Security researcher Robert Wiggins recently uncovered a serious security issue in the TeenSafe “secure” monitoring product for Android and iOS platforms.
The app allows users (typically parents) to monitor devices (typically their children’s) to view location, text messages, calls, browsing history, and more.
TeenSafe claims the technology can and will help protect your child. There is a debate among privacy advocates and parents about whether this type of monitoring is acceptable, but for our analysis today, let’s just roll with the idea that the app is intended to keep children safe.
What Robert found was that publicly available services were leaking information about TeenSafe accounts. Once notified, TeenSafe took down the affected services for analysis.
When Robert found the leak, he wasn’t assessing the security of TeenSafe directly. Rather, he was searching for misconfigurations in AWS across the web when he found the TeenSafe servers. The misconfigurations highlighted are not exclusive to TeenSafe and can be found easily by attackers who may not be targeting a specific company.
From what we know, there are three key points as to why the data was at risk:
This combination of factors gives an attacker all the information required to impersonate a child and access their account. An attacker may not be able to obtain device content directly from the exposed servers, but using the obtained credentials, they most certainly can get some forms of sensitive data directly from Apple.
All the factors that contributed to this data being exposed could have been avoided.
First, user credentials for authenticating to another service shouldn’t be stored in plaintext, or even stored at all if possible. It’s typical for systems to use credentials to authenticate to a service, then receive an access token of some sort (e.g., a cookie or OAuth access token) in return. This token can be encrypted and stored instead of the user’s credentials, reducing the impact if exposed. If the service does not provide an API that does this, it may be necessary to authenticate using user credentials each time the system interacts with the service, although this is far from ideal. In this case, TeenSafe could have stored the credentials after encrypting them using an HSM-backed cryptographic key (e.g., AWS CloudHSM).
Second, administration/monitoring consoles such as Celery Flower should not be publicly accessible, especially without authentication. Ideally, TeenSafe would have used some form of firewall or AWS Elastic Load Balancer to restrict access to this portal, unless the visitor was accessing from a location internal to TeenSafe. Furthermore, a proxy can be configured to authenticate a user before providing access to data. There’s no reason that this data should have been exposed to the internet in the way it was.
Finally, if TeenSafe was using Celery for task management, they should have ensured that appropriate security measures were in place, such as using TLS and strong credentials.
Overall, regardless of the privacy stance we hold, it’s clear that if we handle this type of data, we must take significant care when doing so. TeenSafe is marketed as helping protect children online, but what if an attacker can access children’s photos in iCloud owing to a monitoring product their own parents set up?
If a child sends an inappropriate message to another child, there is a chance that the recipient will expose that message, whether deliberately or inadvertently. But if that message is automatically sent to (or through) a remote server, the attack surface is now even bigger. Instead of the data residing in potentially three places (sender’s phone, receiver’s phone, Apple servers), it may also be stored or obtainable via server storage, network traffic, or logs. And in the case of TeenSafe, user credentials were being stored not only in an publicly accessible system but also in plaintext.
Regardless of whether it’s acceptable to perform such monitoring, this type of information processing is about as sensitive as it gets. It affects real human lives and the lives of children, and a data compromise may have disastrous effects.