Many popular parental control solutions are insecure, according to a new Concordia paper
Since the spring, parents have often been allowing their children additional screen time in order to get through the pandemic — and this is not necessarily a bad thing. But new research by Concordia students and faculty suggests that children are no more immune from tech snooping than anyone else, even by the products that are marketed to protect them.
In fact, they may be even more vulnerable. As the researchers point out in a paper being presented at the Annual Computer Security Applications Conference next week, a number of parental control solutions available on the market are insecure.
The researchers developed experimental frameworks to systematically evaluate security and privacy issues in dozens of separate parental control solutions, including network devices such as routers, as well as popular Windows applications, Chrome extensions and Android apps. They found that most of them had serious problems regarding the security of personal information, secure authentication and the presence of third parties and known trackers, among other issues.
“I have children myself, and I was considering having some of these tools on their devices,” says Suzan Ali, a master’s student at the Concordia Institute for Information Systems Engineering (CIISE) at the Gina Cody School of Engineering and Computer Science and the paper’s lead author. “I was very surprised when we found that many of them fail to protect the collected child and parent personal information and/or allow an adversary to fully control the parental control solution.”
Ali’s co-authors include fellow CIISE master’s students Mounir Elgharabawy and Quentin Duchaussoy, CIISE associate professor Mohammad Mannan and CIISE professor Amr Youssef.
Flaws in the machine
The researchers identified a long list of problems across mobile and desktop products, browser extensions and network devices. These include weak password policies, insecure backend communication and unprotected data storage.
They noted the following flaws in particular:
The Blocksi parental control router was particularly vulnerable to uploaded malicious firmware. The KoalaSafe Dropbear server is also open to exploitation from threats outside a local network.
Several Android apps — FamiSafe, KidsPlace and Life360 — do not encrypt personal data on shared external storage. That means information such as a parent’s email address, PIN and phone numbers or even a child’s geolocation can be accessed by other apps. Other products that rely on custom browsers to restrict and filter web content do not observe basic safety protocols like HSTS.
Windows applications like Qustodio and Dr. Web use proxy servers that do not properly perform certificate validation and accept revoked certificates. And Chrome extensions Adult Blocker and MateCode Blocker download and run third-party tracking scripts, which can often provide camouflage for malicious scripts.
Mannan believes the security flaws are usually the result of poor design, but the privacy violations are likely deliberate.
“The developers are actually sending private, personally sensitive information to third-party vendors and trackers. Their only job is to collect information and monetize it,” he says. “The person who buys these products does not even know who these third parties are.”
The researchers did approach the companies whose products they found flawed. A few seemed to take their concerns seriously, while others responded with canned answers promising to look into the issues. Some did not bother to respond at all.
“The vendor should put more effort into securing these solutions by conducting regular security audits and having a well-defined process to address vulnerabilities such as responsible disclosure and bug bounty programs,” Ali says.
The researchers recommend parents stay with the safeguards built into the operating systems. They may be basic, but they are effective.
“We found that in general, the more complicated the solution, the more bells and whistles it has, the more information it is lifting.”
The Office of the Privacy Commissioner of Canada Contributions Program partially funded this study.
Read the cited paper: “Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions.”