SlideShare una empresa de Scribd logo

Smart Sheriff, Dumb Idea, the wild west of government assisted parenting

Abraham Aranguren
Abraham Aranguren

Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games? Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved into the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then? We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right? Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.

Tecnología
1 de 112
Descargar para leer sin conexión
Smart Sheriff,
Smart Sheriff, Dumb Idea
Smart Sheriff, Dumb Idea The wild west of government assisted parenting presented by: Abraham Aranguren - @7a_ Fabian Fäßler - @samuirai
A story about a Korean law… • Some background information • Case MOIBA: Smart Sheriff, Smart Dream • Case mobile operators: KT, LGU, +SKT • What now? „In the end we hope you share our disbelieve“
Takeaways from this talk • Insight into South Korean culture and politics • Some basics in Android reversing • Difficulties with the ethics of disclosing issues
Who are we? Abraham Aranguren (@7a_) - blog.7-a.org OWASP OWTF Project leader - owtf.org abraham@cure53.de 
 Fabian Fäßler (@samuirai) - smrrd.de 
 Student at TU Berlin fabian@cure53.de Cure53 is led by handsome Mario Heiderich (@0x6D6172696F).
 Bullshit free pentests, sometimes public ☺ https://cure53.de/#publications
Why did we do this? OpenNet Korea brought this to Citizen Lab http://opennetkorea.org/ Citizen Lab, Toronto "Citizen Lab Summer Institute on Monitoring Internet Openness and Rights 2015“ http://citizenlab.org/ Open Technology Fund supported it https://www.opentech.fund/
Once upon a time… … in a country far far away.
South Korea – Smartphone Usage % Total population % 18-34 y/o population Source: Spring 2015 Global Attitudes survey. Q71 & Q72. … the country with the highest Smartphone usage on the planet!
South Korea – Child Protection Laws Article 32, Section 7 of Korean Telecommunications Business Act mobile network operators have to provide adult content filtering service for legal minors … Introduced 15.10.2014
South Korea – Child Protection Laws Article 32, Section 7 of Korean Telecommunications Business Act mobile network operators have to provide adult content filtering service for legal minors … Introduced 15.10.2014 
 Introduced 14.04.2015 Implementation Details Article 37, Section 8 Notify children and parents about features of the blocking Monthly notification if the blocking means was deleted or had not been operated for more than 15 days …
South Korea – Mandatory apps Mandatory installation of a surveillance app when the phone is purchased for a teenager.
South Korea – Mandatory apps Mandatory installation of a surveillance app when the phone is purchased for a teenager. No opt-out.
South Korea – Mandatory apps Photo: Lee Jin-man/Associated Press
Mobile Internet Business Association (MOIBA) The Korean Communications Commission (KCC) gave MOIBA USD $2.7 million to create these mandatory apps
MOIBA - Smart Sheriff / Smart Dream MOIBA created 2 mobile apps Smart Sheriff
 (mandatory) Smart Dream
 (additional service)
Alternative Korean Child Protection Apps • KT Corporation: https:// play.google.com/store/apps/details? id=com.kt.ollehkidsafe • SKTelecom: https:// play.google.com/store/apps/details? id=com.skt.thug.hazard • LG U+: https://play.google.com/ store/apps/details? id=com.lguplus.cleanmobile
Smart Sheriff: Parent vs. Child mode • Operating mode chosen on first usage • Parent-Mode: Smartphone usage management • Child-Mode: For filtering and activity monitoring Parent Child
Smart Sheriff: Block phone access Parents can deny phone access for certain times for the child
Smart Sheriff: Installed apps See installed apps on child’s phone and deny or enable access to them.
Smart Sheriff: Websites Manage/Block access to websites. Implemented in the app, but not usable by parent.
Sensitive Data – Smart Sheriff (+others) • Family Association (Parent – Child) • Children‘s names, birthdays • Installed apps and usage statistics 
 (time browsing or playing games) • Visited/Blocked URLs Smart Dream • Private SMS and KakaoTalk messages (!)
Round 1 – Setup Challenges
Language Barrier WTF DOES THIS?
unpack, translate, repack with apktool http://ibotpeaches.github.io/Apktool/ Language Barrier
http://ibotpeaches.github.io/Apktool/ unpack, translate, repack with apktool Language Barrier
Unfortunately … strings.xml is not enough for a app because WebViews Language Barrier
Language Barrier … Google Translate
  
   move-result-object v0   const-string v1, "SAMU"   invoke-static {v1, v0}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I private static final String TAG = "SAMU"; Log.i(TAG, result); Debugging Patching debug messages in smali code for logging
Round 1 – Shoot
String url = "http://ssweb.moiba.or.kr/pushAlarm"; WebView webview = (WebView)findViewById(0x7f070000); webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); webview.postUrl(url, obj); var String = window.jsinterface.getSomeString(); // window.jsinterface.getClass().forName('java.lang.Runtime') RCE with insecure WebView Accessing Java methods from JavaScript in Android 2.4 to 4.1 SMS-01-001 https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614 https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
String url = "http://ssweb.moiba.or.kr/pushAlarm"; WebView webview = (WebView)findViewById(0x7f070000); webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); webview.postUrl(url, obj); What is SSL? SMS-01-003
String url = "http://ssweb.moiba.or.kr/pushAlarm"; WebView webview = (WebView)findViewById(0x7f070000); webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); webview.postUrl(url, obj); What is SSL? SMS-01-003
Smart Sheriff – SSL v2.0 Fast forward to the fix…
https://api.moiba.or.kr/MessageRequest_New Smart Sheriff – How to SSL like a pro They switched to SSL for real O.o ? SMS-01-003 No use of any SSL/TLS-based transport security FIXED?
Smart Sheriff – How to SSL like a pro SMS-02-008 public final void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) { paramSslErrorHandler.proceed(); } implements HostnameVerifier { public final boolean verify(String paramString, SSLSession paramSSLSession) { return true; }
SMS-01-005 "]5ZWSVAB5]" "05555215554" • But SSL is not necessary, when you do your own crypto Layer… moibagtwigsystemsfightinghhhkkkkok
moibagtwigsystemsfightinghhhkkkkok SMS-01-005 "]5ZWSVAB5]" "05555215554" XOR Key: mx00oibagtwx00igsystex00msfightx00inghhhkx00kkkok
Smart Sheriff – Crypto v2.0 Fast forward to the fixes…
"+yld3N...aVIjqteA==„ { “action”:”CLT_MBR_GETCL... "MOBILE":"3ZP[QVDC6]UK@JC", "DEVICE_ID: ... } moiba1cybar8smart4sheriff4securi SMS-01-012 • MOIBA added more crypto…
"+yld3N...aVIjqteA==„ { “action”:”CLT_MBR_GETCL... "MOBILE":"3ZP[QVDC6]UK@JC", "DEVICE_ID: ... } moiba1cybar8smart4sheriff4securi SMS-01-012 • Useless AES layer with static key
API Design SMS-01-012 request="+yld3N...aVIjqteA==" { "action":"CLT_MBR_GETCL... "MOBILE":"]5ZWSVAB5]", "DEVICE_ID: ... } "05555215554" {"SYNC_APP_LIST": {"BLCK_ACT_DIVN":[], ... "CHILD_BIR_YMD":"20050105", "CHILD_BLCK_GRADE":"2","PAS SWORD":"****","DIVN":"CHILD "}} Fail SSL Request Response
SMS-01-018 STORY TIME!
SMS-01-018
SMS-01-018
Smart Sheriff – Bully API SMS-01-018 API
Smart Sheriff – Bully API SMS-01-018 API
Smart Sheriff – Bully API SMS-01-018 API
Smart Sheriff – Bully API SMS-01-018 API
Smart Sheriff – Bully API SMS-01-018 API API response with the password (XORed)
Smart Sheriff – Bully API - Pass Leak SMS-01-018 root@redstar-os $ curl -v -s 'http://api.moiba.or.kr/MessageRequest --data '{ "action":"CLT_MBR_GETCLIENTMEMBERINFO", "MOBILE_MACHINE_INFO":"XXX", "MOBILE":" 5ZWSVAA5[",  "DEVICE_ID":"unknown" }' > POST /MessageRequest HTTP/1.1 > Host: api.moiba.or.kr > User-Agent: curl/7.48.0 > Accept: */* > Content-Length: 141 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 141 out of 141 bytes < HTTP/1.1 200 OK < Date: Sun, 15 Oct 2015 17:05:20 GMT < Server: Apache/2.0.65 (Unix) DAV/2 mod_jk/1.2.37 < Content-Length: 242 < Content-Type: text/plain; charset=euc-kr <
 {"CHILD_GRADE_TYPE":"","CHILD_BIR_YMD":"","MEMBER_YN":"Y","CHILD_BLCK_GRADE":"","PASSWORD":" 2]","PARENT_MOBILE":"5ZWSVAA5[","REGISTRATION_ID":"","DIVN":"PARENT"} 2] 1234 5ZWSVAA5[ 15555215652
Smart Sheriff – Bully API SMS-01-018 Smart sheriff has so many users, you can find valid phone numbers by just trying random numbers. root@redstar-os $ python sheriff_raid.py CHILD : 010XXXXXXXX - pw: 0879 -> parent number: 010XXXXXXXX CHILD : 010XXXXXXXX - pw: 8493 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 8493 PARENT : 010XXXXXXXX - pw: 0878 CHILD : 010XXXXXXXX - pw: 0878 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 2580 CHILD : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX CHILD : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 5912 CHILD : 010XXXXXXXX - pw: 1004 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 1004 Parent passwords. 4 digit strong!
Bruteforce numbers - Skip to 2:54
Smart Sheriff – Bully API - Fake usage SMS-01-018 API No authentication for the child application. There is a DEVICE_ID as session cookie, but most API endpoints simply accept the phone number to perform updates.
Smart Sheriff – Bully API v2.0 Fast forward to the fixes…
Smart Sheriff – Bully API SMS-02-009 API Guess what happened using a different User Agent :D
SMS-02-010 API No authentication for the child application. You can still fake the phone usage (kid installs p0rn app) Smart Sheriff – Bully API v2.0
XSS • SMS-01-008 Reflected XSS on ssweb.moiba.or.kr via CHILD_MOBILE FIXED! But… • SMS-02-008 Reflected XSS on ssweb.moiba.or.kr via H_TYPE ???!
You really screwed up when even Google indexes your vulns!
Why not? – Tomcat 6.0.29 (released 2009)
Block websites function shouldOverrideUrlLoading()… if(s.startsWith("market://") || s.startsWith("tel:") || s.startsWith("http") && !s.contains("ssweb.moiba.or.kr")) SMS-01-002 blocked allowed :D http://blocked.com http://blocked.com/?blah=ssweb.moiba.or.kr
Insecure Storage on SD card Object obj = new File((new StringBuilder()) obj.append(Environment.getDataDirectory()); obj.append("/data/com.gt101.cleanwave/databases/SmartSheriff.db"); Object obj1 = new File(Environment.getExternalStorageDirectory(), "");
Unlicensed Fonts „This font is made with the trial version of FontCreator. You may not use this font for commercial purposes.“
Test and dev. snippets everywhere {"a1":"!@#$%^&*()_+","a2":"/","a3":" ","a4":""","a5":"''''","a6":"aaa한글 테스트 ....aaa"} http://api.moiba.or.kr/test/ http://api.moiba.or.kr/aaa/ http://api.moiba.or.kr/aaa2/ … Test URLs:
Test and dev. snippets everywhere http://220.117.226.129:8082 http:// hikdev.cafe24.com/demo-gcm-server http://ssadm.moiba.or.kr/ <li><a href='/index'>관리자메인</a></li> <li><a href='/subMain'>서브메인메인</a></li> <li><a href='/harm/app/list'>유해정보관리</a> <ul> <li><a href="/harm/app/appList">앱관리</a></li> <li><a href="/harm/site/list">사이트관리</a></li> <li><a href="/harm/accept/acceptList_app">앱/사이트 접 관리</a></li> </ul> </li> <li><a href='/member/admin/memberAdm'>가입자관리</a> <li><a href='/minwon/minwonList'>민원관리</a> <li><a href='/home/report/list'>홈이지</a></li> </ul> <p> <a href='/html/filelist.html'>디자인</a><br/><br/> <a href='/minwon/minwonPushTest'>Push TEST</a><br/><br/> <a href='/minwon/livePushTest'>Live Push TEST</a><br/> <a href="minwon/logPushTest">log Push Test</a></br>
Big pile of • XSS • Leaking personal data over the API • No authentication • No Transport Security • Even a SQL injection inside their mobile app for the .db • …. Seriously: https://cure53.de/pentest-report_smartsheriff.pdf https://cure53.de/pentest-report_smartsheriff-2.pdf
Citizen Lab publishes the report
MOIBA Press Release 1
MOIBA Press Release 2
Some media attention … but reaction was a bit underwhelming
„Thanks for the free pentest!“ It kinda backfired…
Did we just help improving surveilance software?
Citizen Lab publishes updated report
MOIBA reacts and pulls the app
News about the app removal
Time to celebrate!
But something is shady…
Did we fail?
Find the difference! 사이버안심존
 (Cyber Safety Zone) 스마트보안관 (Smart Sheriff)
The old MOIBA
The new MOIBA
Web Interface – Cyber Safety Zone
Web Interface – Cyber Safety Zone
Smart Sheriff / Cyber Safety Zone • MOIBA didn‘t deprecate the API • MOIBA renamed the app • MOIBA is trying to hide the issues But what is up with Smart Dream?
The new MOIBA – Login for Parents Smart Sheriff / Cyber Safety Zone Smart Dream
Smart Dream Nightmare Parent Child • Parent-Mode: Check messages and searches containing dangerous words • Child-Mode: Monitoring SMS/KakaoTalk and google searches. installs as accessibility service
• Very clever solution - request accessibility permissions • Abusing functionality intended for text2speech, … How do they read KakaoTalk?
Web Interface – Smart Dream
Smart Dream Nightmare Parent App monitoring SMS Parent Web Backend
Smart Dream Nightmare XSS via SMS/KakaoTalk messages (no authentication)… and no SSL?
Register an account Korean number needed. And wait for verification SMS… Or simply change forms.auth_ok.value = "1"
Register an account Fixed!?... you can still register via the App Korean number needed. And wait for verification SMS… Or simply change forms.auth_ok.value = "1"
+700k Messages from +55k Children root@redstar-os $ python nightmare.py ### Messages from Child: From: ".인터넷" (5) 1. [KakaoTalk] (violence/gang up): "투명성성인기회" 2. [KakaoTalk] (blackmail/money): "깡패?" 3. [KakaoTalk] (violence/맞다): "한!!국교!!„ 4. [KakaoTalk] (blackmail/빌려달라): "보안어린이개방성사랑정?" 5. [KakaoTalk] (threat/kill): "성인성인괴상한해킹비밀한국성인강남스타일모바일„ 
 From: ".사이버억압♡" (2) 1. [KakaoTalk] (rant/crazy girl acting as child): "투명♥♥" 2. [KakaoTalk] (abuse/fuck it): "비 밀사 이버비?밀번역 조 화정부 기 회개인 성 인 어린이정 ..." 
 From: "010XXXXXXXX" (3) 1. [SMS] (harass/desperate): "어린이강남스?타일인터넷" 2. [SMS] (harass/): "깡패구글괴상한" 3. [SMS] (harass/desperate): "부패교육감?" 
 From: ".사이버투♥" (3) 1. [KakaoTalk] (threat/kill): "해킹 평등" 2. [KakaoTalk] (harass/desperate): "자 기 검열보?" 3. [KakaoTalk] (violence/gang up): "강남스타일!!!"
The Most Offensive Slide :O The 1086 "harmful" words that are monitored by smart dream
The Most Offensive Slide :O The 1086 "harmful" words that are monitored by smart dream Example words: divorce, single parent, remarriage, adoption, earn money, multiculturalism, menstruation, breast, stress, I hate …, girlfriend, boyfriend, break up, dating, lie, beer, person/friend/guy/girl I like, r-rated, sex, discrimination, black history, going to school, borrow, sarcasm, fanboy, gangster, disability, reporting to police, …
MOIBA‘s guide to fixing vulns Lack of Authentication Important parameters will be encrypted with AES256 Hardcoded API key 1. Put API key into NDK binaries 2. Each user get‘s own key XSS with messages Before sending SMS message, escape and replace special chars
Another big pile of • XSS • No SSL • Lack of Authentication and Authorization • Accessing stored messages and searches • …
But what about the other apps?
But what about the other apps?
We love you too, Plantynet DamnYouHackerwHAt1syoUrBENefitwhEnDeComPil2Th1saPpplEas2DOnOtd1sTurbUs “Damn You Hacker what is your benefit when decompile this app please dont disturb us” Found as a string inside a Java class:
... guess why they don‘t want people looking
SKTelecom
SKT Corperation • Encrypted/obfuscated application
 implemented via native library
Defeat Obfuscation – Lame Strategy • Encrypted/obfuscated application
 implemented via native library
• Jeff from CitizenLab 
 reverse engineered the binary • AES key unwrapping (RFC 3394) • PBKDF2 HMAC • AES ECB Defeat Obfuscation – Cool Strategy
SKTelecom - Issues • No HTTPS • XSS
• Take a step back • Imagine these apps were magically 100% secure • Would you trust any company or government... • ... to have a database with all that information? • Phone usage statistics (times, apps) • SMS/IM Messages • Knowing family associations • Names and birthdays A note for reflexion
What is happening next? • The Korean government proposed a new bill to make opt-out possible • OpenNet Korea submitted a constitutional complaint about the law
 ! final decision in 2-3 years • Should there be regulations for parental/child-protection apps?
 ! eg. no cloud service, only local
Reports • [20 September 2015] Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application - https://citizenlab.org/2015/09/digital-risks-south-korea- smart-sheriff/ • [1 November 2015] The Kids are Still at Risk: Update to Citizen Lab’s “Are the Kids Alright?” Smart Sheriff report - https://citizenlab.org/2015/11/smart-sheriff-update/ • [21 September 2015] Submission to the 113th Session of the UN Human Rights Committee for Fourth Periodic Report of the Republic of Korea - 
 http://opennetkorea.org/en/wp/wp-content/uploads/ 2016/03/INT_CCPR__KOR_OPEN_NETSmart-Sheriff.pdf
Some News Articles • [19 May 2015] Don’t text ‘beer’ in Korea: Words that trigger teen alerts - http://www.japantimes.co.jp/ news/2015/05/19/asia-pacific/dont-text-beer-korea- words-trigger-teen-alerts/ • [16 June 2015] South Korea provokes teenage smartphone privacy row - http://www.bbc.com/news/ technology-33091990 • [21 September 2015] Smart Sheriff child surveillance app leaves South Korean kids vulnerable to hackers - http://www.cbc.ca/news/technology/smart- sheriff-1.3236682

 Abraham Aranguren (@7a_) - abraham@cure53.de 
 Fabian Fäßler (@samuirai) - fabian@cure53.de Reports: https://cure53.de/#publications Questions/Comments/Discussion

Recomendados

Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Adobe AEM CQ5 - Developer Introduction
Adobe AEM CQ5 - Developer IntroductionAdobe AEM CQ5 - Developer Introduction
Adobe AEM CQ5 - Developer IntroductionYash Mody
 
Rest api and-crud-api
Rest api and-crud-apiRest api and-crud-api
Rest api and-crud-apiF(x) Data Labs Pvt Ltd
 
AOT and Native with Spring Boot 3.0
AOT and Native with Spring Boot 3.0AOT and Native with Spring Boot 3.0
AOT and Native with Spring Boot 3.0MoritzHalbritter
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJSLuigi Saetta
 

Recomendados

Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Adobe AEM CQ5 - Developer Introduction
Adobe AEM CQ5 - Developer IntroductionAdobe AEM CQ5 - Developer Introduction
Adobe AEM CQ5 - Developer IntroductionYash Mody
 
Rest api and-crud-api
Rest api and-crud-apiRest api and-crud-api
Rest api and-crud-apiF(x) Data Labs Pvt Ltd
 
AOT and Native with Spring Boot 3.0
AOT and Native with Spring Boot 3.0AOT and Native with Spring Boot 3.0
AOT and Native with Spring Boot 3.0MoritzHalbritter
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJSLuigi Saetta
 
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代Shengyou Fan
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
PWA 與 Service Worker
PWA 與 Service WorkerPWA 與 Service Worker
PWA 與 Service WorkerAnna Su
 
Rest in flask
Rest in flaskRest in flask
Rest in flaskHamid Feizabadi
 
Deep Dive Java 17 Devoxx UK
Deep Dive Java 17 Devoxx UKDeep Dive Java 17 Devoxx UK
Deep Dive Java 17 Devoxx UKJosé Paumard
 
Spring Boot Interview Questions | Edureka
Spring Boot Interview Questions | EdurekaSpring Boot Interview Questions | Edureka
Spring Boot Interview Questions | EdurekaEdureka!
 
코틀린 멀티플랫폼, 미지와의 조우
코틀린 멀티플랫폼, 미지와의 조우코틀린 멀티플랫폼, 미지와의 조우
코틀린 멀티플랫폼, 미지와의 조우Arawn Park
 
Top 10 Front End Developer Skills | How to become a Front End Developer? Edureka
Top 10 Front End Developer Skills | How to become a Front End Developer? EdurekaTop 10 Front End Developer Skills | How to become a Front End Developer? Edureka
Top 10 Front End Developer Skills | How to become a Front End Developer? EdurekaEdureka!
 
Php ppt
Php pptPhp ppt
Php pptSanmuga Nathan
 
RESTful API - Best Practices
RESTful API - Best PracticesRESTful API - Best Practices
RESTful API - Best PracticesTricode (part of Dept)
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Express JS
Express JSExpress JS
Express JSDesignveloper
 
INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...apidays
 
Troubleshooting APEX Performance Issues
Troubleshooting APEX Performance IssuesTroubleshooting APEX Performance Issues
Troubleshooting APEX Performance IssuesRoel Hartman
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Um pouco sobre APIs
Um pouco sobre APIsUm pouco sobre APIs
Um pouco sobre APIsLuiz Paulo dos Prazeres Júnior
 
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOUHOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOULucas Jellema
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 

Más contenido relacionado

La actualidad más candente

[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代Shengyou Fan
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
PWA 與 Service Worker
PWA 與 Service WorkerPWA 與 Service Worker
PWA 與 Service WorkerAnna Su
 
Deep Dive Java 17 Devoxx UK
Deep Dive Java 17 Devoxx UKDeep Dive Java 17 Devoxx UK
Deep Dive Java 17 Devoxx UKJosé Paumard
 
Spring Boot Interview Questions | Edureka
Spring Boot Interview Questions | EdurekaSpring Boot Interview Questions | Edureka
Spring Boot Interview Questions | EdurekaEdureka!
 
코틀린 멀티플랫폼, 미지와의 조우
코틀린 멀티플랫폼, 미지와의 조우코틀린 멀티플랫폼, 미지와의 조우
코틀린 멀티플랫폼, 미지와의 조우Arawn Park
 
Top 10 Front End Developer Skills | How to become a Front End Developer? Edureka
Top 10 Front End Developer Skills | How to become a Front End Developer? EdurekaTop 10 Front End Developer Skills | How to become a Front End Developer? Edureka
Top 10 Front End Developer Skills | How to become a Front End Developer? EdurekaEdureka!
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...apidays
 
Troubleshooting APEX Performance Issues
Troubleshooting APEX Performance IssuesTroubleshooting APEX Performance Issues
Troubleshooting APEX Performance IssuesRoel Hartman
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOUHOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOULucas Jellema
 

La actualidad más candente (20)

[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
[JCConf 2020] 用 Kotlin 跨入 Serverless 世代
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
PWA 與 Service Worker
PWA 與 Service WorkerPWA 與 Service Worker
PWA 與 Service Worker
 
Rest in flask
Rest in flaskRest in flask
Rest in flask
 
Deep Dive Java 17 Devoxx UK
Deep Dive Java 17 Devoxx UKDeep Dive Java 17 Devoxx UK
Deep Dive Java 17 Devoxx UK
 
Spring Boot Interview Questions | Edureka
Spring Boot Interview Questions | EdurekaSpring Boot Interview Questions | Edureka
Spring Boot Interview Questions | Edureka
 
코틀린 멀티플랫폼, 미지와의 조우
코틀린 멀티플랫폼, 미지와의 조우코틀린 멀티플랫폼, 미지와의 조우
코틀린 멀티플랫폼, 미지와의 조우
 
Top 10 Front End Developer Skills | How to become a Front End Developer? Edureka
Top 10 Front End Developer Skills | How to become a Front End Developer? EdurekaTop 10 Front End Developer Skills | How to become a Front End Developer? Edureka
Top 10 Front End Developer Skills | How to become a Front End Developer? Edureka
 
Php ppt
Php pptPhp ppt
Php ppt
 
RESTful API - Best Practices
RESTful API - Best PracticesRESTful API - Best Practices
RESTful API - Best Practices
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node js
 
Express JS
Express JSExpress JS
Express JS
 
INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...
 
Troubleshooting APEX Performance Issues
Troubleshooting APEX Performance IssuesTroubleshooting APEX Performance Issues
Troubleshooting APEX Performance Issues
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Um pouco sobre APIs
Um pouco sobre APIsUm pouco sobre APIs
Um pouco sobre APIs
 
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOUHOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
HOW AND WHY GRAALVM IS QUICKLY BECOMING RELEVANT FOR YOU
 

Destacado

OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 

Destacado (6)

OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 

Similar a Smart Sheriff, Dumb Idea, the wild west of government assisted parenting

[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...PROIDEA
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...CODE BLUE
 
Recent Trends in Cyber Security
Recent Trends in Cyber SecurityRecent Trends in Cyber Security
Recent Trends in Cyber SecurityAyoma Wijethunga
 
Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015kingsBSD
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkin
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkinRv defcon25 keeping an eye on mobile applications - mikhail sosonkin
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkinreconvillage
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaGilles Sgro
 
Toward a Mobile Data Commons
Toward a Mobile Data CommonsToward a Mobile Data Commons
Toward a Mobile Data CommonskingsBSD
 
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...PROIDEA
 
All your family secrets belong to us—Worrisome security issues in tracker apps
All your family secrets belong to us—Worrisome security issues in tracker appsAll your family secrets belong to us—Worrisome security issues in tracker apps
All your family secrets belong to us—Worrisome security issues in tracker appsPriyanka Aash
 
Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013Jon Arne Sæterås
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdfdino715195
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...
IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...
IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...IRJET Journal
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentȘtefan Popa
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Developing A Cyber Security Incident Response Program
Developing A Cyber Security Incident Response ProgramDeveloping A Cyber Security Incident Response Program
Developing A Cyber Security Incident Response ProgramBGA Cyber Security
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 

Similar a Smart Sheriff, Dumb Idea, the wild west of government assisted parenting (20)

[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
 
Recent Trends in Cyber Security
Recent Trends in Cyber SecurityRecent Trends in Cyber Security
Recent Trends in Cyber Security
 
Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkin
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkinRv defcon25 keeping an eye on mobile applications - mikhail sosonkin
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkin
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taragana
 
Toward a Mobile Data Commons
Toward a Mobile Data CommonsToward a Mobile Data Commons
Toward a Mobile Data Commons
 
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
 
All your family secrets belong to us—Worrisome security issues in tracker apps
All your family secrets belong to us—Worrisome security issues in tracker appsAll your family secrets belong to us—Worrisome security issues in tracker apps
All your family secrets belong to us—Worrisome security issues in tracker apps
 
Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...
IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...
IRJET- Identification of Location of Laptop Devices using Raspberry Pi Mo...
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application development
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTs
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Developing A Cyber Security Incident Response Program
Developing A Cyber Security Incident Response ProgramDeveloping A Cyber Security Incident Response Program
Developing A Cyber Security Incident Response Program
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 

Último

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Último (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Smart Sheriff, Dumb Idea, the wild west of government assisted parenting

  • 3. Smart Sheriff, Dumb Idea The wild west of government assisted parenting presented by: Abraham Aranguren - @7a_ Fabian Fäßler - @samuirai
  • 4. A story about a Korean law… • Some background information • Case MOIBA: Smart Sheriff, Smart Dream • Case mobile operators: KT, LGU, +SKT • What now? „In the end we hope you share our disbelieve“
  • 5. Takeaways from this talk • Insight into South Korean culture and politics • Some basics in Android reversing • Difficulties with the ethics of disclosing issues
  • 6. Who are we? Abraham Aranguren (@7a_) - blog.7-a.org OWASP OWTF Project leader - owtf.org abraham@cure53.de 
 Fabian Fäßler (@samuirai) - smrrd.de 
 Student at TU Berlin fabian@cure53.de Cure53 is led by handsome Mario Heiderich (@0x6D6172696F).
 Bullshit free pentests, sometimes public ☺ https://cure53.de/#publications
  • 7. Why did we do this? OpenNet Korea brought this to Citizen Lab http://opennetkorea.org/ Citizen Lab, Toronto "Citizen Lab Summer Institute on Monitoring Internet Openness and Rights 2015“ http://citizenlab.org/ Open Technology Fund supported it https://www.opentech.fund/
  • 8. Once upon a time… … in a country far far away.
  • 9. South Korea – Smartphone Usage % Total population % 18-34 y/o population Source: Spring 2015 Global Attitudes survey. Q71 & Q72. … the country with the highest Smartphone usage on the planet!
  • 10. South Korea – Child Protection Laws Article 32, Section 7 of Korean Telecommunications Business Act mobile network operators have to provide adult content filtering service for legal minors … Introduced 15.10.2014
  • 11. South Korea – Child Protection Laws Article 32, Section 7 of Korean Telecommunications Business Act mobile network operators have to provide adult content filtering service for legal minors … Introduced 15.10.2014 
 Introduced 14.04.2015 Implementation Details Article 37, Section 8 Notify children and parents about features of the blocking Monthly notification if the blocking means was deleted or had not been operated for more than 15 days …
  • 12. South Korea – Mandatory apps Mandatory installation of a surveillance app when the phone is purchased for a teenager.
  • 13. South Korea – Mandatory apps Mandatory installation of a surveillance app when the phone is purchased for a teenager. No opt-out.
  • 14. South Korea – Mandatory apps Photo: Lee Jin-man/Associated Press
  • 15. Mobile Internet Business Association (MOIBA) The Korean Communications Commission (KCC) gave MOIBA USD $2.7 million to create these mandatory apps
  • 16. MOIBA - Smart Sheriff / Smart Dream MOIBA created 2 mobile apps Smart Sheriff
 (mandatory) Smart Dream
 (additional service)
  • 17. Alternative Korean Child Protection Apps • KT Corporation: https:// play.google.com/store/apps/details? id=com.kt.ollehkidsafe • SKTelecom: https:// play.google.com/store/apps/details? id=com.skt.thug.hazard • LG U+: https://play.google.com/ store/apps/details? id=com.lguplus.cleanmobile
  • 18. Smart Sheriff: Parent vs. Child mode • Operating mode chosen on first usage • Parent-Mode: Smartphone usage management • Child-Mode: For filtering and activity monitoring Parent Child
  • 19. Smart Sheriff: Block phone access Parents can deny phone access for certain times for the child
  • 20. Smart Sheriff: Installed apps See installed apps on child’s phone and deny or enable access to them.
  • 21. Smart Sheriff: Websites Manage/Block access to websites. Implemented in the app, but not usable by parent.
  • 22. Sensitive Data – Smart Sheriff (+others) • Family Association (Parent – Child) • Children‘s names, birthdays • Installed apps and usage statistics 
 (time browsing or playing games) • Visited/Blocked URLs Smart Dream • Private SMS and KakaoTalk messages (!)
  • 23. Round 1 – Setup Challenges
  • 25. unpack, translate, repack with apktool http://ibotpeaches.github.io/Apktool/ Language Barrier
  • 27. Unfortunately … strings.xml is not enough for a app because WebViews Language Barrier
  • 28. Language Barrier … Google Translate
  • 29.   
   move-result-object v0   const-string v1, "SAMU"   invoke-static {v1, v0}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I private static final String TAG = "SAMU"; Log.i(TAG, result); Debugging Patching debug messages in smali code for logging
  • 30. Round 1 – Shoot
  • 31. String url = "http://ssweb.moiba.or.kr/pushAlarm"; WebView webview = (WebView)findViewById(0x7f070000); webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); webview.postUrl(url, obj); var String = window.jsinterface.getSomeString(); // window.jsinterface.getClass().forName('java.lang.Runtime') RCE with insecure WebView Accessing Java methods from JavaScript in Android 2.4 to 4.1 SMS-01-001 https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614 https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
  • 32. String url = "http://ssweb.moiba.or.kr/pushAlarm"; WebView webview = (WebView)findViewById(0x7f070000); webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); webview.postUrl(url, obj); What is SSL? SMS-01-003
  • 33. String url = "http://ssweb.moiba.or.kr/pushAlarm"; WebView webview = (WebView)findViewById(0x7f070000); webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); webview.postUrl(url, obj); What is SSL? SMS-01-003
  • 34. Smart Sheriff – SSL v2.0 Fast forward to the fix…
  • 35. https://api.moiba.or.kr/MessageRequest_New Smart Sheriff – How to SSL like a pro They switched to SSL for real O.o ? SMS-01-003 No use of any SSL/TLS-based transport security FIXED?
  • 36. Smart Sheriff – How to SSL like a pro SMS-02-008 public final void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) { paramSslErrorHandler.proceed(); } implements HostnameVerifier { public final boolean verify(String paramString, SSLSession paramSSLSession) { return true; }
  • 37. SMS-01-005 "]5ZWSVAB5]" "05555215554" • But SSL is not necessary, when you do your own crypto Layer… moibagtwigsystemsfightinghhhkkkkok
  • 39. Smart Sheriff – Crypto v2.0 Fast forward to the fixes…
  • 40. "+yld3N...aVIjqteA==„ { “action”:”CLT_MBR_GETCL... "MOBILE":"3ZP[QVDC6]UK@JC", "DEVICE_ID: ... } moiba1cybar8smart4sheriff4securi SMS-01-012 • MOIBA added more crypto…
  • 41. "+yld3N...aVIjqteA==„ { “action”:”CLT_MBR_GETCL... "MOBILE":"3ZP[QVDC6]UK@JC", "DEVICE_ID: ... } moiba1cybar8smart4sheriff4securi SMS-01-012 • Useless AES layer with static key
  • 42. API Design SMS-01-012 request="+yld3N...aVIjqteA==" { "action":"CLT_MBR_GETCL... "MOBILE":"]5ZWSVAB5]", "DEVICE_ID: ... } "05555215554" {"SYNC_APP_LIST": {"BLCK_ACT_DIVN":[], ... "CHILD_BIR_YMD":"20050105", "CHILD_BLCK_GRADE":"2","PAS SWORD":"****","DIVN":"CHILD "}} Fail SSL Request Response
  • 46. Smart Sheriff – Bully API SMS-01-018 API
  • 47. Smart Sheriff – Bully API SMS-01-018 API
  • 48. Smart Sheriff – Bully API SMS-01-018 API
  • 49. Smart Sheriff – Bully API SMS-01-018 API
  • 50. Smart Sheriff – Bully API SMS-01-018 API API response with the password (XORed)
  • 51. Smart Sheriff – Bully API - Pass Leak SMS-01-018 root@redstar-os $ curl -v -s 'http://api.moiba.or.kr/MessageRequest --data '{ "action":"CLT_MBR_GETCLIENTMEMBERINFO", "MOBILE_MACHINE_INFO":"XXX", "MOBILE":" 5ZWSVAA5[",  "DEVICE_ID":"unknown" }' > POST /MessageRequest HTTP/1.1 > Host: api.moiba.or.kr > User-Agent: curl/7.48.0 > Accept: */* > Content-Length: 141 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 141 out of 141 bytes < HTTP/1.1 200 OK < Date: Sun, 15 Oct 2015 17:05:20 GMT < Server: Apache/2.0.65 (Unix) DAV/2 mod_jk/1.2.37 < Content-Length: 242 < Content-Type: text/plain; charset=euc-kr <
 {"CHILD_GRADE_TYPE":"","CHILD_BIR_YMD":"","MEMBER_YN":"Y","CHILD_BLCK_GRADE":"","PASSWORD":" 2]","PARENT_MOBILE":"5ZWSVAA5[","REGISTRATION_ID":"","DIVN":"PARENT"} 2] 1234 5ZWSVAA5[ 15555215652
  • 52. Smart Sheriff – Bully API SMS-01-018 Smart sheriff has so many users, you can find valid phone numbers by just trying random numbers. root@redstar-os $ python sheriff_raid.py CHILD : 010XXXXXXXX - pw: 0879 -> parent number: 010XXXXXXXX CHILD : 010XXXXXXXX - pw: 8493 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 8493 PARENT : 010XXXXXXXX - pw: 0878 CHILD : 010XXXXXXXX - pw: 0878 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 2580 CHILD : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX CHILD : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 5912 CHILD : 010XXXXXXXX - pw: 1004 -> parent number: 010XXXXXXXX PARENT : 010XXXXXXXX - pw: 1004 Parent passwords. 4 digit strong!
  • 53. Bruteforce numbers - Skip to 2:54
  • 54. Smart Sheriff – Bully API - Fake usage SMS-01-018 API No authentication for the child application. There is a DEVICE_ID as session cookie, but most API endpoints simply accept the phone number to perform updates.
  • 55. Smart Sheriff – Bully API v2.0 Fast forward to the fixes…
  • 56. Smart Sheriff – Bully API SMS-02-009 API Guess what happened using a different User Agent :D
  • 57. SMS-02-010 API No authentication for the child application. You can still fake the phone usage (kid installs p0rn app) Smart Sheriff – Bully API v2.0
  • 58. XSS • SMS-01-008 Reflected XSS on ssweb.moiba.or.kr via CHILD_MOBILE FIXED! But… • SMS-02-008 Reflected XSS on ssweb.moiba.or.kr via H_TYPE ???!
  • 59. You really screwed up when even Google indexes your vulns!
  • 60. Why not? – Tomcat 6.0.29 (released 2009)
  • 61. Block websites function shouldOverrideUrlLoading()… if(s.startsWith("market://") || s.startsWith("tel:") || s.startsWith("http") && !s.contains("ssweb.moiba.or.kr")) SMS-01-002 blocked allowed :D http://blocked.com http://blocked.com/?blah=ssweb.moiba.or.kr
  • 62. Insecure Storage on SD card Object obj = new File((new StringBuilder()) obj.append(Environment.getDataDirectory()); obj.append("/data/com.gt101.cleanwave/databases/SmartSheriff.db"); Object obj1 = new File(Environment.getExternalStorageDirectory(), "");
  • 63. Unlicensed Fonts „This font is made with the trial version of FontCreator. You may not use this font for commercial purposes.“
  • 64. Test and dev. snippets everywhere {"a1":"!@#$%^&*()_+","a2":"/","a3":" ","a4":""","a5":"''''","a6":"aaa한글 테스트 ....aaa"} http://api.moiba.or.kr/test/ http://api.moiba.or.kr/aaa/ http://api.moiba.or.kr/aaa2/ … Test URLs:
  • 65. Test and dev. snippets everywhere http://220.117.226.129:8082 http:// hikdev.cafe24.com/demo-gcm-server http://ssadm.moiba.or.kr/ <li><a href='/index'>관리자메인</a></li> <li><a href='/subMain'>서브메인메인</a></li> <li><a href='/harm/app/list'>유해정보관리</a> <ul> <li><a href="/harm/app/appList">앱관리</a></li> <li><a href="/harm/site/list">사이트관리</a></li> <li><a href="/harm/accept/acceptList_app">앱/사이트 접 관리</a></li> </ul> </li> <li><a href='/member/admin/memberAdm'>가입자관리</a> <li><a href='/minwon/minwonList'>민원관리</a> <li><a href='/home/report/list'>홈이지</a></li> </ul> <p> <a href='/html/filelist.html'>디자인</a><br/><br/> <a href='/minwon/minwonPushTest'>Push TEST</a><br/><br/> <a href='/minwon/livePushTest'>Live Push TEST</a><br/> <a href="minwon/logPushTest">log Push Test</a></br>
  • 66. Big pile of • XSS • Leaking personal data over the API • No authentication • No Transport Security • Even a SQL injection inside their mobile app for the .db • …. Seriously: https://cure53.de/pentest-report_smartsheriff.pdf https://cure53.de/pentest-report_smartsheriff-2.pdf
  • 67. Citizen Lab publishes the report
  • 70. Some media attention … but reaction was a bit underwhelming
  • 71. „Thanks for the free pentest!“ It kinda backfired…
  • 72. Did we just help improving surveilance software?
  • 73. Citizen Lab publishes updated report
  • 74. MOIBA reacts and pulls the app
  • 75. News about the app removal
  • 77. But something is shady…
  • 79. Find the difference! 사이버안심존
 (Cyber Safety Zone) 스마트보안관 (Smart Sheriff)
  • 82. Web Interface – Cyber Safety Zone
  • 83. Web Interface – Cyber Safety Zone
  • 84. Smart Sheriff / Cyber Safety Zone • MOIBA didn‘t deprecate the API • MOIBA renamed the app • MOIBA is trying to hide the issues But what is up with Smart Dream?
  • 85. The new MOIBA – Login for Parents Smart Sheriff / Cyber Safety Zone Smart Dream
  • 86. Smart Dream Nightmare Parent Child • Parent-Mode: Check messages and searches containing dangerous words • Child-Mode: Monitoring SMS/KakaoTalk and google searches. installs as accessibility service
  • 87. • Very clever solution - request accessibility permissions • Abusing functionality intended for text2speech, … How do they read KakaoTalk?
  • 88. Web Interface – Smart Dream
  • 89. Smart Dream Nightmare Parent App monitoring SMS Parent Web Backend
  • 90. Smart Dream Nightmare XSS via SMS/KakaoTalk messages (no authentication)… and no SSL?
  • 91. Register an account Korean number needed. And wait for verification SMS… Or simply change forms.auth_ok.value = "1"
  • 92. Register an account Fixed!?... you can still register via the App Korean number needed. And wait for verification SMS… Or simply change forms.auth_ok.value = "1"
  • 93. +700k Messages from +55k Children root@redstar-os $ python nightmare.py ### Messages from Child: From: ".인터넷" (5) 1. [KakaoTalk] (violence/gang up): "투명성성인기회" 2. [KakaoTalk] (blackmail/money): "깡패?" 3. [KakaoTalk] (violence/맞다): "한!!국교!!„ 4. [KakaoTalk] (blackmail/빌려달라): "보안어린이개방성사랑정?" 5. [KakaoTalk] (threat/kill): "성인성인괴상한해킹비밀한국성인강남스타일모바일„ 
 From: ".사이버억압♡" (2) 1. [KakaoTalk] (rant/crazy girl acting as child): "투명♥♥" 2. [KakaoTalk] (abuse/fuck it): "비 밀사 이버비?밀번역 조 화정부 기 회개인 성 인 어린이정 ..." 
 From: "010XXXXXXXX" (3) 1. [SMS] (harass/desperate): "어린이강남스?타일인터넷" 2. [SMS] (harass/): "깡패구글괴상한" 3. [SMS] (harass/desperate): "부패교육감?" 
 From: ".사이버투♥" (3) 1. [KakaoTalk] (threat/kill): "해킹 평등" 2. [KakaoTalk] (harass/desperate): "자 기 검열보?" 3. [KakaoTalk] (violence/gang up): "강남스타일!!!"
  • 94.
  • 95. The Most Offensive Slide :O The 1086 "harmful" words that are monitored by smart dream
  • 96. The Most Offensive Slide :O The 1086 "harmful" words that are monitored by smart dream Example words: divorce, single parent, remarriage, adoption, earn money, multiculturalism, menstruation, breast, stress, I hate …, girlfriend, boyfriend, break up, dating, lie, beer, person/friend/guy/girl I like, r-rated, sex, discrimination, black history, going to school, borrow, sarcasm, fanboy, gangster, disability, reporting to police, …
  • 97. MOIBA‘s guide to fixing vulns Lack of Authentication Important parameters will be encrypted with AES256 Hardcoded API key 1. Put API key into NDK binaries 2. Each user get‘s own key XSS with messages Before sending SMS message, escape and replace special chars
  • 98. Another big pile of • XSS • No SSL • Lack of Authentication and Authorization • Accessing stored messages and searches • …
  • 99. But what about the other apps?
  • 100. But what about the other apps?
  • 101. We love you too, Plantynet DamnYouHackerwHAt1syoUrBENefitwhEnDeComPil2Th1saPpplEas2DOnOtd1sTurbUs “Damn You Hacker what is your benefit when decompile this app please dont disturb us” Found as a string inside a Java class:
  • 102. ... guess why they don‘t want people looking
  • 104. SKT Corperation • Encrypted/obfuscated application
 implemented via native library
  • 105. Defeat Obfuscation – Lame Strategy • Encrypted/obfuscated application
 implemented via native library
  • 106. • Jeff from CitizenLab 
 reverse engineered the binary • AES key unwrapping (RFC 3394) • PBKDF2 HMAC • AES ECB Defeat Obfuscation – Cool Strategy
  • 107. SKTelecom - Issues • No HTTPS • XSS
  • 108. • Take a step back • Imagine these apps were magically 100% secure • Would you trust any company or government... • ... to have a database with all that information? • Phone usage statistics (times, apps) • SMS/IM Messages • Knowing family associations • Names and birthdays A note for reflexion
  • 109. What is happening next? • The Korean government proposed a new bill to make opt-out possible • OpenNet Korea submitted a constitutional complaint about the law
 ! final decision in 2-3 years • Should there be regulations for parental/child-protection apps?
 ! eg. no cloud service, only local
  • 110. Reports • [20 September 2015] Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application - https://citizenlab.org/2015/09/digital-risks-south-korea- smart-sheriff/ • [1 November 2015] The Kids are Still at Risk: Update to Citizen Lab’s “Are the Kids Alright?” Smart Sheriff report - https://citizenlab.org/2015/11/smart-sheriff-update/ • [21 September 2015] Submission to the 113th Session of the UN Human Rights Committee for Fourth Periodic Report of the Republic of Korea - 
 http://opennetkorea.org/en/wp/wp-content/uploads/ 2016/03/INT_CCPR__KOR_OPEN_NETSmart-Sheriff.pdf
  • 111. Some News Articles • [19 May 2015] Don’t text ‘beer’ in Korea: Words that trigger teen alerts - http://www.japantimes.co.jp/ news/2015/05/19/asia-pacific/dont-text-beer-korea- words-trigger-teen-alerts/ • [16 June 2015] South Korea provokes teenage smartphone privacy row - http://www.bbc.com/news/ technology-33091990 • [21 September 2015] Smart Sheriff child surveillance app leaves South Korean kids vulnerable to hackers - http://www.cbc.ca/news/technology/smart- sheriff-1.3236682
  • 112. 
 Abraham Aranguren (@7a_) - abraham@cure53.de 
 Fabian Fäßler (@samuirai) - fabian@cure53.de Reports: https://cure53.de/#publications Questions/Comments/Discussion