Tech

uKnowKids child tracker firm in row with security researcher

Is the tide going against white-hat researchers -- or are they going too far in their crusades?

Written by Charlie Osborne, Contributing Writer Feb. 23, 2016 at 5:43 a.m. PT

Child activity tracker uKnowKids is embroiled in a row with a MacKeeper researcher who infiltrated the company's servers to highlight security vulnerabilities.

While uKnow says it does not approve of the hacker's methods to break into a private database "repeatedly" for the "public good," MacKeeper security researcher Chris Vickery said uKnowKids.com violated the Children's Online Privacy Protection Act (COPPA) by not ensuring security was up to scratch.

In total, over 6.8 million private text messages, nearly 2 million images and over 1,700 detailed child profiles -- containing first and last names, dates of birth, GPS information and social media account credentials, among other data sets -- was exposed, according to Vickery.

In a blog post, Vickery said that a "database error" was at fault, as the database was configured for full public access, and required no "level of authentication or password and providing no protection at all for this data."

When a company stores data related to children, COPPA, established by the Federal Trade Commission (FTC), requires them to "establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children."

However, Vickery says that in uKnow's case, this was not being achieved.

UKnowKids, bound by the COPPA agreement, offers a platform for parents to monitor their children's activities across the Internet and social media networks. Naturally, when kids and their data are involved in today's data breaches, things become very, very serious.

Vickery claims that in a telephone conversation, uKnowKids CEO Steve Woda "tried all manner of intimidation tactics" on the researcher, in what he believes was a way to try and hush up the situation, despite having previously been grateful for being alerted to the security issue.

Vickery said:

"Woda repeatedly insisted that I have acted inappropriately in my response to discovering and alerting his company to the gaping breach.
Furthermore, he tried to convince me that an outlet reporting on the breach could face liability under COPPA (a claim which is, of course, preposterous)."

It seems Woda may have been concerned about the reputation hit uKnow would suffer should the database issue be made public. The executive allegedly told the researcher "you could easily put us out of business if we are not provided the opportunity to comprehensively deal with this appropriately," and while Vickery had no interest in bringing the firm to its knees, he noted that information revealed by the Shodan search engine related to the database shows the problem was active for at least 48 days.

The blog post resulted in Woda responding to these allegations through the company's blog.

The executive said the database was "repeatedly breached" by the researcher using two different IP addresses on 16 and 17 February, 2016. Woda says the vulnerable database included "customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow's most important technology," and the security error did not expose financial information or unencrypted passwords -- but data belonging to approximately 0.5 percent of kids registered on the website was public.

Security

Woda did thank the researcher for his quick, proactive notification of the flaw, despite "not approve of his methods because it unnecessarily puts customer data and intellectual property at risk," but the "vulnerability" was patched within 90 minutes of the alert.

"uKnow's demand for Mr. Vickery to delete ALL copies of uKnow's database was obviously driven by our desire to protect our uKnowKids customers, but also to fully comply with COPPA requirements," Woda says.

"Mr. Vickery obviously did not and does not have authorization to explore, copy, or control this private child data (or uKnow's intellectual property), and we expect him to comply with our requests immediately."

uKnowKids places doubt on the "benign" intentions of the researcher, and while the firm may be spending time doing background checks on Vickery, the company is still taking the security issue seriously -- having hired two security companies to test online systems and resolve any further issues.

"The lesson to learn here is that, if you're a parent, be wary of services that offer to monitor your child's online behavior," Vickery concluded. "These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people."