This article is more than 1 year old

North Korea's Red Star Linux inserts sneaky serial content tracker

Hermit Kingdom activists can feel more secure with Open Office

ERNW security analyst Florian Grunow says North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags.

The operating system, developed from 2002 as a replacement for Windows XP, was relaunched with a Mac-like interface in 2013's version three. The newest version emerged in January 2015.

Grunow says files including Microsoft Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into its code that includes a number based on hardware serial numbers.

"When analysing the OS the first thing that came to our attention is that they have built an own kernel module named rtscan. There is a binary running that is named opprc and a few more binaries, one that seems to simulate/pretend to be some kind of 'virus scanner' and seems to share some code base with opprc," Grunow says.

"The first thing that came to our attention when looking at the functions in the binary was gpsWatermarkingInformation.

"Creating and using media files and documents on RedStar OS can get you into trouble if you are living in North Korea; do not assume that the files can be kept private and cannot be traced back to the creator."

Grunow says the operating system does not watermark files created with the open source OpenOffice word processing suite.

A probe of the gpsWatermarkingInformation function shows it would watermark documents, images, and even audio that had been run on the operating system.

The research is the latest examination of Red Star since the disclosure of operating system vulnerabilities in January. The operating system has continue to intrigue sectors of the security industry since it was documented publicly in 2010.

The KDE 3 based operating system sports an OS X -like interface with a modified Mozilla Firefox browser dubbed Naenara which allows users to peruse the nation's 'Kwangmyong' intranet. ®

More about

More about

More about


Send us news

Other stories you might like