Parental Controls: Safer Internet Solutions Or New Pitfalls?
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, and Amr Youssef | Concordia University

Digital Object Identifier 10.1109/MSEC.2021.3076150
Date of current version: 19 May 2021
November/December 2021. Copublished by the IEEE Computer and Reliability Societies. 1540-7993/21 ©2021 IEEE. www.computer.org/security
Authorized licensed use limited to: Concordia University Library. Downloaded on June 11, 2021 at 20:12:55 UTC from IEEE Xplore. Restrictions apply.

Parental-control solutions often require dangerous privileges to function. We analyzed privacy/security risks of popular solutions and found that many leak personal information and are vulnerable to attacks, betraying the trust of parents and children.

Many children are now as connected to the Internet as adults are, if not more. The Internet provides an important avenue for education, entertainment, and social connection for children. However, the dark sides are also significant: Children are by nature vulnerable to online exploitation, Internet addiction, and other negative effects of online social networking, including cyberbullying and even cybercrimes. To provide a safe Internet experience, many parents rely on parental-control solutions, which are also recommended by government agencies, including the U.S. Federal Trade Commission (FTC) and the U.K. Council for Child Internet Safety.

Parental-control solutions are available for different platforms, including desktop applications, browser extensions, mobile apps, and network devices that can monitor all connected computers and smart devices. Most of these solutions require special privileges to operate, such as mobile device administration/management capabilities, Transport Layer Security (TLS) interception, access to browsing data, and control over the network traffic. In addition, they also collect a lot of sensitive user data, such as voice, video, location, messages, and social media activities. Thus, design and implementation flaws in these solutions can lead to serious privacy leakage and online and real-world security and safety issues.

To better understand the privacy and security implications of parental-control solutions, we designed an experimental framework with a set of security and privacy tests and systematically analyzed popular representative solutions: eight network devices, eight Windows applications, 10 Chrome extensions, and 46 Android apps representing 28 Android solutions, grouped by vendor (an Android solution is typically composed of a child app, a parent app, and an online parental dashboard). We found 170 vulnerabilities in the tested solutions; the majority of solutions broadly fail to adequately preserve the security and privacy of both children and parent users. Our notable findings include:

■ The Blocksi parental-control router allows remote command injection, enabling an attacker with a parent’s email address to eavesdrop and modify the home network’s traffic or use the device in a botnet (for example, Mirai). Blocksi’s firmware-update mechanism is also completely vulnerable to network attackers.
■ Nine out of 28 Android solutions and four out of eight network devices do not properly authenticate their server application programming interface (API) endpoints, allowing illegitimate parties to access and view/modify server-stored children/parent data.
■ Six out of 28 Android solutions allow an attacker to easily compromise the parent account at the server end, enabling full account control of the child’s device (for example, the attacker can install/remove apps and allow/block phone calls and Internet connections).
■ Eight out of 28 Android solutions transmit personally identifiable information (PII) via HTTP (for example, kidSAFE-certified Kidoz sends account credentials via HTTP).

As part of responsible disclosure, we shared our findings and possible fixes with all of the solution providers. Two months after disclosure, only ten companies responded, with seven custom and three automatic replies. Notable changes after the disclosure include: MMGuardian deprecated their custom browser, FamiSafe fixed the Firebase database security issue, and FamilyTime enabled HTTP Strict Transport Security (HSTS) on their server. Details of our findings and disclosure responses are available in the Annual Computer Security Applications Conference version of our article [7].

Related Work

Over the past years, several parental-control tools have made the news for security and privacy breaches. Example exposures include when TeenSafe leaked thousands of children’s Apple IDs and passwords and when Family Orbit exposed nearly 281 gigabytes of children’s photos and videos on a cloud server.

Between 2015 and 2017, researchers from the Citizen Lab (citizenlab.ca), Cure53 (cure53.de), and OpenNet Korea (opennetkorea.org) published a series of technical audits [1] mandated by the Korean government of three popular Korean parenting apps, revealing serious security and privacy issues in them. In 2019, Feal et al. [2] studied 46 parental-control Android apps for data collection and data-sharing practices and the completeness and correctness of their privacy policies. In some of these apps, we further identified new critical security issues (for example, the leakage of plaintext authentication information) using our comprehensive app-analysis framework. Reyes et al. [3] analyzed children’s Android apps for Children’s Online Privacy Protection Act (COPPA) compliance. Out of 5,855 analyzed apps, the majority of them were found to potentially violate COPPA, and 19% were found to send PII in their network traces. Our analysis across multiple platforms is inspired by existing work and past security incidents, and it provides a broader picture of the security and privacy risks of parental-control tools.

Background and Threat Model

Monitoring Techniques

Network parental-control devices can monitor network traffic but usually cannot inspect the content of encrypted traffic. The analyzed devices act as man-in-the-middles (MITMs) between the client device and the Internet router by performing Address Resolution Protocol (ARP) spoofing or by creating a separate access point (AP) for all children’s devices. ARP spoofing enables the network device to impersonate the home router and monitor all of the local network traffic.

Android apps rely on several Android-specific mechanisms, including the following:

■ device administration: provides several administrative features at the system level, including device lock, factory reset, certificate installation, and device-storage encryption
■ mobile device management: enables additional control and monitoring features and is designed for businesses to fully control/deploy devices in an enterprise setting
■ Android accessibility service: enables the capturing and retrieving of window content, logging keystrokes, and controlling website content by injecting JavaScript code into visited web pages
■ Android virtual private network, custom browsers, and third-party domain classifiers: used to filter web content
■ access to Facebook and YouTube OAuth credentials: used to monitor a child’s activities on Facebook and YouTube.

Windows applications use the following techniques: a TLS proxy is installed by inserting a self-signed certificate in the trusted root certificate store, allowing HTTPS content analysis/modification; user applications are monitored for usage and duration; and user activity is monitored via screenshots, keylogging, and webcam access. Parental-control Chrome extensions use Chrome APIs to monitor the user-requested uniform resource locators (URLs), which includes intercepting and redirecting traffic and modifying page content and metadata, including cookies.

Threat Model

We consider the following attacker types with varying capabilities but that require no physical access to either a child/parent’s device or back-end servers:

■ on-device attacker: a malicious app with limited permissions on a child/parent’s device
■ local network attacker: an attacker with direct or remote access to the same local network as a child’s device
■ on-path attacker: an MITM attacker between the home network and a solution’s back-end server

Completely Automated Public Turing Test to Tell Computers and Humans Apart).

8. Uninformed suspicious activities: There are no notifications to parents about indicators of possible compromise (for example, the use of parental accounts on a new device or password changes).
9. Insecure PII transmission: This is the sending of PII from the client end without encryption, allowing an adversary to eavesdrop for PII.
10. PII exposure to third parties: This is the direct PII collection and sharing (from client devices) with third parties.

Selection of Parental-Control Solutions

We chose solutions used in the most popular computing platforms for mobile