Kids' Photos and Locations Leaked by Family Snooping App Spyfone
Protect your child's data
Spyfone is an app designed for parents to spy on their kids’ phones. It claims on its website to be the world’s number one parental monitoring software.
And it apparently has very little regard for the data that it stores about the kids who are being spied on.
A researcher located an Amazon S3 bucket -- a form of online storage -- with no security at all. The bucket contained selfies, text messages, location data, and audio files from the phones of people whose devices are being watched by Spyfone.
It’s logical to assume that most of the people affected by this leak would have no idea that their data was being snooped on in the first place, making it extremely alarming.
Motherboard was able to check that the breach existed by signing up for Spyfone and taking photos. Shortly afterwards, the researcher, who wanted to remain anonymous, was able to retrieve the photos from the open Amazon S3 bucket and send them back.
Spyfone Data Laid Bare
The enormous Spyfone cache appears to contain thousands of unencrypted photos from the phones of more than 2,000 devices running Spyfone on iOS or Android.
Files available in the bucket also include more than 44,000 email addresses. These aren’t just email addresses from user accounts; they seem to also include people who the spied-on phones had contact with.
Unbelievably, it doesn’t stop there. Spyfone allegedly has absolutely no security on its back-end systems. Motherboard’s researchers were able to create their own accounts and find lists of users by altering URLs.
This situation proves the risk of using any monitoring software on a family member’s device. In some cases, the users who installed Spyfone would be concerned, privacy-conscious parents who felt that, for whatever reason, they needed to keep an eye on what their kids were up to on their phones. But software like this can also be used to spy on adults: ex-partners, employees, victims of abuse.
Should You Spy On Your Kids?
Even if you believe that so-called personal or consumer spyware like Spyfone is necessary and ethical, this data breach makes it very difficult to defend its use in the real world.
The fact that a company can collect so much data -- much of it extremely sensitive -- and then place it on a publicly-accessible service is almost unbelievable, particularly since Spyfone is a paid service -- and not a cheap one at that.
If Spyfone has been so sloppy as to allow this data to build up in an unprotected S3 storage instance, one has to wonder whether they put any effort at all into protecting their customers against hackers.
Protecting Your Child’s Data
Giving your children electronic devices is risky. From connected toys to rogue apps, there is always a chance that their data won’t be protected with the rigor you’d expect.
Any device that your child owns should have location services turned off. And parents should be wary of well-intentioned GPS tracking devices that often have a very lax approach to storing location data.
When it comes to the use of a phone, spyware is a controversial tool at the best of times, but this incredible cache of unsecured data proves that you may not be the only person spying on your kids.