North Korean operating system is a surveillance state's tour de force

Further digging unveils more privacy-destroying features in Red Star OS

32c3 Fresh light has been shed on North Korea's Red Star OS, which – we're told – silently tracks the exchange of files between computers.

It was discovered in July that the software appends a fingerprint derived from the computer's hardware to files when they are opened.

Further analysis of the Nork government's operating system, which is based on Fedora Linux, was revealed by security researchers Florian Grunow and Niklaus Schiess at the 32nd annual Chaos Communications Congress in Germany this week.

Speaking to The Register ahead of their presentation titled "Lifting the Fog on Red Star OS," Grunow said he believed it was “quite important to look into an operating system that is built by a state” especially if that state is as secretive and repressive as North Korea.

A new version of Red Star OS, 3.0, shows that the impoverished country was not completely technologically illiterate, the researchers said: the software has the look and feel of Apple's OS X along with an in-house email client, calendar app, word processor, media player, a slide presentation program – which Grunow and Schiess used to give their talk – and a disk encryption tool.

Grunow said the Red Star developers "touched everything on the operating system," and strived to prevent someone from tampering with the code. One assumes said mechanisms are needed to stop people from disabling the file-tracking features. The operating system is standard issue to the few North Koreans who are allowed anywhere near a computer.

“DPRK put a lot of effort into having control over the system,” said Grunow, “and basically they wanted to build a resilient and secure system which could not be manipulated. They do this in a pretty transparent way: they inform the user if particular critical files have been changed, and if there are changes, the system will go into a reboot loop.”

"They did a pretty good job in building an architecture which is self-protecting," Schiess said. He added that Red Star OS includes an antivirus package that “actually contains a pattern-matching scanner that not even the root user can access. Tightly coupled with that is another background service that is watermarking files.”

Surveillance and censorship

The antivirus scanner, scnprc, has a user interface, and cannot be disabled without provoking a system reboot. It has a particularly crucial file called /tmp/AnGae.dat. Apparently, "Angae" translates to "fog" in Korean.

AnGae.dat contains UTF-16 strings of text in several different languages – phrases that, for example, translate into "strike with fists," "punishment," and “hungry". Any media files found by scnprc that contain any of the listed strings are automatically deleted.

The watermarking service, opprc, runs in the background out of sight, unlike the antivirus.

The researchers have now discovered that these watermarks can stack up inside a file – a new one is appended for each machine that handles the data – providing an audit trail for file distribution throughout the North Korean network. This would allow the authorities to trace the swapping of a file, perhaps containing sensitive information about the government, all the way back to its source, who along with their family will be in grave trouble if the transfer of information is unauthorized. "An oppressive state's wet dream," as Grunow described it.

The researchers have confirmed .docx, .rtf, .png, and .jpg files are watermarked, and other types may be as well. ®


The researchers encourage others with an interest to visit their Github repo – particularly the home-brewed cryptography programs Bokem (meaning Sword) and Pilsung (Victory), which may be flawed.

Broader topics

Other stories you might like

  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading
  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading

Biting the hand that feeds IT © 1998–2022