citizen lab – Techdirt

NSO Group Continues To Use The Lawsuit Filed Against It By WhatsApp To Harass Canadian Security Researchers

from the if-you-can't-beat-'em,-fuck-with-'em dept

Israeli malware manufacturer NSO Group spent years making good money selling to bad people. Its only concern for the longest time was how long it would take nearby autocrats and totalitarians to start targeting Israeli citizens.

To be fair, the Israeli government shares at least some of the blame. Surrounded by entities that would love to see it erased from the earth, the government helped broker deals with unfriendly countries — a perverse form of diplomacy that allowed some of its worst enemies to gain access to extremely powerful spyware.

NSO is no longer the local darling in Israel. In fact, none of its competitors are either. The country achieved terminal embarrassment velocity following the leak of documents that appeared to show many of NSO’s customers were abusing access to its Pegasus spyware to target journalists, dissidents, human rights lawyers, political opponents, and even the occasional ex-wife and her lawyer.

NSO has also been sued multiple times. The first tech firm to sue NSO was WhatsApp. Backed by Meta, WhatsApp took NSO to court for using WhatsApp’s US-based servers to deliver malware packages to users targeted by NSO’s absolute shitlist of customers.

Some of what WhatsApp observed might have been due to the FBI taking a bespoke version of NSO’s Pegasus for a spin before deciding it would be pretty much impossible to use it without doing a ton of damage to the Fourth Amendment.

This lawsuit has not gone well for NSO. It invoked a variety of defenses, including sovereign immunity, reasoning that it was a stand-in for the governments it sold to. And, as such, it was entitled to the same immunity often granted foreign governments by US courts.

This tactic didn’t work. Not only did multiple courts (district, appellate, the Top Court in the Land) reject NSO immunity overtures, but the original court handling this lawsuit ordered the company to turn over its code to WhatsApp. And that order meant all the code, not just the stuff involving NSO’s flagship spyware, Pegasus.

Far from the nation’s courts, Canadians have been giving NSO (and its competitors) fits for years. Citizen Lab — a group of Canadian malware researchers linked to the University of Toronto — has been examining NSO’s malware for years. More importantly, it’s been detecting infections and allowing those targeted by NSO spyware to rid themselves of these infections. In every case, Citizen Lab has exposed the targeting of the usual people: dissidents, opposition leaders, journalists, lawyers, diplomats, etc. The company continues to pretend this malware is sold to target the most dangerous criminals despite all evidence to the contrary.

With NSO now being asked to turn over its source code, it has decided to drag a non-party into the mix by going after Citizen Lab repeatedly during this lawsuit. (This is something its financial backers did years before NSO was a defendant in multiple lawsuits and an international pariah.)

As Shawn Musgrave reports for The Intercept, NSO appears to be engaged in a campaign of harassment against Citizen Lab… presumably because it has run out of believable defenses and/or solid litigation strategies.

For years, cybersecurity researchers at Citizen Lab have monitored Israeli spyware firm NSO Group and its banner product, Pegasus. In 2019, Citizen Lab reported finding dozens of cases in which Pegasus was used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability.

Now NSO, which is blacklisted by the U.S. government for selling spyware to repressive regimes, is trying to use a lawsuit over the WhatsApp exploit to learn “how Citizen Lab conducted its analysis.”

[…]

With the lawsuit now moving forward, NSO is trying a different tactic: demanding repeatedly that Citizen Lab, which is based in Canada, hand over every single document about its Pegasus investigation. A judge denied NSO’s latest attempt to get access to Citizen Lab’s materials last week.

While it’s good to see a court shut down this obvious attempt to turn Citizen Lab into a co-litigant, the fact remains that Citizen Lab has never been a party to this lawsuit. This is nothing more than NSO attempting to obtain information it has no legal reason to request, possibly because it’s still aching from being ordered to turn over its own information, i.e., its source code.

It also may be even more petty than the previous hypothetical: it may be trying to get Citizen Lab to burn up some of its limited resources fighting stupid requests for stuff NSO shouldn’t even be asking for, much less expecting a judge to sign off on.

Whatever it is, it certainly isn’t good litigation. This reeks of desperation. These are the acts of a litigant that has run out of options. NSO is just flailing, hoping to drag down a non-party with it as it heads towards a seemingly inevitable loss.

And this certainly isn’t a winning strategy. It’s not even capable of maintaining the miserable status quo NSO Group is currently mired in. Citizen Lab (obviously) refused these demands for information (justifiably!) and the judge handling the case has made it clear there’s almost zero chance of NSO being able to drag anything out of this particular thorn in its side.

Citizen Lab opposed NSO’s demands on numerous grounds, particularly given “NSO’s animosity” toward its research.

In the latest order, Hamilton concluded that NSO’s demand was “plainly overbroad.” She left open the possibility for NSO to try again, but only if it can point to evidence that specific individuals that Citizen Lab categorized as “civil society” targets were actually involved in “criminal/terrorist activity.”

lol at that last sentence. Does anyone think anyone, much less an aggrieved NSO Group, has any evidence that the journalists, lawyers and activists Citizen Lab identified as “civil society” targets were involved in “criminal/terrorist activity?” All Citizen Lab has done is expose abuse of malware sold by NSO Group to governments with long histories of corruption and/or human rights abuses.

NSO is just going to keep on losing. Reap/sow. Lie down with dogs. The foreseeable consequences of actions. Etc. Etc. Etc. Citizen Lab will keep performing its important work. And, with any luck, NSO will soon collapse under the weight of its hubris. Hope the (temporary) shekels were worth it.

Filed Under: canada, discovery, harassment, source code, spyware, surveillance
Companies: citizen lab, meta, nso group, whatsapp

New Investigation Shows A US Journalist Critical Of The Saudi Government Was Hit With NSO Spyware

from the truly-an-unsurprising-development dept

Malware merchant NSO Group’s year of embarrassment continues. Leaked data published in July appeared to show NSO malware (namely its phone-hijacking malware Pegasus) had been used to target dissidents, journalists, religious leaders, and prominent politicians.

NSO reacted by first claiming the data showed nothing of the sort or at least was unrelated to its malware and its customers. Then it made contradictory claims, saying it terminated contracts when it discovered abuse of its products and that it had no visibility into its customers’ actions. Puzzling.

Then things somehow got worse. Countries accused of using NSO Group malware to target critics and journalists decided to sue critics and journalists. Israel’s government opened an investigation into the Israeli company. Another investigation found the government of Bahrain was engaging in exactly the kind of abuse NSO claimed it didn’t allow. And, thanks to some pretty ugly divorce proceedings, it came to light that Dubai’s ruler had used the malware to spy on his ex-wife and her lawyer.

The debacle continues. An investigation by Citizen Lab — which has uncovered previous misuse of NSO’s software — reveals an American journalist was targeted multiple times by NSO’s hacking tools.

New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.

The investigators aren’t sure who targeted Hubbard, but they do note that complaining to NSO about being targeted in violation of the company’s guidelines has zero deterrent effect on future targeting.

The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.

While it would seem the most likely suspect is the Saudi government (or perhaps the prince himself, given what we now know about individual misuse of NSO spyware), Citizen Lab doesn’t have enough information to definitively say who’s behind the second round of targeting. And, given government/government officials’ willingness to sue journalists over accusations of spying, Citizen Lab is wise to play it safe when it comes to attribution.

The in-depth report is worth reading, detailing how Citizen Lab arrived at these conclusions, as well as noting the similarities between these attacks (which utilized both malicious links and zero-click exploits) and ones observed targeting a Saudi activist earlier this year. And it shows NSO is still months away from being able to put this in the rearview mirror. A change of culture is needed at NSO, and it needs to cancel all contracts with countries whose governments’ abuses of human rights and hacking tools have already been the subject of years of reporting.

Filed Under: ben hubbard, malware, pegasus, spyware, surveillance
Companies: citizen lab, nso

Investigation Finds NSO Malware Being Used By The Bahrain Government To Target Activists And Dissidents

from the truly-unsurprising-development dept

More bad news for Israeli malware purveyor NSO Group. Despite its contradictory and simultaneous claims that it does not allow its customers to abuse its products and that it has no way of monitoring use of its products, more evidence continues to surface that shows the company’s customers are deploying NSO’s malware to target journalists, activists, prominent politicians, and religious leaders.

Citizen Lab — which has uncovered plenty of abusive use of NSO malware previously — has released another report showing a repressive government using NSO spyware to spy on activists opposed to the country’s current leadership. The investigation also corroborates something NSO has repeatedly denied: that the list of numbers leaked to journalists and investigators is actually a list of potential targets of NSO’s customers. That list included plenty of journalists, activists, politicians, and religious leaders.

Perhaps the most worrying thing about this report is the use of an exploit that bypasses security measures activists would logically adopt: refusing to click on links sent by unknown senders.

We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.

The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).

And here’s at least partial confirmation that the leaked list of potential targets has something to do with NSO Group and its customers:

We shared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that numbers associated with five of the hacked devices were contained on the Pegasus Project’s list of potential targets of NSO Group’s customers, data that Forbidden Stories and Amnesty International describe as dating from 2016 up to several years ago.

If NSO Group is serious about preventing abuse of its products, the first step it could take is refusing to sell exploits to abusive governments. As Citizen Lab points out, Bahrain’s government has a long history of human rights abuses. While things improved slightly and briefly around the turn of the century, everything reverted back to the abusive mean a decade later, when reforms were rolled back and the government went back to imprisoning and torturing dissidents, critics, and anti-government activists.

And you can’t find people to jail and torture without domestic spying, which the Bahraini government enthusiastically engages in. That apparently includes spying on activists and dissidents who have left the country. The report says two Bahraini citizens who now live in London were hit with NSO malware. But this may have been a proxy hack on behalf of the Bahrain government. Citizen Lab notes it has only seen the Bahrain government deploy malware in its own country or in neighboring Qatar. So, these hacks may have been performed on its behalf by a friendly government with its own set of NSO malware.

In conclusion, NSO Group is complicit in the surveillance, imprisonment, torture, and silencing of activists around the world. The company claims it is selective about who it sells to and that it takes action when there are reports of abuse, but neither of these statements can possibly be true.

While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding, and documented evidence of Bahrain’s serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group.

Once again, if NSO’s statements about preventing abuse are going to be taken seriously, the company needs to dump customers with proven track records of human rights abuses. That’s the bare minimum it can do to prevent its exploits from being used to target people governments just don’t like. If these tools have been developed to fight dangerous crime and terrorism, the worst thing to do is place them in the hands of governments whose actions are criminal and often indistinguishable from terrorism.

Filed Under: activists, bahrain, dissidents, malware, pegasus, spyware, surveillance
Companies: citizen lab, nso group

Israeli Tech Company's Spyware Still Being Used To Target Journalists And Activists

from the buy-it-for-safety,-use-it-for-evil dept

Israeli exploit/malware developer NSO Group says its products are marketed to governments for legitimate national security and law enforcement purposes. Yet somehow it keeps ending up in the hands of governments with terrible human rights records and deployed against journalists, dissent groups, and activists.

The software sold by NSO is being deployed against journalists in Mexico — ones looking to expose government corruption. This report by the Columbia Journalism Review provides more details on the hacks, building off Citizen Lab’s exposure of NSO’s “Pegasus” spyware.

Mexico has been ground zero for Pegasus’s deployment against journalists. At least six reporters have been targeted there, according to exhaustive research by both Citizen Lab and the Mexican digital rights group R3D. Those attacks coincided with major journalistic investigations that challenged the Mexican government. For example: three reporters who were targeted worked on the “Casa Blanca Scandal,” a major story exposing how Mexico’s first lady was given a mansion by a government contractor who later received lucrative contracts. Mexican television journalist Carlos Loret de Mola was targeted while he was reporting on extrajudicial killings. Although three Mexican federal agencies have access to Pegasus, the government has denied it ever launched any attacks on reporters.

This is more of the same for NSO’s spyware. Citizen Lab also uncovered use of the software by notorious human rights violators like Saudi Arabia, Kazakhstan, and the United Arab Emirates. In many cases, deployments targeted critics and activists, rather than criminals or national security threats. The deployments are disturbing enough. The tactics are even worse:

The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats.

CJR’s report is supposed to act as a warning for journalists around the world. They are targets, no matter what their governments say and no matter how NSO frames its pitches.

And we’re not completely immune to this in the United States. Although any deployment against journalists would be viewed as a serious violation of Constitutional rights, the fact is US government agencies are seeking to purchase NSO’s spyware for use in their work. The DEA has met with NSO in the recent past and the agency’s own past suggests it isn’t above violating rights to further its own ends. No rights violations have been seen yet but, as we’ve seen before, the government is willing to impersonate journalists to track down suspects. Infecting journalists’ phones to track down leakers and whistleblowers isn’t that much of a step forward.

Filed Under: activists, journalism, mexico, pegasus, spyware
Companies: citizen lab, nso

Apple Updates iOS To Close Three Separate 0days That Were Being Exploited

from the throw-away-your-phone dept

As you may have heard, if you have an iOS device (iPhone, iPad, even iPod Touch) you should be updating your devices, like a few hours ago. Seriously, if you haven’t done it yet, stop reading and go update. The story behind this update is quite incredible, and is detailed in a great article over at Motherboard by Lorenzo Franceschi-Bicchierai. Basically after someone (most likely a gov’t) targeted Ahmed Mansoor, a human rights activist in the United Arab Emirates, with a slightly questionable text (urging him to click on a link to get info about prison torture), a team of folks from Citizen Lab (who have exposed lots of questionable malware) and Lookout (anti-malware company) got to work on the text and figured out what it did. And, basically, the short version is that the single click exploits three separate 0day vulnerabilities to effectively take over your phone in secret. All of it. It secretly jailbreaks the phone without you knowing it and then accesses basically everything.

“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram… you name it.”

So that’s great.

The researchers believe they’ve tracked the exploit back to a secretive hacking company called NSO Group. The full Citizen Lab writeup on all of this is quite fascinating as well. They estimate that this exploit from NSO probably costs in the range of a million dollars on the market, though obviously it’s closed now. That doesn’t mean that NSO or others don’t have other exploits up their sleeves.

The report also notes that this kind of exploit is probably just used by nation states right now, but there’s nothing to say that it couldn’t move down the stack before too long, letting all sorts of mischievous characters look to basically completely pwn your phone. Pretty scary stuff, and yet another reminder of why it’s so dangerous that folks like the NSA are hoarding 0days, rather than revealing them, and that the FBI is trying to force tech companies to break encryption and other tools that are necessary to block these kinds of attacks.

Filed Under: 0days, exploits, hacking, human rights, ios, iphone, surveillance, vulnerabilities
Companies: citizen lab, lookout, nso

Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country

from the 'you're-making-us-look-bad'-said-company-caught-looking-bad dept

Nothing says “Please stop talking about the bad stuff we do” quite like a bogus defamation lawsuit. Citizen Lab, which has reported on a great number of tech companies that are less than discriminating in their selection of customers (think Hacking Team), has been served with a lawsuit by a purveyor of internet censorship software.

On January 20, 2016, Netsweeper Inc., a Canadian Internet filtering technology service provider, filed a defamation suit with the Ontario Superior Court of Justice. The University of Toronto and myself were named as the defendants. The lawsuit in question pertained to an October 2015 report of the Citizen Lab, “Information Controls during Military Operations: The case of Yemen during the 2015 political and armed conflict,” and related comments to the media. Netsweeper sought $3,000,000.00 in general damages; $500,000.00 in aggravated damages; and an “unascertained” amount for “special damages.”

Netsweeper apparently was less than amused by Citizen Lab’s insistence on reporting facts, including the nasty one about it supplying internet filtering software to a country whose government has been blacklisted by the United Nations. You know, things like this:

The research confirms that Internet filtering products sold by the Canadian company Netsweeper have been installed on and are presently in operation in the state-owned and operated ISP YemenNet, the most utilized ISP in the country.

Netsweeper products are being used to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.

These new categories of censorship are being implemented by YemenNet, which is presently under the control of the Houthis (an armed rebel group, certain leaders and allies of which are targeted by United Nations Security Council sanctions).

Netsweeper was given a chance to defend itself against Citizen Lab’s allegations before the report was made public.

We sent a letter by email directly to Netsweeper on October 9, 2015. In that letter we informed Netsweeper of our findings, and presented a list of questions. We noted: “We plan to publish a report reflecting our research on October 20, 2015. We would appreciate a response to this letter from your company as soon as possible, which we commit to publish in full alongside our research report.”

Netsweeper never replied.

Rather than meet the situation head on, Netsweeper chose to hang back and lob a lawsuit at Citizen Lab after it published its report. Fortunately for the security researchers, Netsweeper has chosen to drop its lawsuit entirely, possibly because pursuing the questionable defamation claims would have put it up against Ontario’s version of anti-SLAPP laws: the Protection of Public Participation Act.

The world of security research is still a dangerous place. When researchers aren’t being arrested for reporting on their findings, they’re being sued for exposing security flaws and highly-questionable behavior. It’s a shame there aren’t more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.

Filed Under: canada, censorship, citizen lab, filtering, software, yemen
Companies: citizen lab, netsweeper

China Considers Cutting Itself Off From The Global Internet, As Three Home-Grown Browsers Are Found Leaking Personal Data

from the probably-just-a-coincidence dept

Techdirt readers know that the Chinese authorities have been steadily tightening their grip on most aspects of online life in the country, but there’s one area that hasn’t been mentioned much: the Web browser. Recently, a new report from the University of Toronto’s Citizen Lab identified security and privacy issues in QQ Browser, a mobile browser produced by the China-based Internet giant Tencent. Here’s a summary:

> The Android version of the browser transmits personally identifiable data, including a user’s search terms, the URLs of visited websites, nearby WiFi access points, and the user’s IMSI [International Mobile Subscriber Identification] and IMEI [International Mobile Equipment Identifier] identifiers, without encryption or with easily decrypted encryption. Similarly, the Windows version sends personally identifiable data, including the URL of all pages visited in the browser, a user’s hard drive serial number, MAC address, Windows hostname, and Windows user security identifier, also without encryption or with easily decrypted encryption.

Now, this could just be the result of some supremely sloppy coding combined with lax privacy practice — in theory, at least. But that generous interpretation becomes rather harder to sustain when you bear in mind that this is not the first time Citizen Lab has found this behavior. To be precise, this is the third time. Last month, it discovered that Baidu Browser, a free Web browser for the Windows and Android platforms produced by Baidu, one of China’s biggest tech companies, has strikingly similar problems to QQ Browser:

> The report identifies security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user’s geolocation, hardware identifiers, nearby wireless networks, web browsing data and search terms. Such user data is transmitted, in both the Windows and Android versions, unencrypted or with easily decryptable encryption, which means that any in-path actor could acquire this data by collecting the traffic and performing any necessary decryption. In addition, neither version of the application secures its software update process with a digital signature, which means that a malicious in-path actor could cause the browser to download and execute arbitrary code.
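
The unsigned update channel is the worst of those findings, because it turns a privacy leak into remote code execution for anyone on the path. To make that concrete, here is an added example in Go; it is my illustration, not Citizen Lab’s code and not anything from Baidu or Tencent. It models a hypothetical update client three ways: one that runs whatever arrives, one that checks a hash shipped next to the payload over the same channel, and one that verifies an Ed25519 signature under a publisher key compiled into the client. The package layout, the key pairs and the payload bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is what the hypothetical client downloads over plain HTTP: the
// code to install, a hash of it published alongside, and a detached signature.
// The layout is this example's, not any real browser's update format.
type UpdatePackage struct {
	Payload   []byte
	SHA256    [32]byte // travels on the same channel as Payload
	Signature []byte   // Ed25519 signature over Payload
}

// publish builds a package the way a build server holding priv would.
func publish(priv ed25519.PrivateKey, code []byte) UpdatePackage {
	return UpdatePackage{
		Payload:   code,
		SHA256:    sha256.Sum256(code),
		Signature: ed25519.Sign(priv, code),
	}
}

// tamper is the in-path attacker from the report. Everything travels on one
// unauthenticated channel, so the attacker rewrites payload, hash and
// signature together; the one thing it cannot do is sign with the publisher's
// private key.
func tamper(attacker ed25519.PrivateKey, malware []byte) UpdatePackage {
	return publish(attacker, malware)
}

// installUnchecked is the behaviour the report describes: run whatever arrives.
func installUnchecked(pkg UpdatePackage) ([]byte, error) {
	return pkg.Payload, nil
}

// installHashChecked compares the payload against the hash shipped with it.
// That catches accidental corruption but not substitution, because the
// attacker supplies a matching hash.
func installHashChecked(pkg UpdatePackage) ([]byte, error) {
	if sha256.Sum256(pkg.Payload) != pkg.SHA256 {
		return nil, errors.New("update: hash mismatch")
	}
	return pkg.Payload, nil
}

// installSigned accepts the payload only if its signature verifies under the
// publisher public key compiled into the client. The attacker's package fails
// here whatever hash or signature it carries.
func installSigned(pkg UpdatePackage, publisher ed25519.PublicKey) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update: malformed signature")
	}
	if !ed25519.Verify(publisher, pkg.Payload, pkg.Signature) {
		return nil, errors.New("update: signature does not verify under publisher key")
	}
	return pkg.Payload, nil
}

// mustKey generates a fresh key pair for the demonstration.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	publisherPub, publisherPriv := mustKey()
	_, attackerPriv := mustKey()
	genuine := publish(publisherPriv, []byte("browser-1.2.3")) // constructed payload
	hostile := tamper(attackerPriv, []byte("attacker-code"))    // constructed payload

	installers := map[string]func(UpdatePackage) ([]byte, error){
		"unchecked":    installUnchecked,
		"hash-checked": installHashChecked,
		"signed":       func(p UpdatePackage) ([]byte, error) { return installSigned(p, publisherPub) },
	}
	for name, install := range installers {
		_, errGenuine := install(genuine)
		got, errHostile := install(hostile)
		fmt.Printf("%-12s genuine accepted: %-5v attacker code runs: %v\n",
			name, errGenuine == nil, errHostile == nil && bytes.Equal(got, hostile.Payload))
	}
}
```

Only the signed variant refuses the swapped payload. The hash check catches corruption but not substitution, because the attacker rewrites the hash too; the same holds for any integrity value that travels on the channel it is meant to protect. Run it with `go run`.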

And before that, back in May last year, the same researchers found unauthorized transmission of personal data by another widely-used browser:

> UC Browser is among the most popular mobile apps in the Chinese Internet space. UC Browser claims to have more than 500 million registered users, and is reported to be the most popular mobile browser in China and India. Overall, the application is the fourth most popular mobile browser globally, and is behind only pre-installed Chrome, Android, and Safari browsers.

Putting these three browsers together, you have a serious chunk of not just the Chinese online population, but across the whole of Asia. As the Citizen Lab researchers point out:

> That the three China-based browser applications we have examined all evince strikingly similar data gathering and insecure data handling problems raises an obvious question of whether there is some underlying cause for the similarities.

The post runs through all the options, including the most likely explanation: that the companies were ordered by the Chinese authorities to build in these highly-useful vulnerabilities. Not surprisingly:

> The questions we asked the companies about government directives or influence have not been directly answered.

But if anyone still doubts that the Chinese government wants to control every aspect of the Internet, they may like to consider the following recent report in The New York Times:

> A draft law posted by one of China’s technology regulators said that websites in the country would have to register domain names with local service providers and with the authorities.

It’s not entirely clear what that means, but there is one possibility that would be very problematic for Chinese Internet users — and for every Western company operating in the country:

> If the rule applies to all websites, it will have major implications and will effectively cut China out of the global Internet. By creating a domestic registry for websites, the rule would create a system of censorship in which only websites that have specifically registered with the Chinese government would be reachable from within the country.

China’s technology regulator has rejected that interpretation, and said that there is a “misunderstanding.” But if past experience teaches us anything, it is that there really are no limits to what the present Chinese leadership is willing to do in order to bring the online world under control. And that doubtless even includes cutting China off from the rest of the Internet, if need be.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: browsers, china, data leak, privacy, qq
Companies: citizen lab, tencent

Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate

from the dysfunctional-by-design dept

A few months ago, the South Korean government strongly suggested parents load their children’s cell phones up with government-approved spyware. It recommended an app called “Smart Sheriff.” The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children’s shoulder while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.

It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.

Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn’t even live up to the government’s own standards for data and information security.

Citizen Lab has uncovered a plethora of flaws that make Smart Sheriff even worse than it was when it was simply government-approved spyware.

We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child’s gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can’t be bothered to arrange for its safe travel?)

What comes through as plaintext is the user’s browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they’re addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.

Beyond that, the software’s authentication scheme can be recovered by reverse engineering or decompiling the app. There’s layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily-prised doors.

The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.

For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.
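
The quoted finding is a design error rather than an implementation bug: an identifier the client can compute is a credential anyone can compute. The Go example below is added here to show the difference; it is not Smart Sheriff’s code, and the XOR-with-app-constant scheme on the legacy side is a hypothetical stand-in for “reversible obfuscation”, chosen only because it is obviously invertible. The device identifier, the app constant and the enrolment table are constructed for the example. The replacement side issues a random token at enrolment and stores only its SHA-256, so nothing a phone or a decompiled app exposes lets an attacker impersonate another device.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// appKey stands in for a constant an attacker lifts from the decompiled app.
// The XOR scheme built on it is a hypothetical stand-in for "reversible
// obfuscation", not Smart Sheriff's actual algorithm.
var appKey = []byte("constructed-app-key")

// obfuscate is the legacy design's credential: the device identifier XORed
// with appKey. It is a bijection, so XORing again recovers the identifier
// (deobfuscate), and anyone holding appKey mints a valid credential for any
// identifier they can guess, enumerate or sniff.
func obfuscate(deviceID string) []byte {
	out := make([]byte, len(deviceID))
	for i := range out {
		out[i] = deviceID[i] ^ appKey[i%len(appKey)]
	}
	return out
}

func deobfuscate(cred []byte) string {
	return string(obfuscate(string(cred)))
}

// legacyAuth is the server side of that design: undo the obfuscation and check
// that the identifier belongs to an enrolled device. Knowing the identifier is
// the whole secret.
func legacyAuth(cred []byte, enrolled map[string]bool) bool {
	return enrolled[deobfuscate(cred)]
}

// issueToken is the replacement: at enrolment the server draws 256 random bits,
// hands the token to the device once, and never derives it from anything the
// device or the app already exposes.
func issueToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// tokenDigest is what the server stores; a leaked table yields no usable tokens.
func tokenDigest(token string) [32]byte {
	return sha256.Sum256([]byte(token))
}

// tokenAuth accepts a presented token only if the hash of it is on file.
func tokenAuth(presented string, onFile map[[32]byte]bool) bool {
	return onFile[tokenDigest(presented)]
}

func main() {
	// Constructed enrolment: one victim device with an IMEI-shaped identifier.
	victim := "358240051111110"
	enrolled := map[string]bool{victim: true}

	// An attacker with the app constant and a guessed identifier impersonates the device.
	forged := obfuscate(victim)
	fmt.Printf("legacy: recovered id %q, forged credential accepted: %v\n",
		deobfuscate(forged), legacyAuth(forged, enrolled))

	// With random tokens, the same knowledge buys nothing.
	token, err := issueToken()
	if err != nil {
		panic(err)
	}
	onFile := map[[32]byte]bool{tokenDigest(token): true}
	fmt.Printf("token: real token accepted: %v, guessed id accepted: %v\n",
		tokenAuth(token, onFile), tokenAuth(victim, onFile))
}
```

The same reasoning applies to the four-character administration code the quote mentions: a value that short is enumerable through the API unless the server rate-limits and locks out, and it should never be the only thing standing between a request and account takeover.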

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The “do something” do-goodery we see in our own legislators is echoed here. In response, a “good enough” solution is mandated, even if it’s not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes — not even the company that made the app.

After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.
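
“Accepts a self-signed certificate” means the client completes the TLS handshake and then skips the one check that makes it meaningful: building a chain from the presented certificate to a root it trusts, for the hostname it meant to reach. The Go example below is added here to show that check beside the skipped version; it is not MOIBA’s code, and the certificates it uses are minted on the fly for a made-up host name, `update.example`. Verifying against a pool that holds only the vendor’s own certificate is the pinning that would have made v1.7.6’s HTTPS worth shipping.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned mints a fresh self-signed certificate for host, standing in
// for whatever an update server presents. Keys and certificates are generated
// on the fly; nothing is copied from the vendor's service.
func newSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptAnything is what the quoted finding describes: the handshake completes
// and the client carries on without asking who signed the certificate or whose
// name is on it, so any in-path attacker with a self-signed cert is "the server".
func acceptAnything(rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	_, err := x509.ParseCertificate(rawCerts[0])
	return err
}

// verifyAgainst is the check that was skipped: build a chain from the presented
// leaf to a root in roots and confirm the certificate is valid for host. With
// roots holding only the vendor's own certificate this is certificate pinning.
func verifyAgainst(rawCerts [][]byte, roots *x509.CertPool, host string) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		intermediates.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	return err
}

func main() {
	const host = "update.example" // made-up host name
	genuine, err := newSelfSigned(host)
	if err != nil {
		panic(err)
	}
	forged, err := newSelfSigned(host) // an in-path attacker's cert for the same name
	if err != nil {
		panic(err)
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(genuine)

	fmt.Println("skip validation, forged cert:", acceptAnything([][]byte{forged.Raw}))
	fmt.Println("pinned roots, genuine cert:  ", verifyAgainst([][]byte{genuine.Raw}, pinned, host))
	fmt.Println("pinned roots, forged cert:   ", verifyAgainst([][]byte{forged.Raw}, pinned, host))
	fmt.Println("pinned roots, wrong host:    ", verifyAgainst([][]byte{genuine.Raw}, pinned, "other.example"))
}
```

In a real client the `rawCerts` slice is what the TLS library hands to a peer-verification callback; the point of the example is that the forged certificate parses fine and is only caught when the chain is built against roots the client chose and the name is checked.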

As Citizen Lab points out, the software does too much and too little, simultaneously, gathering the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children’s privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children’s cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.

Filed Under: leaks, privacy, smart sheriff, south korea, spyware
Companies: citizen lab