Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords, and to be able to control what websites they can visit and even when they play games? Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app; maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then? We all know that mandated surveillance apps to protect children are a great idea, and that outsourcing to the lowest bidder always delivers the best results. Right? Going over the first and second pentest results, we will share our impressions of the "security" of this ecosystem and show examples of the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all, or show how a simple pentest together with excellent activist work can spark a political discussion and more.
3. Smart Sheriff, Dumb Idea
The wild west of government assisted parenting
presented by:
Abraham Aranguren - @7a_
Fabian Fäßler - @Samuirai
4. We talk about an app
• Background Information
• Smart Sheriff - 1. Pentest Round
• Smart Sheriff - 2. Pentest Round
• Results
• Smart Dream
• Future work
"In the end we hope you share our disbelief"
5. Who are we?
Abraham Aranguren (@7a_) - blog.7-a.org
OWASP OWTF Project leader - owtf.org
abraham@cure53.de
Fabian Fäßler (@samuirai) - smrrd.de
fabian@cure53.de
Cure53 is led by handsome Mario Heiderich (@0x6D6172696F). Bullshit-free pentests, sometimes public:
https://cure53.de/#publications
7. South Korea – Smartphone Usage
Chart: smartphone usage as % of the total population vs. % of the 18-34 year-old population. Source: Spring 2015 Global Attitudes survey, Q71 & Q72.
… the country with the highest Smartphone usage on the planet!
8. South Korea – Child Protection Laws
Article 32, Section 7 of the Korean Telecommunications Business Act (introduced 15.10.2014):
mobile network operators have to provide an adult content filtering service for legal minors
…
9. South Korea – Child Protection Laws
Implementation details, Article 37, Section 8 (introduced 14.04.2015):
Notify children and parents about the features of the blocking
Monthly notification if the blocking means was deleted or had not been operated for more than 15 days
…
10. South Korea – Mandatory apps
Mandatory installation of a surveillance app when the phone is purchased for a teenager.
No opt-out.
12. South Korea – Mandatory apps
Photo: Lee Jin-man/Associated Press
13. Mobile Internet Business Association
(MOIBA)
The Korea Communications Commission (KCC) gave MOIBA USD $2.7 million to create these mandatory apps.
14. Why did we do this?
OpenNet Korea brought this to Citizen Lab
http://opennetkorea.org/
Citizen Lab, Toronto
"Citizen Lab Summer Institute on Monitoring Internet
Openness and Rights 2015“
http://citizenlab.org/
Open Technology Fund supported it
https://www.opentech.fund/
15. MOIBA - Smart Sheriff / Smart Dream
MOIBA created 2 mobile apps:
Smart Sheriff (in scope)
• Smartphone usage restrictions.
• Block apps.
• Usage time restrictions.
• Security: why do you think we are here?
Smart Dream (Nightmare?) (out of scope)
• SMS/Chat and search monitoring for bad keywords.
• Security: wait till the end
16. Smart Sheriff: Parent vs. Child mode
• Operating mode chosen on first usage
• Parent-Mode: Smartphone usage management
• Child-Mode: For filtering and activity monitoring
17. Smart Sheriff: Block phone access
Parents can deny phone
access for certain times
for the child
18. Smart Sheriff: Installed apps
See installed apps on
child’s phone and deny or
enable access to them.
41. Smart Sheriff – Bully API - Fake usage
SMS-01-018
API
No authentication for the child application.
There is a DEVICE_ID as session cookie, but most API endpoints simply accept the phone number to perform updates.
42. Why not? – HTTP Response for Login
root@redstar-os $ curl -X POST http://ssweb.moiba.or.kr/main/ajaxLoginConfirm --data "PNAME=1234&LINKGBN=&PARENTNUM=0102222222"
<script type="text/javascript">
function fn_goMain() {
    if ($("#LINKGBN").val() == "NOTICE") {
        $("#frmCont").attr("action","/board/boardList");
    } else {
        $("#frmCont").attr("action","/main/childList");
    }
    $("#frmCont").submit();
}
// add by his
function fn_goPasswordChange() {
    $("#frmCont").attr("action","/main/passwordChange");
    $("#frmCont").submit();
}
// The failed-attempt counter is templated into the script as a string literal,
// so the branch is already decided server-side: '3' < 5 coerces to 3 < 5 and is true.
if('3' < 5){
    // "You have entered a wrong password 3 times.\nClick 'Find password' below."
    alert('3회 비밀번호를 잘못 입력하셨습니다.\n하단의 ‘비밀번호 찾기’를 클릭하세요.');
}else{
    // "Login is restricted after 5 or more wrong passwords.\nPlease contact customer service (1566-8274)."
    alert('비밀번호 5회 이상 오류로 로그인이 제한됩니다.\n고객센터로 문의해주세요(1566-8274)');
}
$("#PARENT").attr("disabled", false);
$("#INPUTP").attr("disabled", false);
</script>
The AJAX login response returns an HTML <script> tag instead of JSON, XML, ... because … why not? (And, as SMS-01-003 notes, the request went over plain HTTP.)
45. Test and dev. snippets everywhere
Test URLs:
http://api.moiba.or.kr/test/
http://api.moiba.or.kr/aaa/
http://api.moiba.or.kr/aaa2/
…
Example output of such a test page (a4 is a single escaped double quote; a6 reads "aaa Hangul test ....aaa"):
{"a1":"!@#$%^&*()_+","a2":"/","a3":"","a4":"\"","a5":"''''","a6":"aaa한글 테스트 ....aaa"}
46. Big pile of
• XSS
• Unsafe storage of block history on SD card
• Leaking personal data over the API
• SQL Injection in mobile app
• …
Seriously:
https://cure53.de/pentest-report_smartsheriff.pdf
47. CitizenLab approaches MOIBA
• We gave our report to CitizenLab
• CitizenLab was in contact with MOIBA
• MOIBA made some legal threats in the beginning
⇒ Responsible Disclosure
54. Fixed Stuff
• SMS-01-002 Possible Filter-Bypass via unsafe URL check
• SMS-01-003 No use of any SSL/TLS-based transport security
• SMS-01-004 Test-Page leaks Data and App-Internals
• SMS-01-008 Reflected XSS on ssweb.moiba.or.kr
55. Smart Sheriff – How to SSL like a man
SMS-02-008
// WebView: every certificate error (untrusted CA, host mismatch, expired cert)
// is waved through, so the WebView content can be intercepted by anyone on the path.
public final void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError)
{
    paramSslErrorHandler.proceed();
}

// HttpsURLConnection: hostname verification is switched off, so any valid
// certificate for any name is accepted. (Class declaration truncated on the slide.)
implements HostnameVerifier {
    public final boolean verify(String paramString, SSLSession paramSSLSession)
    {
        return true;
    }
}
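The hardened counterpart of the two snippets above, as an added example (it is neither MOIBA's code nor taken from the Cure53 report): a WebViewClient that aborts the load on any TLS error, and an HttpsURLConnection that trusts only a certificate bundled with the app while leaving the platform's default hostname verifier in place. The class names and the bundled resource name are assumptions.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example, not MOIBA's code: what SMS-02-008 should have looked like. */
public final class StrictTls {
    private static final String TAG = "StrictTls";

    /** WebView half: an unverifiable certificate aborts the load instead of being waved through. */
    public static final class StrictWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            // getPrimaryError() is e.g. SSL_UNTRUSTED, SSL_IDMISMATCH or SSL_EXPIRED
            Log.w(TAG, "TLS error " + error.getPrimaryError() + " loading " + error.getUrl());
            handler.cancel();
        }
    }

    /**
     * HttpsURLConnection half: trust only the certificate shipped in the APK
     * (caPem, e.g. res/raw/api_ca.crt, an assumed name) and keep the default
     * hostname verifier, so both checks the app had disabled are back in force.
     */
    public static HttpsURLConnection openPinned(URL url, InputStream caPem) throws Exception {
        if (!"https".equals(url.getProtocol())) {
            throw new IllegalArgumentException("refusing cleartext URL: " + url);
        }
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caPem);

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                 // empty store: system CAs are NOT trusted
        trust.setCertificateEntry("pinned", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no conn.setHostnameVerifier(...): the default verifier matches the
        // certificate's SAN/CN against url.getHost(), which is exactly what "return true" removed.
        return conn;
    }
}
```

Two remarks: not overriding onReceivedSslError at all has the same effect, because WebViewClient's default implementation already calls cancel(); and on Android 7.0+ the pinning and the cleartext ban can be declared instead of coded, via a Network Security Configuration with a pin-set and cleartextTrafficPermitted="false".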
56. Smart Sheriff – Bully API v2.0
SMS-02-009
http://api.moiba.or.kr/MessageRequest
https://api.moiba.or.kr/MessageRequest_New
• New endpoint introduced
• Old endpoint never deprecated – MOIBA lied
59. Smart Sheriff – Bully API
SMS-02-009
API
Guess what happened using a different User Agent :D
60. Smart Sheriff – Bully API v2.0
SMS-02-010
API
No authentication for the child application.
You can still fake the phone usage (e.g. make the parent believe the kid installed a p0rn app).
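Slides 41 and 60 (SMS-01-018, SMS-02-010) describe the same defect in both rounds: the child-side API takes a phone number from the request and updates that child's record, so anyone can report fake usage for any number. Below, as an added example that is neither MOIBA's nor Cure53's code, a minimal server-side model of such an endpoint next to a version that derives the identity from a server-issued session. The field names PHONE and APP, the token format and the sample numbers are assumptions; the real parameter names are not on the slides.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example, not MOIBA's code: the flaw behind SMS-01-018/SMS-02-010 and its fix. */
public final class UsageReportApi {
    /** Constructed sample state: phone number -> last app reported for that child. */
    final Map<String, String> lastReport = new HashMap<>();
    /** Server-issued opaque token -> phone number it was issued to. */
    private final Map<String, String> sessions = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    // --- As found: whoever names a phone number in the body updates that child's record ---
    public boolean reportUsageUnauthenticated(Map<String, String> form) {
        String phone = form.get("PHONE");          // attacker-controlled (assumed field name)
        if (phone == null) return false;
        lastReport.put(phone, form.get("APP"));    // the parent now sees whatever was claimed
        return true;
    }

    // --- Hardened ---------------------------------------------------------------

    /**
     * Enrolment: after the device has proven possession of the number once (e.g. an
     * SMS code checked elsewhere), it receives a random, unguessable session token.
     * A static DEVICE_ID is an identifier, not a secret, and must not play this role.
     */
    public String issueSession(String verifiedPhone) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, verifiedPhone);
        return token;
    }

    /**
     * The phone number comes from the session. A PHONE field in the body is at best
     * redundant and, if it disagrees with the session, a forgery attempt.
     */
    public boolean reportUsageAuthenticated(String bearerToken, Map<String, String> form) {
        String phone = bearerToken == null ? null : sessions.get(bearerToken);
        if (phone == null) return false;                                               // 401
        if (form.containsKey("PHONE") && !phone.equals(form.get("PHONE"))) return false; // 403
        lastReport.put(phone, form.get("APP"));
        return true;
    }

    public static void main(String[] args) {
        UsageReportApi api = new UsageReportApi();

        Map<String, String> forged = new HashMap<>();       // constructed request
        forged.put("PHONE", "01012345678");                 // victim's number (made up)
        forged.put("APP", "p0rn app");
        System.out.println("unauthenticated forgery accepted: "
            + api.reportUsageUnauthenticated(forged));

        String token = api.issueSession("01087654321");     // attacker's own enrolled device (made up)
        System.out.println("authenticated forgery accepted: "
            + api.reportUsageAuthenticated(token, forged));

        Map<String, String> own = new HashMap<>();
        own.put("APP", "chess");
        System.out.println("own report accepted: " + api.reportUsageAuthenticated(token, own));
        System.out.println("report without token accepted: " + api.reportUsageAuthenticated(null, own));
    }
}
```

The point is the lookup direction: the server maps a secret it issued to an identity, never a client-asserted identity to a record. Any endpoint that still accepts the number as the only "credential" (the old MessageRequest path on slide 56 included) leaves the bully API open no matter how many new endpoints are added beside it.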
61. Round 2 - Summary
• They fixed what matters to them (internal dev leaks)
• They did not fix what affected their users (information leaks, no authentication)
Seriously:
https://cure53.de/pentest-report_smartsheriff-2.pdf
75. Smart Sheriff / Cyber Safety Zone
• MOIBA didn't deprecate the API
• MOIBA renamed the app
• MOIBA is trying to hide the issues
But what is up with Smart Dream?
77. Smart Dream Nightmare
• Parent-Mode: Check messages and searches containing dangerous words
• Child-Mode: Monitoring SMS/KakaoTalk and Google searches; installs as an accessibility service
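An accessibility service is how a third-party app gets to read KakaoTalk messages and search boxes it does not own, so the first check on a teenager's phone is: which enabled accessibility services can retrieve window content? The following is an added example, not Smart Dream's or Cure53's code; it assumes an Android app with a Context and uses only the public AccessibilityManager API.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

/** Added example: enumerate which apps may read the screen on this device. */
public final class AccessibilityAudit {

    /** One enabled accessibility service and the capabilities that matter for monitoring. */
    public static final class Entry {
        public final String component;       // "com.example.pkg/.MonitorService" form
        public final boolean canReadScreen;  // may retrieve window content (what a keyword monitor needs)
        public final boolean filtersKeys;    // may observe key events (what a keylogger needs)

        Entry(String component, boolean canReadScreen, boolean filtersKeys) {
            this.component = component;
            this.canReadScreen = canReadScreen;
            this.filtersKeys = filtersKeys;
        }

        @Override
        public String toString() {
            return component
                + (canReadScreen ? " [reads window content]" : "")
                + (filtersKeys ? " [filters key events]" : "");
        }
    }

    /** Every accessibility service the user has switched on, with its declared capabilities. */
    public static List<Entry> enabledServices(Context ctx) {
        List<Entry> out = new ArrayList<>();
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return out;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            int caps = info.getCapabilities();   // API 18+
            out.add(new Entry(
                info.getId(),
                (caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
                (caps & AccessibilityServiceInfo.CAPABILITY_CAN_REQUEST_FILTER_KEY_EVENTS) != 0));
        }
        return out;
    }
}
```

Without writing any code, `adb shell settings get secure enabled_accessibility_services` prints the same colon-separated list of enabled service components from a connected device.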
79. Responsible Disclosure?
• MOIBA lied to customers about security fixes.
• Simply rebranding Smart Sheriff (still vulnerable) - And our
reports are public
• How can we protect the privacy of the children when MOIBA doesn't fix anything that was disclosed in private?
⇒ We will not disclose technical details.
Any research was done with our own test accounts.
82. The Most Offensive Slide :O
The 1086 "harmful" words that are monitored by Smart Dream
83. Another big pile of
• XSS
• Lack of Authentication and Authorization
• Accessing stored messages and searches
• …
84. A note for reflection
• Take a step back
• Imagine these apps were magically 100% secure
• Would you trust any company or government...
• ... to have a database with all that information?
85. What's next?
If you know Korean security researchers, journalists or activists, raise awareness.
→ Korean society has to deal with these issues
Have a look at the other child protection applications and relay results to human rights organizations.
→ perfect project for a university class
Support organizations like OpenNet Korea, CitizenLab, Open Technology Fund, EFF, …
86. I've learned how virtualization works by hiding p0rn inside VMWare in the early 2000s (and never got busted).
88. Other Korean Child Protection Apps
• SKTelecom: https://play.google.com/store/apps/details?id=com.skt.thug.hazard&hl=ko
• KT Corporation: https://play.google.com/store/apps/details?id=com.kt.ollehkidsafe&hl=ko
• LG U+: https://play.google.com/store/apps/details?id=com.lguplus.cleanmobile&hl=ko
• …
89. Reports
• [20 September 2015] Are the Kids Alright? Digital Risks to Minors from South Korea's Smart Sheriff Application - https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff/
• [1 November 2015] The Kids are Still at Risk: Update to Citizen Lab's "Are the Kids Alright?" Smart Sheriff report - https://citizenlab.org/2015/11/smart-sheriff-update/
• [21 September 2015] Submission to the 113th Session of the UN Human Rights Committee for Fourth Periodic Report of the Republic of Korea - http://opennetkorea.org/en/wp/wp-content/uploads/2016/03/INT_CCPR__KOR_OPEN_NETSmart-Sheriff.pdf
90. Some News Articles
• [19 May 2015] Don't text 'beer' in Korea: Words that trigger teen alerts - http://www.japantimes.co.jp/news/2015/05/19/asia-pacific/dont-text-beer-korea-words-trigger-teen-alerts/
• [16 June 2015] South Korea provokes teenage smartphone privacy row - http://www.bbc.com/news/technology-33091990
• [21 September 2015] Smart Sheriff child surveillance app leaves South Korean kids vulnerable to hackers - http://www.cbc.ca/news/technology/smart-sheriff-1.3236682