CVE-2023-36621

Vulnerability

The Boomerang Parental Control application for Android, through version 13.83, fails to prevent the child from using the device's Safe Mode to bypass all parental restrictions. Safe Mode disables third-party applications, including the parental control app, allowing the child to either temporarily remove restrictions or uninstall the app entirely without the parents noticing [1][2].

Exploitation

An attacker (the child) requires physical access to the Android device and knowledge of how to boot into Safe Mode. The steps are: reboot the device into Safe Mode (typically by holding the volume down button during boot), then either uninstall the Boomerang app or disable its permissions. No authentication or additional privileges are needed beyond physical access [1].

Impact

Successful exploitation allows the child to completely bypass all parental controls enforced by the app, including screen time limits, content restrictions, and monitoring features. The child gains unrestricted access to the device and can hide the removal of restrictions from parents, as the app may appear to be running normally until the device is rebooted normally [1].

Mitigation

As of the publication date (2023-11-03), no official fix has been released by the vendor. The vendor's website [2] does not mention any update addressing this issue. Parents are advised to monitor device usage closely and consider alternative parental control solutions that are not susceptible to Safe Mode bypass. If a newer version of the app is released, updating may resolve the issue, but no patched version is confirmed.