

Fabian Densborn and Bernhard Gründling of the SEC Consult Vulnerability Lab recently discovered several security vulnerabilities in popular parental control apps for the Android platform. During their analysis, they found that the parent web dashboards were susceptible to cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks. These vulnerabilities allowed an attacker to bypass the restrictions set by the parents, or even to attack the parents themselves. Additionally, the restrictions imposed by the parents through the Android apps could easily be bypassed by the children, either by removing the necessary permissions in the settings app or by booting the device into Android's safe mode. Since many of these apps collect a lot of private data about children, and some may even store that data in the cloud beyond the reach of the GDPR, the privacy of the surveilled children may be at risk.

The SEC Consult Vulnerability Lab is already in contact with some of the vendors mentioned below through our responsible disclosure process. According to the vendors, the identified security vulnerabilities should be fixed in the near future. We are going to release further technical details through security advisories once those patches are publicly available.

Nowadays, children have access to smartphones or tablets at an early age, or already own their own devices. To block and control access to potentially harmful or non-child-friendly content, or to restrict usage times, parents often install parental control apps on their children's devices.

The goal of this infosec research was to find out whether the apps' users are properly separated from each other, in order to prevent unauthorized third parties from accessing their data or devices. Moreover, we wanted to find out which and how much data is being collected and stored by these apps in general. We examined the information stored on the device and at the app provider (e.g. cloud storage) and paid close attention to the features that enable parental management of the child device. We investigated whether it was possible to circumvent authorization checks so that remote or local attackers could access features of the child devices or gain access to personal information of other users of those applications.

This blog post describes which apps were looked at, the methodology used to analyze them and the identified vulnerability classes. As mentioned above, we currently won't provide detailed technical information, because some applications are still vulnerable to those attacks and some issues might not be easily resolved.

When using parental control apps, parents should be aware that the collected information ends up on the servers of the app vendors, and that a lot of trust is therefore placed in the provider of the software.
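Both child-side bypasses described above (revoking the app's permissions in Settings, or rebooting into safe mode so the app never runs) leave a trace the vendor's backend can see: a status report with missing permissions, or no status report at all. The following is an added example of that server-side check, not code from SEC Consult or from any of the analyzed apps; the agent, its heartbeat format, the required permission list and the sample reports are all constructed for illustration.

```python
"""Server-side tamper detection for a hypothetical parental-control agent (added example)."""
from datetime import datetime, timedelta, timezone

# Permissions the hypothetical child-side agent needs in order to enforce the
# parents' restrictions (constructed list; real apps need different ones).
REQUIRED_PERMISSIONS = {
    "android.permission.PACKAGE_USAGE_STATS",   # screen-time enforcement
    "android.permission.SYSTEM_ALERT_WINDOW",   # blocking overlay
}
MAX_SILENCE = timedelta(minutes=15)  # longest gap between heartbeats we tolerate

def evaluate_heartbeat(report, now):
    """Return a list of findings for one device's most recent status report.

    `report` is the last heartbeat the agent sent: sent_at (aware datetime),
    granted (permission names currently held), admin_active (device-admin flag).
    A missing permission means it was revoked in the Settings app; a stale
    heartbeat is the only signal the backend gets when the agent is not running
    at all, e.g. after the device was booted into safe mode.
    """
    findings = []
    silence = now - report["sent_at"]
    if silence > MAX_SILENCE:
        findings.append(f"agent silent for {int(silence.total_seconds() // 60)} min")
    for perm in sorted(REQUIRED_PERMISSIONS - set(report["granted"])):
        findings.append(f"permission revoked: {perm}")
    if not report["admin_active"]:
        findings.append("device admin deactivated")
    return findings

def evaluate_fleet(reports, now):
    """Map device id -> findings, keeping only devices that need a parent alert."""
    return {dev: f for dev, r in reports.items() if (f := evaluate_heartbeat(r, now))}

# Constructed sample data: three children's devices as seen by the backend.
NOW = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = {
    "child-phone-1": {  # healthy device
        "sent_at": NOW - timedelta(minutes=2),
        "granted": set(REQUIRED_PERMISSIONS), "admin_active": True},
    "child-phone-2": {  # usage-stats permission removed in Settings
        "sent_at": NOW - timedelta(minutes=3),
        "granted": {"android.permission.SYSTEM_ALERT_WINDOW"}, "admin_active": True},
    "child-tablet-3": {  # no heartbeat since a reboot into safe mode
        "sent_at": NOW - timedelta(hours=2),
        "granted": set(REQUIRED_PERMISSIONS), "admin_active": True},
}

if __name__ == "__main__":
    for device, findings in evaluate_fleet(SAMPLE_REPORTS, NOW).items():
        print(device, "->", "; ".join(findings))
```

The alert path (push notification or e-mail to the parent) is left out; the point is that the backend, not the child device, has to be the component that notices the restrictions are no longer enforced.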
