Smart Sheriff, Dumb Idea. The wild west of government assisted parenting

Presented at BruCON 0x08 (2016), Oct. 28, 2016, 4 p.m. (60 minutes).

Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games? Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then? We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right? Going over the first and second pentest results, we will share our impressions about the "security" of this ecosystem and show examples of the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show how a simple pentest together with excellent activist work can maybe spark a political discussion and more.

Presenters:

  • Abraham Aranguren
    Abraham was an honors student in Information Security at university. His work experience from 2000 until 2007 was mostly defensive: fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with special focus on web app security. He is a senior member of the Cure53 team, and a senior consultant for Version 1 - the top IT consultancy in Ireland. Abraham is also the creator of "Practical Web Defense" - a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader, and sometimes writes on http://7-a.org or on Twitter as @7a_ and @owtfp. Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard.
  • Fabian Fäßler
    Fabian did his bachelor's degree in collaboration with IBM and is now doing his master's degree at the technical university in Berlin. He was always interested in IT security, but started to seriously get into it after he discovered CTF competitions in 2011, and has since won the German Cyber Security Challenge twice. Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification. Fabian is interested in all computer topics from low level hardware up to high level web applications and writes about it on his blog at http://smrrd.de and tweets as @samuirai. Contrary to Abraham, Fabian cannot grow a full beard.