Parental Controls: Safer Internet Solutions Or New Pitfalls?

Total Page:16

File Type:pdf, Size:1020Kb

Parental Controls: Safer Internet Solutions Or New Pitfalls? This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. Parental Controls: Safer Internet Solutions or New Pitfalls? Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, and Amr Youssef | Concordia University Parental-control solutions often require dangerous privileges to function. We analyzed privacy/security risks of popular solutions and found that many leak personal information and are vulnerable to attacks, betraying the trust of parents and children. any children are now as connected to the Inter- operate, such as mobile device administration/man- M net as adults are, if not more. The Internet agement capabilities, Transport Layer Security (TLS) provides an important avenue for education, entertain- interception, access to browsing data, and control over ment, and social connection for children. However, the the network traffic. In addition, they also collect a lot dark sides are also significant: Children are by nature of sensitive user data, such as voice, video, location, vulnerable to online exploitation, Internet addiction, messages, and social media activities. Thus, design and and other negative effects of online social network- implementation flaws in these solutions can lead to seri- ing, including cyberbullying and even cybercrimes. To ous privacy leakage and online and real-world security provide a safe Internet experience, many parents rely and safety issues. on parental-control solutions, which are also recom- To better understand the privacy and security mended by government agencies, including the U.S. implications of parental-control solutions, we designed Federal Trade Commission (FTC) and the U.K. Coun- an experimental framework with a set of security and cil for Child Internet Safety. privacy tests and systematically analyzed popular rep- Parental-control solutions are available for differ- resentative solutions: eight network devices, eight ent platforms, including desktop applications, browser Windows applications, 10 Chrome extensions, and extensions, mobile apps, and network devices that can 46 Android apps representing 28 Android solutions, monitor all connected computers and smart devices. grouped by vendor (an Android solution is typically Most of these solutions require special privileges to composed of a child app, a parent app, and an online parental dashboard). We found 170 vulnerabilities in Digital Object Identifier 10.1109/MSEC.2021.3076150 the tested solutions; the majority of solutions broadly Date of current version: 19 May 2021 fail to adequately preserve the security and privacy of 2 November/December 2021 Copublished by the IEEE Computer and Reliability Societies 1540-7993/21©2021IEEE Authorized licensed use limited to: Concordia University Library. Downloaded on June 11,2021 at 20:12:55 UTC from IEEE Xplore. Restrictions apply. This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. both children and parent users. Our notable findings some of these apps, we further identified new critical include: security issues (for example, the leakage of plaintext authentication information) using our comprehensive ■ The Blocksi parental-control router allows remote app-analysis framework. Reyes et al.3 analyzed children’s command injection, enabling an attacker with a par- Android apps for Children’s Online Privacy Protection ent’s email address to eavesdrop and modify the Act (COPPA) compliance. Out of 5,855 analyzed apps, home network’s traffic or use the device in a bot- the majority of them were found to potentially violate net (for example, Mirai). Blocksi’s firmware-update COPPA, and 19% were found to send PII in their net- mechanism is also completely vulnerable to network work traces. Our analysis across multiple platforms is attackers. inspired by existing work and past security incidents, ■ Nine out of 28 Android solutions and four out of and it provides a broader picture of the security and pri- eight network devices do not properly authenticate vacy risks of parental-control tools. their server application programming interface (API) endpoints, allowing illegitimate parties to access and Background and Threat Model view/modify server-stored children/parent data. ■ Six out of 28 Android solutions allow an attacker to Monitoring Techniques easily compromise the parent account at the server Network parental-control devices can monitor net- end, enabling full account control of the child’s device work traffic but usually cannot inspect the content of (for example, the attacker can install/remove apps and encrypted traffic. The analyzed devices act as man-in- allow/block phone calls and Internet connections). the-middles (MITMs) between the client device and ■ Eight out of 28 Android solutions transmit personally the Internet router by performing Address Resolu- identifiable information (PII) via HTTP (for exam- tion Protocol (ARP) spoofing or by creating a separate ple, kidSAFE-certified Kidoz sends account creden- access point (AP) for all children’s devices. ARP spoof- tials via HTTP). ing enables the network device to impersonate the home router and monitor all of the local network traffic. As part of responsible disclosure, we shared our find- Android apps rely on several Android-specific mech- ings and possible fixes with all of the solution provid- anisms, including the following: ers. Two months after disclosure, only ten companies responded, with seven custom and three automatic ■ device administration: provides several administrative replies. Notable changes after the disclosure include: features at the system level, including device lock, fac- MMGuardian deprecated their custom browser, Fam- tory reset, certificate installation, and device-storage iSafe fixed the Firebase database security issue, and encryption FamilyTime enabled HTTP Strict Transport Security ■ mobile device management: enables additional con- (HSTS) on their server. Details of our findings and trol and monitoring features and is designed for busi- disclosure responses are available in the Annual Com- nesses to fully control/deploy devices in an enterprise puter Security Applications Conference version of our setting article.7 ■ Android accessibility service: enables the capturing and retrieving of window content, logging keystrokes, and Related Work controlling website content by injecting JavaScript Over the past years, several parental-control tools have code into visited web pages made the news for security and privacy breaches. Exam- ■ Android virtual private network, custom browsers, and ple exposures include when TeenSafe leaked thousands third-party domain classifiers: used to filter web content of children’s Apple IDs and passwords and when Family ■ access to Facebook and YouTube OAuth credentials: Orbit exposed nearly 281 gigabytes of children’s photos used to monitor a child’s activities on Facebook and and videos on a cloud server. YouTube. Between 2015 and 2017, researchers from the Citi- zen Lab (citizenlab.ca), Cure53 (cure53.de), and Open- Windows applications use the following techniques: Net Korea (opennetkorea.org) published a series of a TLS proxy is installed by inserting a self-signed cer- technical audits1 mandated by the Korean government tificate in the trusted root certificate store, allowing of three popular Korean parenting apps, revealing seri- content HTTPS content analysis/modification; user ous security and privacy issues in them. In 2019, Feal applications are monitored for usage and duration; and et al.2 studied 46 parental-control Android apps for user activity is monitored via screenshots, keylogging, data collection and data-sharing practices and the com- and webcam access. Parental-control Chrome exten- pleteness and correctness of their privacy policies. In sions use Chrome APIs to monitor the user-requested www.computer.org/security 3 Authorized licensed use limited to: Concordia University Library. Downloaded on June 11,2021 at 20:12:55 UTC from IEEE Xplore. Restrictions apply. This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. uniform resource locators (URLs), which includes Completely Automated Public Turing Test to Tell intercepting and redirecting traffic and modifying page Computers and Humans Apart). content and metadata, including cookies. 8. Uninformed suspicious activities: There are no notifi- cations to parents about indicators of possible com- Threat Model promise (for example, the use of parental accounts We consider the following attacker types with varying on a new device or password changes). capabilities but that require no physical access to either 9. Insecure PII transmission: This is the sending of PII a child/parent’s device or back-end servers: from the client end without encryption, allowing an adversary to eavesdrop for PII. ■ on-device attacker: a malicious app with limited per- 10. PII exposure to third parties: This is the direct PII missions on a child/parent’s device collection and sharing (from client devices) with ■ local network attacker: an attacker with direct or third parties. remote access to the same local network as a child’s device Selection of Parental-Control Solutions ■ on-path attacker: an MITM attacker between the We chose solutions used in the most popular comput- home network and a solution’s back-end server ing platforms for mobile
Recommended publications
  • Parental Controls 1
    Parental Controls 1 Begin as you mean to go. You can introduce parental software controls to a younger child with more ease than to a teenager. Getting your child used to the idea that the tablet goes off, the video goes off, the TV goes off at certain times is extremely attractive. And with parental control software, you can do just that. Parental controls are usually included in most devices, such as your computer, tablet and smartphone. You need to dive into those settings and dig around to see what features are available to you. If you are based in Europe, the European Commission maintains a website called SipBench.eu which provides benchmarking analysis of parental control software. The findings are available in several European languages and identify the prices, technical requirements, operating system and age of the children to be protected. It is a handy background resource to get you started with parental controls. If you know of other parental control software tools that should be added to this list, please write to me at [email protected] so I can investigate and incorporate them into this resource sheet. Thank you for being a part of our Digital Parenting Community. www.digitalparentingcoach.com 2 Before signing up for parental control software • Read this article from Common Sense Media to help you make sense of the different types of parental control systems. • Confirm that your parental control software will allow you, at the very least, to set screen limits, filter content, block ads, and monitor your child’s online activities.
    [Show full text]
  • Security and Privacy Risks of Parental Control Solutions
    Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions Suzan Ali Mounir Elgharabawy Quentin Duchaussoy [email protected] [email protected] [email protected] Concordia University Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada Montreal, Quebec, Canada Mohammad Mannan Amr Youssef [email protected] [email protected] Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada ABSTRACT Conference (ACSAC 2020), December 7–11, 2020, Austin, USA. ACM, New For parents of young children and adolescents, the digital age has in- York, NY, USA, 15 pages. https://doi.org/10.1145/3427228.3427287 troduced many new challenges, including excessive screen time, in- appropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental 1 INTRODUCTION control solutions on different platforms, including parental con- Many of today’s children cannot imagine their daily lives without trol network devices (e.g., WiFi routers) and software applications internet. A recent survey [66] shows that 42% of US children (4–14 on mobile devices and laptops. While these parental control solu- years) spend over 30 hours a week on their phones; nearly 70% of tions may help digital parenting, they may also introduce serious parents think that such use has a positive effect on their children’s security and privacy risks to children and parents, due to their development [66]. While the web could be an excellent environment elevated privileges and having access to a significant amount of for learning and socializing, there is also a plethora of online content privacy-sensitive data.
    [Show full text]
  • Operations Manual
    Operations Manual Français p. 63 Español p. 127 Wii U System Manuals The official seal is your assurance that this product is licensed or manufactured by Nintendo. Always look for this seal when buying video game systems, accessories, Types of Manuals games and related products. Printed manuals • Wii U Quick Start Guide This guide covers the basic information for setting up and using your Wii U system. Please carefully read this Operations Manual before setup or use of the Wii U™ system. If • Wii U Operations Manual (this manual) you have problems or questions after reading all of the instructions, please visit our This manual gives the names of each component and describes how to recharge the customer service area at support.nintendo.com or call 1-800-255-3700. Also, additional controller, configure System Settings, and perform various procedures. It also provides pre-installed electronic manuals are available for the Wii U system and software applications troubleshooting and support information. from the HOME Menu, as described on the next page. Pre-installed electronic manuals • Wii U Electronic Manual ( ) This manual describes the Wii U features and gives detailed instructions on how to use the pre installed software, how to launch the Wii™ menu, and other operations. • Wii Menu Electronic Manual This manual describes the Wii Menu features and gives detailed instructions on how to use the included software. Viewing an Electronic Manual When the Wii U Menu is displayed, press on the Wii U™ GamePad to open the HOME Menu, then tap to open the Wii U Electronic Manual.
    [Show full text]
  • Parental Security Control
    IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 2 Issue 10, October 2015. www.ijiset.com ISSN 2348 – 7968 Parental Security Control Monali Shirbhate, Mitali Tiwari, Supriya Raut and Dolly Kumbhalkar 1Asst Prof, Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India 2 Students of Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India 3 Students of Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India 4 Students of Computer Science and Engineering, RTMNU, Nagpur, Maharashtra, India Abstract devices, and your home network. Parents, educators, This project describes an android application for parental social scientists, media pundits, and many others all offer security Control which will help the parents to monitor the their opinions, but rarely is any consensus reached. activities done on their children’s smart phones. Now-a-days a Parental controls are features which may be included lot of misuse is done on smart-phones operating android by in digital television services, computer and video recent generation. To control this misuse we are developing this games, mobile devices and software. Parental controls are application which will be installed on child’s smart phone by divided into four categories: contents filters (which limit parents. There is some feature which we will provide like Create and maintain log of calls, Record call, Create and maintain log of access to age inappropriate content), usage controls message, Record messages, Record the history of websites (which constrain the usage of these devices such as browsed. This entire detail is maintained and recorded by our placing time-limits on usage or forbidding certain types of application file in background.
    [Show full text]
  • Parental Control Guides 10/2020
    Parental Control Guides Revised 10/2020 Resources for Parents Tips for Parenting with Technology • Pick a strategy • Communicate clearly • Set the rules • Expect some challenges • Be consistent as possible Common Limitations for Tech Use • Limit screen time (e.g., 2 hours/day) • Never on weekdays • After homework is done • Educational games/work only How to Establish Rules • Important to establish clear rules from the beginning • If possible, involve your children in the rule-making process. • Frame rules in the positive Setting Rules for Multiple Children • Establish ground rules appropriate to the age of each child • Community tech time: take turns between siblings within a window of time • Alternatively, “homework time” for other siblings while one has access to the screen. • Be flexible in establishing the rules and firm in enforcing them Common Challenges • Visiting friends: contact parents of the other child to discuss tech use • Multiple children: the simpler the better! Blocks of time (community tech time, homework time) tend to be easier to implement than several different strategies • Not sure whether to allow certain games? Watch your child play the games, ask questions, to determine what’s right for them. • Mistakes happen, but if your child gets a free night expect some push-back the next time you enforce the rules! Consistency • Consistency is key! The more predictable the rules and consequences are, the less likely your child will be to argue about them. 1 Parental Control Guides Revised 10/2020 TABLE OF CONTENTS SECTION
    [Show full text]
  • APPLE Vs. ANDROID Apple Has Built in Some Parental Controls in The
    APPLE vs. ANDROID Apple has built in some parental controls in the actual iOS phones system (i.e. ability to set restrictions on what apps can be downloaded or what websites can be visited, settings passcodes to prevent kids from circumventing restrictions you set, syncing your phone and your children’s iPhones/Apple devices together by putting them on the same Apple account, keeping track of child’s location, etc.). Basically, Apple gives you boxed control over your Apple devices with your Apple account. Android does not have those built in features, so some people feel it’s harder for parents to monitor their teens Android devices; however, you can upload apps to your child’s Android device to make it more secure and to let you have control over the device like an Apple device would, you just have to download them. The recommendations I have seen have all recommended downloading a monitoring device such as Disney Cirlce or Mobicip, as we discussed in the training. But specifically, I saw strong recommendations for the use of Net Nanny, Norton Family Premier and Kaspersky Safe Kids. Tom’s Guide recommends these for the level of control they provide to parents of kids with Android devices and says that each product “offer different levels of control, but for the most part you can expect to impose time limits (including a curfew when it's time for your child to go to bed), block individual callers and texters, quickly revise app usage and — most important — get reports on how your child is using the phone.” In addition, Google has also recently introduced Family Link which gives parents more control over their child’s Android devices – screen time, time of day controls, and apps downloads.
    [Show full text]
  • Parental Protection on Games Consoles As a Parent, It's Not Always Easy to Keep an Eye on Your Children's Time Spent with Entertainment Devices
    Parental Protection on Games Consoles As a parent, it's not always easy to keep an eye on your children's time spent with entertainment devices. The Nintendo Switch Parental Controls smart device app is a free smart device app which you can link with Nintendo Switch to easily monitor what and how your children are playing. If you do not have a smart device you can also set certain restrictions on Nintendo Switch directly. Monitor your child’s gameplay time. In the Nintendo Switch Parental Controls smart device app, you can set a time limit for how long your child is allowed to play. When it’s time, an alarm will be triggered on Nintendo Switch to let them know their play time is up. In the Nintendo Switch Parental Controls smart device app, you can also comfortably monitor whether your children are keeping to the set time or not. By using the "Suspend Software" feature, you can set it so that the game turns off automatically when your child’s gameplay time is up. Monitor what your child is playing. There's even a function in the Nintendo Switch Parental Controls smart device app where you can see a report of which video games your child has been playing, and for how long. In addition to seeing what your children have been playing daily, you can also receive a monthly play report of your child from the Nintendo Switch Parental Controls smart device app. At a glance, you can see what kind of games your children are interested in.
    [Show full text]
  • Third Party Parental Controls
    Staying Safe Online Parental Controls on BT Third Party Parental BT Parental Control allows you to manage internet access on all Controls Home Internet devices connected to your BT Home Hub and BT Wi-Fi hotspots. Most UK Broadband providers offer free ‘whole-home parental This service is available for free and includes an option of Strict, You may decide to use a dedicated parental control solution to controls’ which apply to any device connected to your Moderate and Light filters. You are also given an option to block inappropriate content. broadband. restrict specific websites and set a Homework Time which blocks If you already have a security software package on your These controls only work on your Wi-Fi network, not when you social media, gaming and homework cheat sites. computer, check whether it includes Parental Control. You may are using 3G or 4G data. (See next page for Parental controls on mobile devices.) To find out more: BT Parental Controls not need a third party one. Some are free, but most will cost you an annual subscription. Sky TalkTalk McAfee Family Sky has parental controls turned on by default, you have to TalkTalk Home Safe lets you control all devices which are choose to switch it off. connected to your TalkTalk router. Protection (Paid for) Sky Broadband Shield works on all devices connected to your The free package includes; home broadband. It comes at no extra cost. Kids Safe - which allows you to block all or your choice of To find out more: McAfee Family Protection categories of websites.
    [Show full text]
  • Fire TV Stick User Guide Fire TV Stick User Guide
    Fire TV Stick User Guide Fire TV Stick User Guide Contents Fire TV Stick User Guide ...................................................................................................................... 2 Amazon Fire TV Device Basics ............................................................................................................. 4 Fire TV Stick Hardware Basics ............................................................................................................. 5 Main Menu Basics ................................................................................................................................ 8 Settings Basics ................................................................................................................................... 10 Register or Deregister Your Amazon Fire TV Device .......................................................................... 12 Access & Remove Content ................................................................................................................. 13 Remove Content from Your Amazon Fire TV Device .......................................................................... 14 Set Up Parental Controls .................................................................................................................... 15 Use Your Voice to Search Amazon Fire TV Devices ........................................................................... 16 Differences between Amazon Fire TV and Fire TV Stick ....................................................................
    [Show full text]
  • Internet Filtering & Monitoring
    Internet Filtering & Monitoring “Your ultimate goal is to raise kids who use the Internet safely and responsibly and think critically about their actions, but a little technical assistance can help. And, as your kids get older, you’ll need to dial down the restrictions to help them develop their own sense of responsibility. —Common Sense Media Monitors and Filters Are Useful, But They Shouldn’t Replace Relationships There’s no question that there’s a lot of filth on the Internet. And it’s pretty easy to run into it, even accidentally. Internet filters are extremely useful tools for preventing you and your children from encountering content that is harmful and disturbing. But in the same way that sending your kids to Christian school won’t automatically make them Christians, setting up an Internet filter won’t in and of itself keep them from online dangers. Why? For two reasons: 1. People on the other end of the Internet are constantly developing new ways to access new people (for various reasons); and 2. If our tech-savvy kids are determined, they will find ways around anything we implement. Because of that, we hope that parental controls are just one part of your overall strategy for protecting your children. Don’t view Internet filters as the safety net that will keep your kids safe. Instead, view them as your first line of defense. Your priority should be training your kids to think critically and discipling their hearts to want to pursue what is good and to hate what is evil. Because Internet filters are a good resource, we want to highlight what we think are some of the most helpful solutions currently available.
    [Show full text]
  • What Can I Block with Parental Controls?
    What Can I Block with Parental Controls? Applies to: Wii U Deluxe, Wii U Basic Notes: Restriction options are dependent on the availability of system features. A system update may be required for a complete list of options. How to Certain software, such as Wii U Chat, has its own parental control settings. Check the support documentation for specific software titles for more information. Adding users and formatting system memory are restricted automatically when Parental Controls are enabled. Information: You can choose to restrict the following Wii U features: Game Rating: Restrict all usage (as well as purchase through the Nintendo eShop) of software exceeding the rating level of your choice. Online Interaction in Games: Restrict the use of online features of software such as online play, conversation among users, and Miiverse posts. Internet Browser: Prevent use of the Internet browser. Wii U Shopping Services: Restrict the use of credit cards or the purchase of software through services such as the Nintendo eShop. Miiverse: Restrict users from viewing or posting content. Friend Registration: Prevent the registrations of friends. Entertainment Excluding Games: Restrict the viewing of video content, both streaming and stored on physical media such as discs, and software with video-playback functions. Data Management: Restrict the deletion or moving of software or save data using Data Management. Internet Settings: Restrict the addition, modification, or deletion of Internet settings. You can choose to restrict the following Wii features (Wii Mode): Game Rating: Restrict all usage (as well as purchases through the Wii Shop Channel) of software exceeding the rating level of your choice.
    [Show full text]
  • Android Phone
    Android “Every day, every hour, the parents are either passively or actively forming those habits in their children upon which, more than upon anything else, future character and conduct depend. —Charlotte Mason Android: Phone or Sentient Robot? 21st-century parents have to figure out all kinds of digital technology, even if we’re not particularly “techie” by nature. It’s similar to when we worry about helping a high-schooler with algebra when we ourselves are lousy at math. We can send them to tutors when they grow beyond our experience in math, but digital tech doesn’t allow us that same luxury of delegation. It’s vitally important that we know (and keep learning) what our teens’ devices do, how they work, and how they’re being used. Despite what it may seem like, not everything or everyone on the Internet is out to get our kids, and a few simple strategies implemented via the device’s operating system can quickly and regularly protect them from violent content, identity thieves, cyberbullies, porn, and sexual predation. Use these efforts in tandem with relational techniques aimed at connection instead of control, and the device becomes a way to strengthen the parent-child bond while still allowing us to prioritize their health and safety. What does “OS” mean? It stands for “operating system.” Essentially, today’s smartphones and tablets are handheld computers. The minute we turn on a smartphone, computer, tablet, video game console, or even a graphing calculator, an OS fires up. The OS runs the device, allows the integration of features and apps, provides the user interface, and keeps the device running smoothly.
    [Show full text]