Popular childcare and care communication programs are “dangerously unsafe,” according to recently published research, exposing children and parents to the risk of data breaches with loose security settings and permissive or completely misleading privacy policies.
The details come from a new report by the Electronic Frontier Foundation (EFF), which published the results of a month-long research project Tuesday.
The research was conducted by Alexis Hancock, EFF’s director of engineering for the Certbot project, found that popular programs like Brightwheel, HiMama, and Tadpoles lacked two-factor authentication (2FA), meaning that any malicious actor who could get a user’s password could log in remotely. Further analysis of application code revealed a number of other privacy-compromising features, including data with Facebook and other third parties, which were not disclosed in privacy policies.
After being contacted by the EFF, Brightwheel carried out 2FA and pretends to be “the first in the early education industry to add this extra layer of security.” HiMama has reportedly said it will hand over the feature request to its design team but has not yet implemented the additional security feature. It is unknown at this time what he will do after leaving the post.
Hancock began researching the privacy and security settings of various nursery applications after being asked to download Brightwheel for the first time enrolling his two-year-old daughter in a nursery. Hancock told The Edge that she initially enjoyed using the app to get updates about her daughter but was worried about a lack of security given the potentially sensitive nature of the information.
“At first there was a lot of comfort in seeing [my daughter] during the day, with the pictures they sent me, ”said Hancock. “Then I looked at the app like, eh, I don’t really see security checks that I would normally see in most services like this.”
With a background in software, Hancock was able to use a range of tools such as Apktoilo and mitmproxy analyzed the application code and researched online calls made by each of the child care apps, and she was surprised to find some easily fixable bugs.
“I found trackers in a few applications. I found a weak security policy, a weak password policy,” said Hancock. Really just low hanging fruit. ”
The new EFF report is not the first to point to serious flaws in reliable applications to keep children safe. For years, researchers have expressed concern about security vulnerabilities in baby monitoring applications and related hardware, with some of these vulnerabilities being exploited by hackers to send messages to children. More broadly, a survey of 1,000 applications likely to be used by children found that more than two-thirds sent personal information to the advertising industry.
Hancock hopes that reporting these privacy and security breaches could lead to better regulation of child-focused programs – yet the findings have worried her.
“It made me feel like a parent, even more scared for my child,” she said. “I don’t want her to have a data breach until she’s five. I’m doing my best to make sure that doesn’t happen. “