UW Computer Security Research and Course Blog

Summary

Parental controls on television sets (or on the Internet, or mobile phones, etc.) allow parents to restrict the media to which their children have access to an age-appropriate level. Parental controls allow parents to restrict access to television based on a variety of different factors, including rating, the content that produced the rating (e.g., violence, language, nudity, etc.), and occasionally even the time that the shows are on (no movies after 11:00PM, kids). Of course, sometimes cartoons can get a little raunchy while still technically meeting none of the filter criteria, so parents can also block shows individually.

Assets

Children could be considered the asset most in need of protecting by this system. The goal in protecting this asset would be to keep children from watching things that are deemed inappropriate.

The Parents’ money could also be considered an asset, and the goal would be to limit the children’s ability to purchase pay-per-view shows without the parents consent.

Adversaries/Threats

The Children are perhaps the most obvious adversary, as their goal is to watch R-rated movies and buy boxing matches on pay-per-view. The threat here is that they might overhear the parents mention the password, or look over their shoulder while they are typing it in (for the inevitable occasion when a Disney movie gets blocked overzealously).

Neighborhood kids are a little bit of a stretch, but it is not inconceivable that someone could break into the house (or climb through an open window) during the day and order explicit (read: X-rated) pay-per-view movies on the new HD projector. If the credit card number is stored on the device for easy ordering of movies, it gets even easier…

Weaknesses

Access code: Depending on how old the children (or delinquent neighbors) are, the code to access the blocked content might be a weakness, especially if it is not carefully chosen. This is especially true if the code is short, or if the length of the code maps nicely to a birthday (4 digits, 6 digits).

Storage of content flags: Depending on the device in use, a power outage might erase flags for blocked content, or the device might have a reset button that could achieve the same functionality. Either way, some sort of physical access to the device is required.

System upgrades / new systems: Buying a new system to replace the old one doesn’t necessarily transfer settings and content blocks, which might leave an opening for a determined attacker to watch R-rated movies after bedtime.

Storing credit card numbers: Storing credit card numbers for easy purchasing of movies is good for business, but it also makes it very easy for someone malicious to purchase movies his/her own devious ends.

Defenses

Password complexity: if the system required a password of a certain minimum length and complexity, it could mitigate the usefulness of guessing, and even deter resourceful children from inferring passwords from parents’ birthdays, etc.

Don’t store credit card info: The system could simply not store credit card information, and require that the purchaser type it in every time. On a television, this doesn’t seem very feasible. Another option might be to just charge money to your account to be paid at the end of the month (which makes the most sense from company and user perspective, but doesn’t fix the problem of unauthorized people being able to purchase movies).

Content flags/filters could be stored in hardware that survives power outages (on disk, for instance). This would mitigate the problem of someone unplugging the device and plugging it in again to remove the blocks on content. (This seems to be a very likely implementation choice).

Risks

The potential risk of neighborhood kids breaking in to watch pay-per-view movies while parents are at work can be mitigated pretty easily by closing windows and locking doors, and choosing a reasonable password for blocking content. The likelihood of anyone living next to kids like this is probably small to begin with, and simple steps can be taken to ensure that the house isn’t presented as a likely candidate for intrusion.

The risk of children living in the house is probably much greater. As the children get older, the potential for more complicated trickery to obtain the password and thus be able to watch explicit movies after bedtime increases. Over time, they will gain insight into the system (and perhaps into their parents’ choices of passwords), and they might also notice things like their father buying a new satellite TV box, and intuitively understand that he will forget to turn the parental controls on for at least the first night. There is a good chance that they will take advantage of this. The risk of a child purchase a pay-per-view movie at some point without realizing that it costs his/her parents money is probably very good; however, the cost of these accidents can be minimized by explaining to kids early on what “pay-per-view” means, and by punishing them if they do purchase a movie.

Conclusions

The parental control system is fairly straightforward, and on the whole seems to do a pretty reasonable job of protecting children from things their parents don’t want them to see (or else companies would stop paying engineers money to write access-control software for their systems). Most of the weaknesses in the system require someone have physical access to the device, either to input a code, or to reset the system in some way. It just so happens that the biggest adversaries do, in fact, have physical access to the system. Luckily something as simple as a hard-to-guess password can keep younger children from accessing inappropriate content, and by the time the kids are old enough to use social-engineering techniques to get the password from their parents (or the younger siblings’ babysitter, or the cousin who is spending the night), the necessity of having content-based access-control systems for the television will have probably passed by.