Fresh light has been shed on North Korea's Red Star OS, which – we're told – silently tracks the exchange of files between computers.
It was discovered in July that the software appends a fingerprint derived from the computer's hardware to files when they are opened.
Further analysis of the Nork government's operating system, which is based on Fedora Linux, was revealed by security researchers Florian Grunow and Niklaus Schiess at the 32nd annual Chaos Communications Congress in Germany this week.
Speaking to The Register ahead of their presentation titled "Lifting the Fog on Red Star OS," Grunow said he believed it was “quite important to look into an operating system that is built by a state” especially if that state is as secretive and repressive as North Korea.
A new version of Red Star OS, 3.0, shows that the impoverished country was not completely technologically illiterate, the researchers said: the software has the look and feel of Apple's OS X along with an in-house email client, calendar app, word processor, media player, a slide presentation program – which Grunow and Schiess used to give their talk – and a disk encryption tool.
Grunow said the Red Star developers "touched everything on the operating system," and strived to prevent someone from tampering with the code. One assumes said mechanisms are needed to stop people from disabling the file-tracking features. The operating system is standard issue to the few North Koreans who are allowed anywhere near a computer.
“DPRK put a lot of effort into having control over the system,” said Grunow, “and basically they wanted to build a resilient and secure system which could not be manipulated. They do this in a pretty transparent way: they inform the user if particular critical files have been changed, and if there are changes, the system will go into a reboot loop.”
"They did a pretty good job in building an architecture which is self-protecting," Schiess said. He added that Red Star OS includes an antivirus package that “actually contains a pattern-matching scanner that not even the root user can access. Tightly coupled with that is another background service that is watermarking files.”
Surveillance and censorship
The antivirus scanner, scnprc, has a user interface, and cannot be disabled without provoking a system reboot. It has a particularly crucial file called /tmp/AnGae.dat. Apparently, "Angae" translates to "fog" in Korean.
AnGae.dat contains UTF-16 strings of text in several different languages – phrases that, for example, translate into "strike with fists," "punishment," and "hungry". Any media files found by scnprc that contain any of the listed strings are automatically deleted.
The watermarking service, opprc, runs in the background out of sight, unlike the antivirus.
The researchers have now discovered that these watermarks can stack up inside a file – a new one is appended for each machine that handles the data – providing an audit trail for file distribution throughout the North Korean network. This would allow the authorities to trace the swapping of a file, perhaps containing sensitive information about the government, all the way back to its source, who along with their family will be in grave trouble if the transfer of information is unauthorized. "An oppressive state's wet dream," as Grunow described it.
The researchers have confirmed .docx, .rtf, .png, and .jpg files are watermarked, and other types may be as well.
The researchers encourage others with an interest to visit their Github repo – particularly the home-brewed cryptography programs Bokem (meaning Sword) and Pilsung (Victory), which may be flawed.