Smart Sheriff, Dumb Idea, the wild west of government assisted parenting

Smart Sheriff, Dumb Idea
The wild west of government assisted parenting
presented by:
Abraham Aranguren - @7a_
Fabian Fäßler - @samuirai

A story about a Korean law…
• Some background information
• Case MOIBA: Smart Sheriff, Smart Dream
• Case mobile operators: KT, LGU, +SKT
• What now?
„In the end we hope you share our disbelieve“

Takeaways from this talk
• Insight into South Korean culture and politics
• Some basics in Android reversing
• Difficulties with the ethics of disclosing issues

Who are we?
Abraham Aranguren (@7a_) - blog.7-a.org
OWASP OWTF Project leader - owtf.org
abraham@cure53.de
 
Fabian Fäßler (@samuirai) - smrrd.de  
Student at TU Berlin
fabian@cure53.de
Cure53 is led by handsome Mario Heiderich (@0x6D6172696F). 
Bullshit free pentests, sometimes public ☺
https://cure53.de/#publications

Why did we do this?
OpenNet Korea brought this to Citizen Lab
http://opennetkorea.org/
Citizen Lab, Toronto
"Citizen Lab Summer Institute on Monitoring Internet
Openness and Rights 2015“
http://citizenlab.org/
Open Technology Fund supported it
https://www.opentech.fund/

Once upon a time…
… in a country far far away.

South Korea – Smartphone Usage
% Total population % 18-34 y/o population
Source: Spring 2015 Global Attitudes survey. Q71 & Q72.
… the country with the highest Smartphone usage on the planet!

South Korea – Child Protection Laws
Article 32, Section 7 of Korean Telecommunications
Business Act
mobile network operators have to provide adult content
filtering service for legal minors
…
Introduced 15.10.2014

South Korea – Child Protection Laws
Article 32, Section 7 of Korean Telecommunications
Business Act
mobile network operators have to provide adult content
filtering service for legal minors
…
 
Implementation Details Article 37, Section 8
Notify children and parents about features of the blocking
Monthly notification if the blocking means was deleted or
had not been operated for more than 15 days
…

South Korea – Mandatory apps
Mandatory installation of a surveillance app when the
phone is purchased for a teenager.

Mandatory installation of a surveillance app when the
phone is purchased for a teenager.
No opt-out.

Photo: Lee Jin-man/Associated Press

Mobile Internet Business Association (MOIBA)
The Korean Communications Commission (KCC) gave MOIBA
USD $2.7 million to create these mandatory apps

MOIBA - Smart Sheriff / Smart Dream
MOIBA created 2 mobile apps
Smart Sheriff 
(mandatory)
Smart Dream 
(additional service)

Alternative Korean Child Protection Apps
• KT Corporation: https://
play.google.com/store/apps/details?
id=com.kt.ollehkidsafe
• SKTelecom: https://
play.google.com/store/apps/details?
id=com.skt.thug.hazard
• LG U+: https://play.google.com/
store/apps/details?
id=com.lguplus.cleanmobile

Smart Sheriff: Parent vs. Child mode
• Operating mode chosen on first usage
• Parent-Mode: Smartphone usage management
• Child-Mode: For filtering and activity monitoring
Parent Child

Smart Sheriff: Block phone access
Parents can deny phone
access for certain times
for the child

Smart Sheriff: Installed apps
See installed apps on
child’s phone and deny
or enable access to
them.

Smart Sheriff: Websites
Manage/Block access to
websites.
Implemented in the app,
but not usable by parent.

Sensitive Data – Smart Sheriff (+others)
• Family Association (Parent – Child)
• Children‘s names, birthdays
• Installed apps and usage statistics  
(time browsing or playing games)
• Visited/Blocked URLs
Smart Dream
• Private SMS and KakaoTalk messages (!)

Language Barrier
WTF DOES THIS?

unpack, translate,
repack with apktool
http://ibotpeaches.github.io/Apktool/
Language Barrier

http://ibotpeaches.github.io/Apktool/
unpack, translate,
repack with apktool
Language Barrier

Unfortunately …
strings.xml is not
enough for a app
because WebViews
Language Barrier

Language Barrier … Google Translate

move-result-object v0
const-string v1, "SAMU"
invoke-static {v1, v0}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
private static final String TAG = "SAMU";
Log.i(TAG, result);
Debugging
Patching debug messages in smali code for logging

String url = "http://ssweb.moiba.or.kr/pushAlarm";
WebView webview = (WebView)findViewById(0x7f070000);
webview.getSettings().setJavaScriptEnabled(true); 
webview.addJavascriptInterface(new JavaScriptInterface(),
"SmartSheriff");
webview.postUrl(url, obj);
var String = window.jsinterface.getSomeString();
// window.jsinterface.getClass().forName('java.lang.Runtime')
RCE with insecure WebView
Accessing Java methods from JavaScript in Android 2.4 to 4.1
SMS-01-001
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/

String url = "http://ssweb.moiba.or.kr/pushAlarm";
WebView webview = (WebView)findViewById(0x7f070000);
webview.getSettings().setJavaScriptEnabled(true); 
webview.addJavascriptInterface(new JavaScriptInterface(),
"SmartSheriff");
webview.postUrl(url, obj);
What is SSL?
SMS-01-003

Smart Sheriff – SSL v2.0
Fast forward to the fix…

https://api.moiba.or.kr/MessageRequest_New
Smart Sheriff – How to SSL like a pro
They switched to SSL for real O.o ?
SMS-01-003 No use of any SSL/TLS-based transport security FIXED?

Smart Sheriff – How to SSL like a pro
SMS-02-008
public final void onReceivedSslError(WebView
paramWebView, SslErrorHandler paramSslErrorHandler,
SslError paramSslError)
{
paramSslErrorHandler.proceed();
}
implements HostnameVerifier {
public final boolean verify(String paramString,
SSLSession paramSSLSession)
{
return true;
}

SMS-01-005
"]5ZWSVAB5]" "05555215554"
• But SSL is not necessary, when you do your own crypto Layer…
moibagtwigsystemsfightinghhhkkkkok

moibagtwigsystemsfightinghhhkkkkok
SMS-01-005
"]5ZWSVAB5]" "05555215554"
XOR Key: mx00oibagtwx00igsystex00msfightx00inghhhkx00kkkok

Smart Sheriff – Crypto v2.0
Fast forward to the fixes…

"+yld3N...aVIjqteA==„ { “action”:”CLT_MBR_GETCL...
"MOBILE":"3ZP[QVDC6]UK@JC",
"DEVICE_ID: ... }
moiba1cybar8smart4sheriff4securi
SMS-01-012
• MOIBA added more crypto…

"+yld3N...aVIjqteA==„ { “action”:”CLT_MBR_GETCL...
"MOBILE":"3ZP[QVDC6]UK@JC",
"DEVICE_ID: ... }
moiba1cybar8smart4sheriff4securi
SMS-01-012
• Useless AES layer with static key

API Design
SMS-01-012
request="+yld3N...aVIjqteA=="
{ "action":"CLT_MBR_GETCL...
"MOBILE":"]5ZWSVAB5]",
"DEVICE_ID: ... }
"05555215554"
{"SYNC_APP_LIST":
{"BLCK_ACT_DIVN":[], ...
"CHILD_BIR_YMD":"20050105",
"CHILD_BLCK_GRADE":"2","PAS
SWORD":"****","DIVN":"CHILD
"}}
Fail SSL
Request Response

Smart Sheriff – Bully API
SMS-01-018
API

SMS-01-018
API
API response with the password (XORed)

Smart Sheriff – Bully API - Pass Leak
SMS-01-018
root@redstar-os $ curl -v -s 'http://api.moiba.or.kr/MessageRequest
--data '{ "action":"CLT_MBR_GETCLIENTMEMBERINFO", "MOBILE_MACHINE_INFO":"XXX", "MOBILE":"
5ZWSVAA5[", "DEVICE_ID":"unknown" }'
> POST /MessageRequest HTTP/1.1
> Host: api.moiba.or.kr
> User-Agent: curl/7.48.0
> Accept: */*
> Content-Length: 141
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 141 out of 141 bytes
< HTTP/1.1 200 OK
< Date: Sun, 15 Oct 2015 17:05:20 GMT
< Server: Apache/2.0.65 (Unix) DAV/2 mod_jk/1.2.37
< Content-Length: 242
< Content-Type: text/plain; charset=euc-kr
< 
{"CHILD_GRADE_TYPE":"","CHILD_BIR_YMD":"","MEMBER_YN":"Y","CHILD_BLCK_GRADE":"","PASSWORD":"
2]","PARENT_MOBILE":"5ZWSVAA5[","REGISTRATION_ID":"","DIVN":"PARENT"}
2] 1234
5ZWSVAA5[ 15555215652

SMS-01-018
Smart sheriff has so many users, you can find valid phone
numbers by just trying random numbers.
root@redstar-os $ python sheriff_raid.py
CHILD : 010XXXXXXXX - pw: 0879 -> parent number: 010XXXXXXXX
PARENT : 010XXXXXXXX - pw: 8493
Parent passwords. 4 digit strong!

Bruteforce numbers - Skip to 2:54

Smart Sheriff – Bully API - Fake usage
SMS-01-018
API
No authentication for the child application.
There is a DEVICE_ID as session cookie, but most API
endpoints simply accept the phone number to perform
updates.

Smart Sheriff – Bully API v2.0
Fast forward to the fixes…

SMS-02-009
API
Guess what happened using a different User Agent :D

SMS-02-010
API
No authentication for the child application.
You can still fake the phone usage (kid installs p0rn
app)
Smart Sheriff – Bully API v2.0

XSS
• SMS-01-008 Reflected XSS
on ssweb.moiba.or.kr via CHILD_MOBILE FIXED!
But…
• SMS-02-008 Reflected XSS
on ssweb.moiba.or.kr via H_TYPE ???!

You really screwed up when even Google indexes your vulns!

Why not? – Tomcat 6.0.29 (released 2009)

Block websites
function shouldOverrideUrlLoading()…
if(s.startsWith("market://") || s.startsWith("tel:")
|| s.startsWith("http") && !s.contains("ssweb.moiba.or.kr"))
SMS-01-002
blocked allowed :D
http://blocked.com http://blocked.com/?blah=ssweb.moiba.or.kr

Insecure Storage on SD card
Object obj = new File((new StringBuilder())
obj.append(Environment.getDataDirectory());
obj.append("/data/com.gt101.cleanwave/databases/SmartSheriff.db");
Object obj1 = new File(Environment.getExternalStorageDirectory(), "");

Unlicensed Fonts
„This font is made with the trial version of FontCreator.
You may not use this font for commercial purposes.“

Test and dev. snippets everywhere
{"a1":"!@#$%^&*()_+","a2":"/","a3":"
","a4":""","a5":"''''","a6":"aaa한글 테스트 ....aaa"}
http://api.moiba.or.kr/test/
http://api.moiba.or.kr/aaa/
http://api.moiba.or.kr/aaa2/
…
Test URLs:

Test and dev. snippets everywhere
http://220.117.226.129:8082 http://
hikdev.cafe24.com/demo-gcm-server
http://ssadm.moiba.or.kr/
<li><a href='/index'>관리자메인</a></li>
<li><a href='/subMain'>서브메인메인</a></li>
<li><a href='/harm/app/list'>유해정보관리</a>
<ul>
<li><a href="/harm/app/appList">앱관리</a></li>
<li><a href="/harm/site/list">사이트관리</a></li>
<li><a href="/harm/accept/acceptList_app">앱/사이트 접 관리</a></li>
</ul>
</li>
<li><a href='/member/admin/memberAdm'>가입자관리</a>
<li><a href='/minwon/minwonList'>민원관리</a>
<li><a href='/home/report/list'>홈이지</a></li>
</ul>
 <a href='/html/filelist.html'>디자인</a> 
<a href='/minwon/minwonPushTest'>Push TEST</a> 
<a href='/minwon/livePushTest'>Live Push TEST</a> 
<a href="minwon/logPushTest">log Push Test</a>

Big pile of
• XSS
• Leaking personal data over the API
• No authentication
• No Transport Security
• Even a SQL injection inside their mobile app for the .db
• ….
Seriously:
https://cure53.de/pentest-report_smartsheriff.pdf
https://cure53.de/pentest-report_smartsheriff-2.pdf

Citizen Lab publishes the report

Some media attention
… but reaction was a
bit underwhelming

„Thanks for the free pentest!“
It kinda backfired…

Did we just help improving surveilance software?

Citizen Lab publishes updated report

MOIBA reacts and pulls the app

Find the difference!
사이버안심존 
(Cyber Safety Zone)
스마트보안관
(Smart Sheriff)

Web Interface – Cyber Safety Zone

Smart Sheriff / Cyber Safety Zone
• MOIBA didn‘t deprecate the API
• MOIBA renamed the app
• MOIBA is trying to hide the issues
But what is up with Smart Dream?

The new MOIBA – Login for Parents
Smart Sheriff / Cyber Safety Zone Smart Dream

Smart Dream Nightmare
Parent Child
• Parent-Mode: Check messages and searches containing
dangerous words
• Child-Mode: Monitoring SMS/KakaoTalk and google
searches. installs as accessibility service

• Very clever solution - request accessibility permissions
• Abusing functionality intended for text2speech, …
How do they read KakaoTalk?

Parent App
monitoring SMS
Parent Web Backend

XSS via SMS/KakaoTalk messages (no authentication)… and no SSL?

Register an account
Korean number needed. And wait for verification SMS…
Or simply change forms.auth_ok.value = "1"

Register an account
Fixed!?... you can still register via the App
Korean number needed. And wait for verification SMS…
Or simply change forms.auth_ok.value = "1"

+700k Messages from +55k Children
root@redstar-os $ python nightmare.py
### Messages from Child:
From: ".인터넷" (5)
1. [KakaoTalk] (violence/gang up): "투명성성인기회"
2. [KakaoTalk] (blackmail/money): "깡패?"
3. [KakaoTalk] (violence/맞다): "한!!국교!!„
4. [KakaoTalk] (blackmail/빌려달라): "보안어린이개방성사랑정?"
5. [KakaoTalk] (threat/kill): "성인성인괴상한해킹비밀한국성인강남스타일모바일„
 
From: ".사이버억압♡" (2)
1. [KakaoTalk] (rant/crazy girl acting as child): "투명♥♥"
2. [KakaoTalk] (abuse/fuck it): "비 밀사 이버비？밀번역 조 화정부 기 회개인 성 인 어린이정 ..."
 
From: "010XXXXXXXX" (3)
1. [SMS] (harass/desperate): "어린이강남스?타일인터넷"
2. [SMS] (harass/): "깡패구글괴상한"
3. [SMS] (harass/desperate): "부패교육감?"
 
From: ".사이버투♥" (3)
1. [KakaoTalk] (threat/kill): "해킹 평등"
2. [KakaoTalk] (harass/desperate): "자 기 검열보?"
3. [KakaoTalk] (violence/gang up): "강남스타일!!!"

Smart Sheriff, Dumb Idea, the wild west of government assisted parenting

The Most Offensive Slide :O
The 1086 "harmful" words that are monitored by smart dream

The Most Offensive Slide :O
The 1086 "harmful" words that are monitored by smart dream
Example words:
divorce, single parent,
remarriage, adoption,
earn money, multiculturalism,
menstruation, breast, stress,
I hate …, girlfriend, boyfriend,
break up, dating, lie, beer,
person/friend/guy/girl I like,
r-rated, sex, discrimination,
black history, going to school,
borrow, sarcasm, fanboy,
gangster, disability,
reporting to police, …

MOIBA‘s guide to fixing vulns
Lack of Authentication
Important parameters
will be encrypted with AES256
Hardcoded API key 1. Put API key into NDK binaries
2. Each user get‘s own key
XSS with messages
Before sending SMS message,
escape and replace special chars

Another big pile of
• XSS
• No SSL
• Lack of Authentication and Authorization
• Accessing stored messages and searches
• …

But what about the other apps?

We love you too, Plantynet
DamnYouHackerwHAt1syoUrBENefitwhEnDeComPil2Th1saPpplEas2DOnOtd1sTurbUs
“Damn You Hacker what is your benefit when
decompile this app please dont disturb us”
Found as a string inside a Java class:

... guess why they don‘t want people looking

SKT Corperation
• Encrypted/obfuscated application 
implemented via native library

Defeat Obfuscation – Lame Strategy
• Encrypted/obfuscated application 
implemented via native library

• Jeff from CitizenLab  
reverse engineered the binary
• AES key unwrapping
(RFC 3394)
• PBKDF2 HMAC
• AES ECB
Defeat Obfuscation – Cool Strategy

SKTelecom - Issues
• No HTTPS
• XSS

• Take a step back
• Imagine these apps were magically 100% secure
• Would you trust any company or government...
• ... to have a database with all that information?
• Phone usage statistics (times, apps)
• SMS/IM Messages
• Knowing family associations
• Names and birthdays
A note for reflexion

What is happening next?
• The Korean government proposed a new bill to make opt-out
possible
• OpenNet Korea submitted a constitutional complaint about the
law 
! final decision in 2-3 years
• Should there be regulations for parental/child-protection apps? 
! eg. no cloud service, only local

Reports
• [20 September 2015] Are the Kids Alright? Digital Risks to
Minors from South Korea’s Smart Sheriff Application -
https://citizenlab.org/2015/09/digital-risks-south-korea-
smart-sheriff/
• [1 November 2015] The Kids are Still at Risk: Update to
Citizen Lab’s “Are the Kids Alright?” Smart Sheriff report -
https://citizenlab.org/2015/11/smart-sheriff-update/
• [21 September 2015] Submission to the 113th Session of the
UN Human Rights Committee for Fourth Periodic Report of
the Republic of Korea -  
http://opennetkorea.org/en/wp/wp-content/uploads/
2016/03/INT_CCPR__KOR_OPEN_NETSmart-Sheriff.pdf

Some News Articles
• [19 May 2015] Don’t text ‘beer’ in Korea: Words that
trigger teen alerts - http://www.japantimes.co.jp/
news/2015/05/19/asia-pacific/dont-text-beer-korea-
words-trigger-teen-alerts/
• [16 June 2015] South Korea provokes teenage
smartphone privacy row - http://www.bbc.com/news/
technology-33091990
• [21 September 2015] Smart Sheriff child surveillance
app leaves South Korean kids vulnerable to hackers -
http://www.cbc.ca/news/technology/smart-
sheriff-1.3236682

Abraham Aranguren (@7a_) - abraham@cure53.de
 
Fabian Fäßler (@samuirai) - fabian@cure53.de
Reports: https://cure53.de/#publications
Questions/Comments/Discussion

Smart Sheriff, Dumb Idea, the wild west of government assisted parenting

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Smart Sheriff, Dumb Idea, the wild west of government assisted parenting (20)

Recently uploaded (20)

Smart Sheriff, Dumb Idea, the wild west of government assisted parenting