Popular communication applications for daycare centers and kindergartens are “dangerously insecure”, according to a newly published study, exposing children and parents to the risk of data breaches through weak security settings and permissive or outright misleading privacy policies.
Details come from a new report by the Electronic Frontier Foundation (EFF), which published the results of a one-month research project on Tuesday.
The study, conducted by Alexis Hancock, EFF’s director of engineering for Certbot, found that popular applications such as Brightwheel, HiMama and Tadpoles do not have two-factor authentication (2FA), which means that any malicious actor who has managed to obtain a user's password can log in remotely. Further analysis of the applications’ code revealed a number of other privacy-compromising features, including sharing data with Facebook and other third parties that were not disclosed in the privacy policies.
After contacting EFF, Brightwheel implemented 2FA and claims to be “the first in the early education industry to add this extra layer of security.” HiMama reportedly said it would submit the feature request to its design team, but has not yet implemented the additional security feature. It is unknown whether Tadpoles intends to implement 2FA.
Hancock began researching the privacy and security settings of various daycare applications after being asked to download Brightwheel when enrolling her two-year-old daughter in kindergarten for the first time. Hancock told The Verge that she initially liked using the app to receive updates about her daughter, but was worried about the lack of security given the potentially sensitive nature of the information.
“In the beginning, it was very comfortable to see [my daughter] during the day, with the images they sent me,” Hancock said. “Back then, I looked at the app as, well, I don’t really see the security controls I’d normally see in most services like this.”
With experience in software development, Hancock was able to use a number of tools, such as Apktool and mitmproxy, to analyze the applications’ code and to investigate the network calls made by each of the childcare applications, and she was surprised to find a number of easily correctable errors.
“I found trackers in several applications. I found a weak security policy, weak password policies,” Hancock said. “I found vulnerabilities that were very easy to fix while going through some of the applications. Really just low-hanging fruit.”
The new EFF report is not the first to draw attention to serious shortcomings in applications that are trusted to protect children. For years, researchers have expressed concerns about security vulnerabilities in baby monitor applications and related hardware, with some of these vulnerabilities being exploited by hackers to send messages to children. More generally, a study of 1,000 applications likely to be used by children found that more than two-thirds sent personal information to the advertising industry.
Hancock hoped that reporting these privacy and security gaps could lead to better regulation of child-centered applications, but she was concerned.
“It made me feel even more scared for my child as a parent,” she said. “I don’t want her to have a data breach before she’s five. I’m doing my best not to let that happen.”