North Korean operating system is a surveillance state's tour de force

Further digging unveils more privacy-destroying features in Red Star OS


32c3 Fresh light has been shed on North Korea's Red Star OS, which – we're told – silently tracks the exchange of files between computers.

It was discovered in July that the software appends a fingerprint derived from the computer's hardware to files when they are opened.

Further analysis of the Nork government's operating system, which is based on Fedora Linux, was revealed by security researchers Florian Grunow and Niklaus Schiess at the 32nd annual Chaos Communications Congress in Germany this week.

Speaking to The Register ahead of their presentation titled "Lifting the Fog on Red Star OS," Grunow said he believed it was “quite important to look into an operating system that is built by a state” especially if that state is as secretive and repressive as North Korea.

A new version of Red Star OS, 3.0, shows that the impoverished country was not completely technologically illiterate, the researchers said: the software has the look and feel of Apple's OS X along with an in-house email client, calendar app, word processor, media player, a slide presentation program – which Grunow and Schiess used to give their talk – and a disk encryption tool.

Grunow said the Red Star developers "touched everything on the operating system," and strived to prevent someone from tampering with the code. One assumes said mechanisms are needed to stop people from disabling the file-tracking features. The operating system is standard issue to the few North Koreans who are allowed anywhere near a computer.

“DPRK put a lot of effort into having control over the system,” said Grunow, “and basically they wanted to build a resilient and secure system which could not be manipulated. They do this in a pretty transparent way: they inform the user if particular critical files have been changed, and if there are changes, the system will go into a reboot loop.”

"They did a pretty good job in building an architecture which is self-protecting," Schiess said. He added that Red Star OS includes an antivirus package that “actually contains a pattern-matching scanner that not even the root user can access. Tightly coupled with that is another background service that is watermarking files.”

Surveillance and censorship

The antivirus scanner, scnprc, has a user interface, and cannot be disabled without provoking a system reboot. It has a particularly crucial file called /tmp/AnGae.dat. Apparently, "Angae" translates to "fog" in Korean.

AnGae.dat contains UTF-16 strings of text in several different languages – phrases that, for example, translate into "strike with fists," "punishment," and “hungry". Any media files found by scnprc that contain any of the listed strings are automatically deleted.

The watermarking service, opprc, runs in the background out of sight, unlike the antivirus.

The researchers have now discovered that these watermarks can stack up inside a file – a new one is appended for each machine that handles the data – providing an audit trail for file distribution throughout the North Korean network. This would allow the authorities to trace the swapping of a file, perhaps containing sensitive information about the government, all the way back to its source, who along with their family will be in grave trouble if the transfer of information is unauthorized. "An oppressive state's wet dream," as Grunow described it.

The researchers have confirmed .docx, .rtf, .png, and .jpg files are watermarked, and other types may be as well. ®

Bootnote

The researchers encourage others with an interest to visit their Github repo – particularly the home-brewed cryptography programs Bokem (meaning Sword) and Pilsung (Victory), which may be flawed.

Broader topics


Other stories you might like

  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Abortion rights: US senators seek ban on sale of health location data
    With Supreme Court set to overturn Roe v Wade, privacy is key

    A group of senators wants to make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    A bill filed this week by five senators, led by Senator Elizabeth Warren (D-MA), comes in anticipation the Supreme Court's upcoming ruling that could overturn the 49-year-old Roe v. Wade ruling legalizing access to abortion for women in the US.

    The worry is that if the Supreme Court strikes down Roe v. Wade – as is anticipated following the leak in May of a majority draft ruling authored by Justice Samuel Alito – such sensitive data can be used against women.

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading

Biting the hand that feeds IT © 1998–2022