Security and Privacy Risks of Parental Control Solutions
Total Page:16
File Type:pdf, Size:1020Kb
Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions Suzan Ali Mounir Elgharabawy Quentin Duchaussoy [email protected] [email protected] [email protected] Concordia University Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada Montreal, Quebec, Canada Mohammad Mannan Amr Youssef [email protected] [email protected] Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada ABSTRACT Conference (ACSAC 2020), December 7–11, 2020, Austin, USA. ACM, New For parents of young children and adolescents, the digital age has in- York, NY, USA, 15 pages. https://doi.org/10.1145/3427228.3427287 troduced many new challenges, including excessive screen time, in- appropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental 1 INTRODUCTION control solutions on different platforms, including parental con- Many of today’s children cannot imagine their daily lives without trol network devices (e.g., WiFi routers) and software applications internet. A recent survey [66] shows that 42% of US children (4–14 on mobile devices and laptops. While these parental control solu- years) spend over 30 hours a week on their phones; nearly 70% of tions may help digital parenting, they may also introduce serious parents think that such use has a positive effect on their children’s security and privacy risks to children and parents, due to their development [66]. While the web could be an excellent environment elevated privileges and having access to a significant amount of for learning and socializing, there is also a plethora of online content privacy-sensitive data. In this paper, we present an experimental that can be seriously damaging to children. In addition, children are framework for systematically evaluating security and privacy is- by nature vulnerable to online exploitation and other risk effects sues in parental control software and hardware solutions. Using the of online social networking, including cyber-bullying and even developed framework, we provide the first comprehensive study cyber-crimes (see e.g., [3, 20]); the current COVID-19 pandemic has of parental control tools on multiple platforms including network only increased these risks (see e.g., [73]). devices, Windows applications, Chrome extensions and Android To provide a safe, controlled internet experience, many parents apps. Our analysis uncovers pervasive security and privacy issues and school administrators rely on parental control solutions that that can lead to leakage of private information, and/or allow an are easily accessible either for free, or for a relatively cheap price. adversary to fully control the parental control solution, and thereby From recent surveys in the US, some forms of parental control may directly aid cyberbullying and cyber predators. apps/services are used by 26–39% of parents [17, 53], indicating a growing adoption of these solutions. Such solutions are also recom- CCS CONCEPTS mended by government agencies, e.g., US FTC [31] and UK Council • Security and privacy ! Systems security. for Child Internet Safety (UKCCIS) [72], despite their limited ef- fectiveness (cf. EU commissioned benchmark at: sipbench.eu), and KEYWORDS questionable morality since they, arguably, can act as surveillance tools [79]. This ethical/moral debate is outside the scope of our Parental control network devices, Android apps, Windows applica- work. arXiv:2012.06502v1 [cs.CR] 11 Dec 2020 tions, Web extensions, Privacy, Security On the other hand, over the past few years, many attacks tar- ACM Reference Format: geted parental control solutions, exposing monitored children’s Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, data, sometimes at a large scale [46, 54]. Aside from endanger- and Amr Youssef. 2020. Betrayed by the Guardian: Security and Privacy Risks ing children’s safety (online and in the real-world), such leaked of Parental Control Solutions. In Annual Computer Security Applications children’s personal data may be sold by criminals (cf. [81]). Re- cent reports also revealed several security and privacy issues in Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed the analyzed parental control solutions [4, 28, 77]. However, such for profit or commercial advantage and that copies bear this notice and the full citation analysis was limited to the privacy of Android apps, and only one on the first page. Copyrights for components of this work owned by others than the network device, even though popular parental control solutions author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission are used across different platforms: mobile and desktop OSes, web and/or a fee. Request permissions from [email protected]. extensions, and network devices. Note that, unlike other vulnerable ACSAC 2020, December 7–11, 2020, Austin, USA products (e.g., buggy gaming apps [78]), or non-complaint products © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-8858-0/20/12...$15.00 (e.g., Android apps for children [62]), which can be removed when https://doi.org/10.1145/3427228.3427287 such concerns are known, parental control solutions are deemed ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al. essential by many parents and schools, and thus are not expected (Kidswatch) completely lacks HTTPS, and communicates with to be removed due to the lack of better alternatives. the backend server via HTTP. We undertake the first comprehensive study to analyze differ- • 2/10 Chrome extensions and 4/13 Android solutions transmit ent types of parental control hardware and software solutions. We the full URLs from the browser to their server, possibly leaking design a set of security and privacy tests, and systematically ana- sensitive (session) information. lyze popular representative parental control solutions available in As part of responsible disclosure, we contacted the developers network devices, Windows and Android OSes, and Chrome exten- of the solutions we analyzed, and shared our findings, including sions. While developing our comprehensive analysis framework for proof-of-concept scenarios and possible fixes. Two months after solutions in multiple platforms, we faced several challenges. Most disclosure, only ten companies responded, seven custom and three parental control solutions implement various techniques that hin- automatic replies. Blocksi, KoalaSafe, MMGuardian, KidsPlace, Fam- der traffic analysis (e.g., VPNs, SSLpinning and custom protocols). iSafe, and FamilyTime responded that they are investigating the The use of proprietary firmware and code obfuscation techniques issues. Kidoz responded that some of our reported issues are on their also poses challenges for static analysis. Understanding long-term fixing backlog, and acknowledged the new vulnerabilities. Other behaviors of these solutions by running them for hours/days in a re- vendors either sent automatic/ambiguous response, or no response alistic way (e.g., triggering all their features), is also time consuming at all. Notable changes after the disclosure: MMGuardian depre- (compared to simple, automated UI fuzzing). cated their custom browser; FamiSafe fixed the Firebase database Contributions. Our contributions can be summarized as follows. security issue; and FamilyTime enabled HSTS on their server. (i) We developed an experimental framework for systematically evaluating security and privacy issues in parental control software and hardware solutions. (ii) We utilized this framework to conduct 2 RELATED WORK the first comprehensive study of parental control tools on multiple In this section, we first list a few example cases from real-world platforms, including 8 network devices, 8 Windows applications, data breaches involving parental control tools, and then summarize 10 Chrome extensions, and 29 Android apps representing 13 An- related academic studies (mostly privacy analyses of Android apps). droid solutions grouped by vendor.1 The in-depth analysis aims to Over the past years, several parental control tools have made the inspect the apps’ web traffic for personally identifiable information news for security and privacy breaches. The teen-monitoring app (PII) leakage, insecure API endpoints authentication, potential vul- TeenSafe leaked thousands of children’s Apple IDs, email addresses nerabilities, and the presence of third-parties and known trackers. and passwords [46]. Family Orbit exposed nearly 281 GB of chil- (iii) Our analysis reveals 135 vulnerabilities among the solutions dren data from an unsecured cloud server [54]. In 2019, a privacy tested and highlights that the majority of solutions broadly fail to flaw in Kaspersky anti-virus and parental control application was adequately preserve the security and privacy of their users—both found [24]. This application included a script to perform content children and parents. checking on each page intercepted by a TLS proxy. However, some Notable findings and disclosure. Our notable findings include: unique IDs were also included in the process, allowing the web- • The Blocksi parental control router allows remote command site to track the