    [Show full text]
  • What Can I Block with Parental Controls?
    What Can I Block with Parental Controls? Applies to: Wii U Deluxe, Wii U Basic Notes: Restriction options are dependent on the availability of system features. A system update may be required for a complete list of options. How to Certain software, such as Wii U Chat, has its own parental control settings. Check the support documentation for specific software titles for more information. Adding users and formatting system memory are restricted automatically when Parental Controls are enabled. Information: You can choose to restrict the following Wii U features: Game Rating: Restrict all usage (as well as purchase through the Nintendo eShop) of software exceeding the rating level of your choice. Online Interaction in Games: Restrict the use of online features of software such as online play, conversation among users, and Miiverse posts. Internet Browser: Prevent use of the Internet browser. Wii U Shopping Services: Restrict the use of credit cards or the purchase of software through services such as the Nintendo eShop. Miiverse: Restrict users from viewing or posting content. Friend Registration: Prevent the registrations of friends. Entertainment Excluding Games: Restrict the viewing of video content, both streaming and stored on physical media such as discs, and software with video-playback functions. Data Management: Restrict the deletion or moving of software or save data using Data Management. Internet Settings: Restrict the addition, modification, or deletion of Internet settings. You can choose to restrict the following Wii features (Wii Mode): Game Rating: Restrict all usage (as well as purchases through the Wii Shop Channel) of software exceeding the rating level of your choice.
    [Show full text]
  • Android Phone
    Android “Every day, every hour, the parents are either passively or actively forming those habits in their children upon which, more than upon anything else, future character and conduct depend. —Charlotte Mason Android: Phone or Sentient Robot? 21st-century parents have to figure out all kinds of digital technology, even if we’re not particularly “techie” by nature. It’s similar to when we worry about helping a high-schooler with algebra when we ourselves are lousy at math. We can send them to tutors when they grow beyond our experience in math, but digital tech doesn’t allow us that same luxury of delegation. It’s vitally important that we know (and keep learning) what our teens’ devices do, how they work, and how they’re being used. Despite what it may seem like, not everything or everyone on the Internet is out to get our kids, and a few simple strategies implemented via the device’s operating system can quickly and regularly protect them from violent content, identity thieves, cyberbullies, porn, and sexual predation. Use these efforts in tandem with relational techniques aimed at connection instead of control, and the device becomes a way to strengthen the parent-child bond while still allowing us to prioritize their health and safety. What does “OS” mean? It stands for “operating system.” Essentially, today’s smartphones and tablets are handheld computers. The minute we turn on a smartphone, computer, tablet, video game console, or even a graphing calculator, an OS fires up. The OS runs the device, allows the integration of features and apps, provides the user interface, and keeps the device running smoothly.
    [Show full text]