Child Tracker App uKnowkids Data Leak Exposed Weak Database

uknow-breachThe world of cyber security is faced with yet another irony.

Such is the case with uKnowkids, a “digital parenting” app by a Virginia-based company that vows to provide superior online protection to its clientele. The app is designed to track a child’s digital footprint—from online activities to social media behavior—in an effort to protect children from online predators. The irony is, this promised cloak of protection was recently put to the test after the company was hit by a data breach.

Security researcher Chris Vickery discovered that a “misconfigured MongoDB installation” led to the exposure of a company database comprised largely of data from a myriad of Android and iPhone devices. The data includes 1,700 children’s profiles collected from Android and iPhone devices. The exposed profiles included names, email addresses, social media credentials, GPS coordinates, dates of birth, almost 7 million private text messages, and nearly 2 million photos, including those of the account owners’ children. Prior to discovery, the database was said to have already been exposed for at least 48 days before it was found, reported, and immediately taken down.

uKnow and uKnowkids CEO Steve Woda confirmed the said leak in a signed statement in which he said, “It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.

While complete details of the occurrence have not been divulged yet, Woda shared facts referencing to the occurrence, detailing that the database vulnerability has been patched 90 minutes after its discovery. “We have been locking down on the facts over the last few days with a forensics analysis of ALL uKnow systems, and we plan to disclose ALL of the relevant facts to our customers, the media, and the appropriate legal authorities as soon as we are confident that our facts are 100% accurate.”

In his statement, Woda shared that the compromised database leaked not just “0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone,” but also a significant chunk of the company’s “business data, trade secrets, and proprietary algorithms developed to power some of uKnow’s most important technology.”

He furthered that the two IP addresses that breached their private database in two different instances belonged to Vickery in Austin, Texas, whom he refers to as a “white-hat hacker”, though a confirmation has yet to be released. He continued, “Mr. Vickery downloaded uKnow's database starting at 3:45am CT on Wed Feb 17, 2016) and ending at 3:55am CT on Wed Feb 17, 2016. Twelve minutes after the final breach from IP address 209.144.254.123 and after taking screenshots of our intellectual property, business data, and customer data, Mr. Vickery notified uKnow of his breach of our private systems.”

This fired up a heated exchange between Woda and Vickery—opening a dispute extrapolating the former’s disregard of sensitive client information by its inability to provide any level of authentication in one of its databases and the latter’s “benign intentions”.

Woda shared that the company has sought consultation with the Federal Trade Commission on the next appropriate steps to be undertaken on the subject matter, reiterating its astute compliance to the regulations put forth by the Children Online Privacy Act (COPPA). COPPA requires businesses like uKnowkids to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children,” a rule that Vickery claims that the company has apparently violated.

In a statement, he notes, “As the use of 'Child Tracking' software applications and services continues to grow in popularity, this is big a wake up call to the entire industry to secure, encrypt, and protect the information they collect on children.”

An incident involving the child of Woda’s brother, wherein the child was victimized by an online predator, serves as the impetus for the creation of the child tracker app. It is aimed at creating an open communication with parents and their children on the perils that come with exposure on the Internet—“to start a conversation with their kids about digital citizenship and responsible behaviors online”. Making itself known as an added layer of protection for children, the company emphasizes that it is not a form of spyware.

Ironically, uKnowkids received questions on the presence of an option on parents to “hide” the app from the child’s device, contrary to the set ideals of creating transparency between the parent and the child. The terms and conditions stipulated in the app have also received flak as it has claimed no liability on cases of data loss, one that new members readily agree upon.

Not more than two months ago, the VTech  breach made news after threat actors clawed out names, birthdays, account information, and over 190 GB of photos from its application database. On December 24, the company’s updated terms and conditions got the ire of consumers and security experts after transferring blame and liability on customers in cases of damaging data loss with the addition of a line that says, “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”

The line of flaws and data breaches involving children’s information does not stop with this massive breach. In the same month of the VTech hack, Mattel’s Hello Barbie was discovered by researchers to have a flaw that could potentially allow threat actors to sniff on communications between the toy and servers it is linked to. At the onset of this month, another researcher uncovered a vulnerability involving Mattel’s Fisher-Price brand’s Smart Toy Bear.

As of this writing, Woda states that customers of the app have already been properly notified, and security measures have been added to new customers. While no in-depth details have been shared publicly, the company assured reinforcing practices and steadfast security measures to protect its customers.

We believe that protecting a child's digital identity is just as important as protecting a child's Social Security Number or other sensitive information. The potential for abuse or safety risks involved with the unsecured data collection of children is a nightmare that no parent ever wants to be faced with,” Vickery shared in a statement.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.