DeepSec2016 Talk: Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting – Abraham Aranguren & Fabian Fäßler

Sanna/ November 4, 2016/ Conference, Legal, Security, Stories

Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games?

Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!

Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the “Smart Sheriff” app, will share their findings. Maybe everything went allright, maybe the million kids forced to have this app run on their devices are safe. Maybe. But if so would there be a talk about it?

We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?

Going over the first and second pentest results we will share our impressions about the “security” of this ecosystem and show examples about the “comprehensive” vendor response, addressing “all” the findings impeccably. This talk is a great example of how security research concerning a serious political decision and mandatory measures might achieve nothing at all – or of how a simple pentest together with excellent activist work may spark a political discussion and more.

Abraham was an honors student in Information Security at university. From 2000 until 2007 his work experience was mostly defensive: Fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with a special focus on web app security. He is a senior member of the Cure53 team, and a senior consultant for Version 1 – the top IT consultancy in Ireland. Abraham is also the creator of “Practical Web Defense” – a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader, and sometimes writes on http://7-a.org or twitter as @7a_ and @owtfp.
Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.

As a shell scripting fan trained by unix dinosaurs Abraham wears a proud manly beard.

Previous presentations and some recordings can be found here and here.

Fabian did his bachelors degree in collaboration with IBM and is now doing his masters degree at the technical university in Berlin. He was always interested in IT security and started to seriously get into it after he discovered CTF competitions in 2011, and has since won the the German Cyber Security Challenge twice.

Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification.

Fabian is interested in all computer topics from low level hardware up to high level web applications and writes about it on his blog and on  twitter .

Contrary to Abraham, Fabian cannot grow a full beard.