
Parental controls – Safer Internet solutions or new pitfalls?

Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, and Amr Youssef
Concordia University, Montreal, Canada

IEEE Security & Privacy, published by the IEEE Computer Society, © 2021 IEEE

Abstract—Parental control solutions are used by many parents to provide their children a safer digital environment. These solutions often require dangerous privileges to function. We analyzed privacy/security risks of popular solutions and found that many leak personal information and are vulnerable to attacks, betraying the trust of parents and children.

Index Terms: Privacy, Security, Mobile and Personal devices

Introduction

Many children are now as connected to the Internet as adults, if not more. The Internet provides an important avenue for education, entertainment and social connection for children. However, the dark sides are also significant: children are by nature vulnerable to online exploitation, internet addiction, and other negative effects of online social networking, including cyber-bullying and even cyber-crimes. To provide a safe internet experience, many parents rely on parental control solutions, which are also recommended by government agencies, including US FTC and UK Council for Child Internet Safety.

Parental control solutions are available for different platforms including desktop applications, browser extensions, mobile apps, and network devices that can monitor all connected computers and smart-devices. Most of these solutions require special privileges to operate, such as mobile device administration/management capabilities, TLS interception, access to browsing data, and control over the network traffic. In addition, they also collect a lot of sensitive user data, such as voice, video, location, messages and social media activities. Thus design and implementation flaws in these solutions can lead to serious privacy leakage, and online and real-world security and safety issues.

To better understand privacy and security implications of parental control solutions, we design an experimental framework with a set of security and privacy tests, and systematically analyze popular representative solutions: 8 network devices, 8 Windows applications, 10 Chrome extensions, and 46 Android apps representing 28 Android solutions grouped by vendor (an Android solution is typically composed of a child app, a parent app, and an online parental dashboard). We found 170 vulnerabilities among the solutions tested; the majority of solutions broadly fail to adequately preserve the security and privacy of their users—both children and parents.

Our notable findings include:

(i) The Blocksi parental control router allows remote command injection, enabling an attacker with a parent's email address to eavesdrop/modify the home network's traffic, or use the device in a botnet (cf. Mirai). Blocksi's firmware update mechanism is also completely vulnerable to a network attacker.
(ii) 9/28 Android solutions and 4/8 network devices do not properly authenticate their server API endpoints, allowing illegitimate access to view/modify server-stored children/parents data.
(iii) 6/28 Android solutions allow an attacker to easily compromise the parent account at the server-end, enabling full account control to the child device (e.g., install/remove apps, allow/block phone calls and internet connections).
(iv) 8/28 Android solutions transmit Personally Identifiable Information (PII) via HTTP (e.g., kidSAFE certified Kidoz sends account credentials via HTTP).

As part of responsible disclosure, we shared our findings and possible fixes with all solution providers. Two months after disclosure, only ten companies responded, with seven custom and three automatic replies. Notable changes after the disclosure: MMGuardian deprecated their custom browser; FamiSafe fixed the Firebase database security issue; and FamilyTime enabled HSTS on their server. Details of our findings and disclosure responses are available in the ACSAC version of our paper [7].

Related Work

Over the past years, several parental control tools have made the news for security and privacy breaches. Example exposures include: TeenSafe leaked thousands of children's Apple IDs and passwords; and Family Orbit exposed nearly 281 GB of children's photos and videos on a cloud server.

Between 2015 and 2017, researchers from the Citizen Lab (citizenlab.ca), Cure53 (cure53.de), and OpenNet Korea (opennetkorea.org) published a series of technical audits [1] of three popular Korean parenting apps mandated by the Korean government, revealing serious security and privacy issues in these apps. In 2019, Feal et al. [2] studied 46 parental control Android apps for data collection and data sharing practices, and the completeness and correctness of their privacy policies. In some of these apps, we further identified new critical security issues (e.g., leakage of plaintext authentication information) using our comprehensive app analysis framework. Reyes et al. [3] analyzed children's Android apps for COPPA compliance. Out of 5855 apps, the majority of the analyzed apps were found to potentially violate COPPA, and 19% were found to send PII in their network traces.

Our analysis across multiple platforms is inspired by the existing work and past security incidents, and provides a broader picture of the security and privacy risks of parental control tools.

Background and Threat Model

Monitoring Techniques

Network parental control devices can monitor network traffic but usually cannot inspect the content of encrypted traffic. The devices analyzed act as a man-in-the-middle between the client device and the internet router as follows: performing Address Resolution Protocol (ARP) spoofing, or creating a separate access point for all children's devices. ARP spoofing enables the network device to impersonate the home router, and monitor all local network traffic.

Android apps rely on several Android-specific mechanisms, including the following. (1) Device administration, which provides several administrative features at the system level, including: device lock, factory reset, certificate installation, and device storage encryption. (2) Mobile device management (MDM), which enables additional control and monitoring features, designed for businesses to fully control/deploy devices in an enterprise setting. (3) Android accessibility service, which enables capturing and retrieving window content, logging keystrokes, and controlling website content by injecting JavaScript code into visited web pages. (4) Android VPN, custom browsers, and third-party domain classifiers, which are used to filter web content. (5) Access to Facebook and YouTube OAuth credentials, which are used to monitor the child's activities on Facebook and YouTube.

Windows applications use the following techniques: a TLS proxy is installed by inserting a self-signed certificate in the trusted root certificate store, allowing HTTPS content analysis/modification; user applications are monitored for their usage and duration; and user activity is monitored via screenshots, keylogging, and accessing the webcam.

Parental control Chrome extensions use Chrome APIs to monitor the user-requested URLs, including: intercepting and redirecting traffic, modifying page content and meta-data including cookies.

Threat Model

We consider the following attacker types with varying capabilities (but require no physical access to either the child/parent device or backend servers). (1) On-device attacker: a malicious app with limited permissions on the child/parent device. (2) Local network attacker: an attacker with direct or remote access to the same local network as the child device. (3) On-path attacker: a man-in-the-middle attacker between the home network and a solution's backend server. (4) Remote attacker: any attacker who can connect to a solution's backend server.

Potential Security and Privacy Issues

We define the following list of potential security and privacy issues to evaluate parental control tools (tested using only our own accounts where applicable). This list was initially inspired by previous work [1], [4], [5], [6], and then iteratively refined by us.

1) Vulnerable client product: A parental control product (including its update mechanism) being vulnerable, allowing sensitive information disclosure (e.g., via on-device side-channels), or even full product com-
6) Weak password policy: Acceptance of very weak passwords (e.g., with 4 characters or less).
7) Online password brute-force: No defense against unlimited login attempts on the online parental login interface (e.g., CAPTCHA).
8) Uninformed suspicious activities: No notifications to parents about indicators of possible compromise (e.g., the use of parental accounts on a new device, or password changes).
9) Insecure PII transmission: PII from the client-end is sent without encryption, allowing an adversary to eavesdrop for PII.
10) PII exposure to third-parties: Direct PII collection and sharing (from client devices) with third-parties.

Selection of Parental Control Solutions

We chose solutions used in the most popular computing platforms for mobile devices (Android), personal computers (Windows), web browsers (Chrome), and selected network products from popular online marketplaces (Amazon). We used “Parental Control” as a search term on Amazon and Chrome Web Store and selected eight devices and ten extensions. For Windows applications, we relied on rankings
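
Added example (not code from the paper or from any vendor): one way to check issues 9 and 10 from the list above over client requests that a test setup has already captured and, for HTTPS, decrypted. The first-party domain, the PII regexes and the sample flows are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: domains operated by the (hypothetical) solution under test.
FIRST_PARTY = {"parentalapp.example"}

# Assumption: generic PII detectors; an audit using its own test accounts
# would search for the exact values entered into those accounts instead.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password": re.compile(r'(?i)\b(?:password|passwd|pwd)"?\s*[=:]\s*"?[^&"\s]+'),
    "location": re.compile(r"(?i)\blat=-?\d+\.\d+&(?:lon|lng)=-?\d+\.\d+"),
}

# Constructed sample requests (URL, body); not captured from any real product.
FLOWS = [
    ("http://api.parentalapp.example/login",
     "email=parent%40mail.example&password=1234"),
    ("https://api.parentalapp.example/location", "lat=45.4972&lon=-73.5790"),
    ("https://tracker.adnetwork.example/collect?email=parent%40mail.example", ""),
    ("https://api.parentalapp.example/ping", "status=ok"),
]

def is_first_party(host):
    """True if host is a first-party domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def audit_flow(url, body=""):
    """Return (issue, pii_kind) findings for one client request."""
    parts = urlsplit(url)
    payload = unquote_plus(parts.query + "&" + body)
    findings = []
    for kind in sorted(k for k, rx in PII_PATTERNS.items() if rx.search(payload)):
        if parts.scheme == "http":  # issue 9: PII sent without encryption
            findings.append(("insecure-pii-transmission", kind))
        if not is_first_party(parts.hostname or ""):  # issue 10: third party
            findings.append(("pii-to-third-party", kind))
    return findings

def audit(flows):
    """Map each offending URL to its findings; clean flows are omitted."""
    report = {}
    for url, body in flows:
        found = audit_flow(url, body)
        if found:
            report[url] = found
    return report

if __name__ == "__main__":
    for url, found in audit(FLOWS).items():
        print(url, found)
```

The location upload in the sample is not flagged because it goes to a first-party host over HTTPS; the same payload sent over HTTP or to another domain would be.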