This is part of my 38 Before 38 series. Where I will write a blog post everyday for the 38 days leading up to my 38th birthday.
In cyber-security circles there is a term for really dangerous attackers: Advanced Persistent Threats. Or APTs for short. Current industry convention dictates that this term be reserved for State actors, and large-scale criminal organization. However there one more type of “malicious actor” that nobody seems to consider.
They are always looking to bypass security of our devices. They can, and will, devote an immense amount of time and effort to do so. They have easy physical access as well. And worst of all you have no legal recourse in case of any harm.
I am talking of our children. Specifically, I am talking toddlers and young children under 10. And while consumer tech companies have implemented some measures to counter State persecution, they have made it a lot more difficult to counter their attack vectors.
Today I will list some of what these vectors are, and what design oversight has lead to dire consequences for parents, beyond mere annoyance.
Face to face
Apple’s FaceID might be one of the worst security features in practice. Facial unlock seems like a no-brainer when compared to fingerprint unlock. There are numerous usability advantages. The “entropy” is higher, so the encryption security is stronger. Especially as implemented by Apple.
However, it is functionally insecure. If you are being picked up by any given police state for protesting, they can just point the phone at your face. And this is what children do as well. Parents may relaxing, watching TV, praying, or doing any activity/chore that requires their focus. Your child will take your phone and just point at your face.
The children may use the same techniques to approve purchases, unlock blocked apps, etc. As a security measure, it is easily defeated. A total design failure. Of course, most toddlers at least can’t really wreak much havoc on your device. Since they are not deliberate. Which is a lot less than I can say about our next attack vector.
Locked in
A few weeks ago, my son picked my father-in-laws phone. He saw a lock-screen notifications for his preferred messaging app(it was WhatsApp). And he decided to use the reply-via-notification feature to send “No” to everyone. This included in response to a very import business deal.
Fortunately, he was able to salvage the situation. The phone in question is again iPhone. Android, at least on version 14, requires you to unlock the phone to use this feature. This issue also exists on iPads, and for messaging apps, like messenger and iMessage. It is on by default, but you have long-press to activate it.
An average iPhone user might not even know this feature is on. And you have to go through hoops to turn it off.
You might be thinking this is just an Apple problem. It is not.
Family Ties
The biggest cybersecurity concern for a parent is not protection from their children. It is to protect their child from these devices. This is one thing Apple does really well. The family organization, the privilege management for children, content blocking, etc. All work perfectly.
We setup an iPad with a child account for our son. It was smooth, and worked perfectly until the device stopped working. Apple can improve this experience by allowing multi-user support on the tablets at least. Otherwise, perfect.
This is not the case for Google at all. The only reason to create a Google account is Youtube. You can create restrictions for Youtube kids and have them apply to any device. Except it does not. The account and content restrictions do not transfer to all versions of the App. The setting on your Google TV will not be applied to your phone. Even the ones you set-up are easily bypassed and might as well not exist. I might write about how they are bypassed but I still don’t know. My son just figured them out.
Speaking of TVs…
Smart Idiot Box
Phones aren’t the only consumer tech in a modern household. TV’s are more or less shitty computers. They have apps, OS and network connectivity. They are also awful at basic security. We have Samsung and a Google TV.
The Samsung TV has a pretty intuitive app lock feature. Except it can be easily bypassed going to the Apps section, coming back, and access the blocked app in the recent section.
The Google TV is even worse. There is no App Lock feature. You can protect you Google profile with a pin. But anyone can just remove your account from the select screen. You can add it back, but you would have to enable the lock again, which is buried in menus.
And it is all useless, since the child will just press the “recent app” button, and access any app through that.
A Way Out
These are not the only security threats posed by children. But I am way past the 300 word minimum. Being a parent is a full-time job, no matter what your state GDP numbers say. And there should be an element of pride when children manage to break the barriers you have setup in creative ways.
However, there are real world consequences sometimes. And tech companies should take this into account.