OK. Welcome everybody. So we all don't know so much about the daily life in North Korea. It's a country with a pretty secret dictatorship, and the people living there are under constant observation. Research on leaked software and hardware is sometimes the only way to look behind this curtain. At last year's Congress, Florian and Niklaus lifted the fog on North Korea's Red Star OS and its surveillance features. This year they will let us know details about North Korea's latest tablet computer. Please give a warm round of applause to Niklaus, Florian and Manu.

All right. Thanks for showing up. I'm going to dive right into the Woolim, or however it is pronounced; we don't know any Korean. We have no idea how this is pronounced, to be honest. We had Korean people talking to us and trying to teach us how to pronounce it. "Woolim" is probably the wrong way to write it in Latin letters, but that's not important, I guess. So let's dive right into it.

First of all, a disclaimer. We had this disclaimer last year and we will have it today: we never visited the DPRK. So most of the slides contain words like "probably" or "maybe". This is because we never visited the DPRK and we don't know how this tablet and the technology are really used, who is using it, and what the control mechanisms are for the government to extract data from these devices, for example. We just have this device and some of our sources in South Korea. So some of the stuff that we are saying is speculation; please bear with us, it is not possible to give you a full-blown introduction to all of that. And, as last year, it's not about making fun of the people in the DPRK, and it's also not about making fun of the people who made this piece of software. We are not focusing on security in this talk. It's only about the privacy aspect, so there are no details on security issues that might be in the tablet. This may be further research that we are going to do in the near future, but it is not the focus of this talk.

So what are we going to talk about? We are going to give you a little update about Red Star. There has been a lot of work following our publication on Red Star last year. Then we will be talking about the software and the hardware that the tablet PC is made of. We will give you an introduction to some of the applications that are stored on the tablet PC. And we actually have a live device here; it's sitting right here. Maybe Kim Jong Un is listening already. So we have one device right here that we got out of the DPRK. For the Q&A, it is important that you please do not ask questions on how exactly we got this tablet PC. We will not answer them. But we have this full-blown device sitting right there, and I'm going to do a live demo. After that: Woolim is pretty locked down, so there is not much a user can do to break out of the usual tools or applications that are installed on the device. So we had to find a way to gain access to the whole package, all of the APKs, all of the stuff that is stored on the device, and Manuel is going to talk about how we gained access to the device. After that we will see how the government is able to control the distribution of media with these tablet PCs, and Niklaus is going to talk about that part. And after that, hopefully, we will have some Q&A.

So, to give you some Red Star updates really fast. There have been multiple publications concerning the security of Red Star, as we didn't focus on the security last year: remote code execution, command injections, and even in the server version of Red Star there is Shellshock all over the place. Then there was a cool art project that was created by a guy who used the watermarks for files to create artifacts in pictures. So what he would do is take your face as a picture, create a watermark for it and then disturb the picture, so that it has artifacts in it. You can visit the project; inter alia dot org is the URL. And what we also found is a website called Cook's dot org dot kp, which is from the DPRK, and it contains all of the JPEGs that you see on that website. So it's out there, publicly available. You can just go to the website and grab all the JPEGs, and you will see that all of these JPEGs have watermarking applied by Red Star. So actually this is a finding where we can see that Red Star is actually used and these watermarks exist in the wild. We could identify six different watermarks on this website, which tells us that there are six different computers where those JPEGs were created, used, manipulated or whatever.

Why are we doing this? So again, as last year, there's only some general information available about the tablet PCs that the DPRK provides, and we wanted to get a glimpse into the tablet PCs, because last year we identified some dead code that was lying around in Red Star and was not used by the watermarking. And we thought last year that there might be some more sophisticated, more advanced watermarking. And this is exactly what we found in the tablet PCs.

So again, as I said, Woolim is kind of the name of the tablet PC. If you translate it, it translates to "echo". If you put this into Google Translate, it translates to something completely different. I have no idea why, but I think it translates to "ring" or something. But "echo" is probably the real name if you want to translate it, and it is also the name of a waterfall in the DPRK. There are probably at least four tablet PCs out there in the DPRK. We have hands-on for three. There is another one which is named after a mountain in the DPRK, and it's called "mysterious fragrant". So they basically name all of their pieces of technology after stuff in nature, I guess.

If you do some research on the device, you will find out that the manufacturer that is doing the hardware is not from the DPRK. It is a Chinese manufacturer, and it is actually selling this piece of hardware as a plain tablet with a stock Android on it, probably under the name Z100. And it's a Chinese manufacturer, and the product is sold for 180 to 260 euros, which is a good price for the technology that is behind the tablet PC. But you can imagine that 260 euros is pretty much for someone sitting in the DPRK and wanting to buy a tablet PC. So probably those tablet PCs are not meant for the whole public. It's probably only a few people that have access to those tablet PCs. But this is speculation. The software that is running on the tablet PC is coming from the DPRK. So what they did is basically they used the Android SDK to develop Android for their tablet PC and then put some interesting services and interesting applications into the tablet PC.

So we are going to give you a product presentation. Well, we are not going to give you a product presentation, but the DPRK is actually doing this. Can you switch the audio to the laptop, please? The subtitles are not from the original video; the subtitles have been added by a guy from South Korea who was helping us out. So this is the official commercial for Woolim.

All right. OK, so this was an original video. We didn't make this video or something; this was really an original video that is also on the tablet PC. I will shortly go into a few points out of the video, because they seem pretty important to me. First of all, don't drive and watch TV. That's a bad idea. Second of all, if you look closely at this device, and if you know the original device, you will see that it is probably a different type, although it is the same brand. So down right in the corner you can see "Woolim", and also on the back of the tablet are the same letters. So we are pretty sure that it is from the same series or whatever, but it is not the same hardware, as you can see right there. So probably there are multiple tablets that are running under this brand. This is important to know.

The next thing which is quite interesting is that they provide rapid updates, which, if you're in the Android world, is not that common; I find this pretty amazing and good. The second thing is they have a free warranty service, which is also pretty convenient. So that's also a nice service, I would say. And one of the most important parts, which is not about the tablet PC itself but gives you some clues about how the infrastructure is working in the DPRK: they are actually offering DVB broadcast on the tablet PC. So you can buy or rent or whatever a dongle, and then have like 20 cables connected to it, so it's a little bit like Apple, and then you can view DVB on your device. And this even sells as a feature: they say you will not be able to view any other stuff than just our own. And this is pretty interesting, because going back to Red Star OS, and I don't know if you've seen the talk, we had an antivirus scanner that was not scanning for viruses at all. It was doing something completely different. And we thought they are tricking users: they just say this is an antivirus scanner in order to do something else under the hood. But if you see this, then they are basically saying: we want to prevent that you see the malicious stuff from outside. So they are selling this as a feature. It's not like they're trying to trick the people. They are saying: we are going to encrypt and decrypt our TV broadcasts, and you will only be able to see our stuff, so there is no danger coming to you from outside. And this is pretty remarkable, I think.

OK, if we're going to the architecture itself, let's take a quick look at the hardware. It's an Allwinner A33 system on a chip. It comes with eight gigabytes of flash, and it has a micro SD port and a power plug to charge the tablet. It has a not so responsive touchscreen, to be honest. So when I'm going to do the live demo, I'll probably fuck some stuff up and tap on the wrong things; sometimes it happens, sometimes it won't, so it's a bit random. So bear with me if it takes a while to open some of the applications. And if you just get the tablet by itself, there are no communication ports at all. Normally, if you buy your usual Allwinner A33 system on a chip with a board, you probably have another chip that has Bluetooth, Wi-Fi and all of the other stuff that you need in a normal tablet PC. On this device, this has been either soldered off or it never made it to production, so the board does not contain any communication hardware itself. You always have to buy or rent adapters that you plug in to use the stuff. And as you could see in the video, the usual cases are a USB modem, Wi-Fi, normal networking capability, or DVB-T. It also has HDMI, and that was the problem: this one does not have HDMI, which is why we cannot connect it to the screen. But in the commercial you could see that they just plug in a micro HDMI or mini HDMI, and then you can hook it up to any HDMI device. With this device it's not possible, unfortunately. So we will have to do this projector thing right there, and I hope it will turn out fine.

OK. Concerning the software perspective, there's Android 4.4.2 running, with a kernel that is kind of up to date for Android 4.4.2. The build date goes back to September 10th, 2015, so it's pretty new. I think we got it four months ago or something like that. So at the time that we started the research, it was actually pretty new. Looking at the preinstalled applications, it's just your usual Android stuff, but without the Google stuff, obviously. So there is no Play Store or something, and no Google Maps or whatever; that has all been stripped out, and you basically have just basic functionality plus some applications from the DPRK.

Can I have the tablet on the big screen, please, for the demonstration? Transition from the video again, to kind of get over things. OK, so this is the tablet PC itself. This is the default background that you see right there. If I move the tablet around a little bit, you might see that there are some cables coming out on one side. This is because we tried to find debugging ports. We didn't find any; we just started debugging the LCD and stuff like that, but this is not really working. So if you have questions afterwards: these cables are just coming out and doing nothing right now.

OK. So let me show the tablet PC real quick. The problem is that some of the applications have a serial ID that is mostly shown on the splash screen, and we don't know why this serial ID is there. It could be that it's just a versioning number for the applications, but it could also be a way to track who has which app installed on the tablet. And to prevent the guy who leaked this tablet PC from getting into trouble, I'm going to pull out the tablet PC, open up the application, see that there's a serial number, and put it back, just to be sure. OK? So I'm going to pull it out. And then again, you know that this is not like we're tricking something; this is just because I want to make sure that no serial IDs are shown on the screen.

OK, so the first thing that I'm going to show you is an overview of the applications. These are the applications that are there in the factory reset state, so this comes with the tablet itself. You have your usual stuff, like the camera you can see right there, a file browser. I'm going to go into the settings. You can see that there is an Ethernet modem and stuff like that. If I scroll down a bit, you can see some of the applications running; there is even Flash, as you can see right there. We don't know if it's really Flash, but it makes sense, because most or all of the websites of the DPRK are using Flash to show videos and deliver remote exploits. So that totally makes sense. OK. If you scroll down a bit, you can see your usual applications, an archiving application, and this Red Flag thing, which is pretty interesting.

OK. So the next thing I'm going to show you is the security stuff and the certificate authorities that are installed on the tablet. They are not so many. That's all of them, basically, and they are all from the DPRK. So you should bear this in mind if you get a device like this and start browsing: you will probably be man-in-the-middled totally when you're using this in the DPRK internet or intranet.

OK, the next interesting thing is maybe the browser. Looking at the browser, there is a Nexus S right there. It's just a normal browser. You can do something to see some files on the hard drive, some of them. What you can do is go to the favorites and see the bookmarks that are already there. If you look at the bookmarks there, probably most of them are internal websites. So if you click on them, you see that the URL is actually an IP address. And if you check all of them, you see that they are all internal IP addresses, and these go perfectly into the address space that the DPRK has, especially these ones right there. The tablet PC, if you hook it up to Wireshark and let it run, is even making some outbound connections to IP addresses that go into this network segment. We don't know what it is doing or what it is trying to get from there. Maybe the rapid updates, that's a possibility. I don't know exactly.

So there's also a camera. I'm not going to turn on the camera and take a picture of you so Kim Jong Un can see what we're doing right here. I'm going to leave this out. The next thing I'm going to show you is a game, which is Robo Defense. I don't know if you know Robo Defense; it's perfectly available in the Play Store for Android. And if you start the game, then you might recognize that it is really the original version of this game. And what they did is basically they adapted a few things, especially for language settings, and made a new splash screen. So if you decompile this thing, you will see that it is perfectly the one from the Play Store, at least in parts. So there might be a copyright violation right here. I'm not sure about this.

OK, what else do we have? Another thing that I found pretty interesting is that there is an application that enables kids to learn how to type with a keyboard. That's pretty nice, actually. So you have your settings; I'm just typing random things, I don't know what it says right there. And then you can hook up a USB keyboard to the tablet and let the kids type to learn how to type on a keyboard, which is actually quite nice. OK, what else do we have? Concerning writing, there is also a full-blown office suite on the tablet itself. And with office suite, I really mean office suite: it lets you create PowerPoint presentations and stuff like that, and it really works, and we would have loved to do the presentation with this tablet PC, but unfortunately we cannot hook it up to HDMI, so that was not possible at all.

OK, what else do we have? We have a lot of propaganda, obviously, installed on the tablet PC. So there is one application that is coming even out of Red Star, and it is basically the encyclopedia and shows the writings of all of the leaders from the DPRK. And you can see what they have written, exactly. Another interesting thing is there is a lot of educational stuff on the tablet PC. So there is one application that is basically a technological dictionary, so you can find information about technology, and there are also dictionaries installed that let you look into other science areas as well. OK, another one which is pretty interesting, and maybe I would like to have your... so I need to come up with a hack right here, probably. So give me a second. And here we go. All right. So I'm going to start this application again, and if you see the splash screen, please shout to me which game this reminds you of. Yes. I don't know if it's SimCity, but when I started the application, the first thing that came to my mind is this looks like SimCity. And what this application is actually doing, it is an architecture program, so you can plan houses, plan cities with this thing and really do the architecture of your future house or whatever with it. It even comes with an AutoCAD plug-in, so the stuff that you create right there you can reuse on your Windows PC if you have a CAD program there. Probably everything with copyright and stuff like that is in the right place.

What else do we have? There is a cooking application on it. There are a bunch more games on it. And then there are one or two pretty interesting things that came to our attention when we used the tablet for the first time. So if you start the application right here, Trace Viewer, that is a pretty interesting thing, because if you start it, then you will see that it gathers screenshots. So what it does is there is a process in the background that, once you open up an application, is going to take a screenshot of the application and is going to store it in a secure way. And the only thing that you can do with this Trace Viewer is basically see your browsing history and see the pictures of the applications and the contents that you started. So from our perspective, this is a clear indication that they're going to tell you: we know what you are doing, so we see what you are doing. You don't have any chance to delete any of this stuff, but we see what you're doing and you cannot get rid of this information.

The next thing which is pretty interesting is if you try to open up a file on the tablet, then you're probably not able to open any of the stuff that is coming from outside. And this was the thing where we thought we need to go into detail on what is happening right there, and we thought this is a pretty powerful mechanism. So if you just try to open one of those files... OK, in this case it's working; that's bad, because I created this file on this tablet. If I'm going to open up another file, like this one, you will see this message: "This is not a signed file." OK, so obviously there is some signing mechanism on the device that prevents us from opening arbitrary files.

OK. Can I go back to the computer, please? Can I have Niklaus's password, please? Should I ask Kim Jong Un? Do you have an auto-erase after entering the wrong password ten times? No? Caps lock. OK.

So much for the application demos. I have two more applications that I cannot show on the tablet PC, for reasons, but I'm going to show you some screenshots. So the first thing, which is very, very, very interesting, is that there is a tool called "nuck" installed on the tablet PC, and it is probably used to get a connection to the intranet of the DPRK. You can choose between three options: dial-up with a modem, going by a local area connection, or going over the internet or whatever. It uses PANA, which I have never seen in the wild; Wireshark knows the protocol, but I've never seen it so far. You need to supply login credentials, and then you can choose four different access points, depending on the city that you're in. So you can choose a network access point when you're in Pyongyang, for example, enter your credentials, and probably get hooked up to the local intranet of the DPRK.

The next one, which is quite interesting and is running in the background, is Red Flag. This tool is the one that is taking the screenshots in the background. It's also logging the browser history, and it is responsible for grabbing the IMEI, the IMSI and the Android ID. There is no SIM card installed right here, so probably this is an indication that the same mechanism is running on the smartphones that the DPRK is providing. It is also copying some key material around and doing some basic integrity checking of the system. And if these integrity checks fail, the system will be rebooted or shut down. In addition, there is a whitelist for applications. So even if you were able to install applications on the thing, the whitelist would kick in and not allow you to install the application. So this is an incomplete list. I have highlighted some of the most interesting parts, like Angry Birds, which you see at the top, or Robo Defense down at the bottom. So probably we have some copyright infringements there.

So the last thing that you've seen is obviously not a black-box analysis anymore, and you have seen that there is source code that we could decompile, so we could gain access to the device. And Manuel is telling you how we achieved gaining access to the device.

OK. Can you hear me? Yes. All right. Well, Florian gave you more of an overview of what you can do as a user with that tablet. I'm going to get a little bit more technical, but I'll try to keep it as understandable as possible without losing too much detail. As researchers, we of course wanted to know: what goes on there? What is that thing actually doing, and how is it achieving such mechanisms that prevent you from opening arbitrary files? But to find that out, we needed some kind of in-depth analysis. And to perform an in-depth analysis, you need the data from the tablet. I'm going to show you how we got to that data, and in the process of doing so you'll probably get a good impression of what they do to prevent someone from tampering with their system integrity. What we finally needed to achieve is either to get a memory dump of this whole tablet, or privileged code execution on that tablet. And how do we do that? That's what I'm going to tell you, because actually they did a pretty decent job in locking their tablet down.

At first we tried the obvious things. Is ADB enabled? No, it wasn't. Can we enable it? No, we couldn't. Are there developer options? You know, you press the Android version number five times and then boom, you're a developer and you can do advanced configuration. No, they also disabled that. Can we install arbitrary APK files? No. Florian already showed that to you: if you try to install any APK file, like a terminal emulator that would help us executing arbitrary code, that didn't work. You need to have a signed APK. Then we turned that thing off and pushed every button combination that we could imagine, to find out if there's a recovery or download mode. But as far as we could pursue that, that wasn't possible.

Then we got a little bit more creative. We tried to find file open dialogs in all kinds of applications, because we thought, in the file manager you can only access certain files that are locked to one directory. So if we can find applications that have file open dialogs, we might be able to traverse directories and get access to system storage. And that is actually possible. There are some applications that are implementing their own file open dialogs, and then you can access files from the system. But still, you're very limited in the files that you can access. You can only access certain file types, like data files, and you won't find a lot of important, system-critical information on a Linux device that is stored as data files. Also, if we managed to do so, we would still need to defeat the Android sandbox somehow, because usually on an Android device an application is in the sandbox, so you can't just access any arbitrary system file. We also tried attacks by archives, like classical symlink attacks or directory traversals, but they weren't possible as well. We found an application that had a configuration file that was not signed and that contained something that looked like shell command parameters. But it turned out that either they weren't, or we couldn't exploit that. Interesting note: we found an application on the tablet, and that application was coded by some Chinese guy, we don't know, but we found the source code for that on GitHub. And it's actually the same source code. So they just stole it from GitHub and installed it on all of their tablets. And as we got the source code, we could perform a more advanced kind of attack against that. And we noted that it was writing, I think it was something related to the score, as a serialized Java object to the SD card, and it didn't check for any signature. So that was a way we might be able to get in there. But it turns out on Android that's a more complex thing, and it didn't work out in our case. As we saw that they implemented their own office suite: we all know those attacks, like macro injection. We also tried that, but no, that didn't work out as well. That's only an excerpt; we tried a lot more things. But what came to our minds was: someone must have thought about that. Someone does not want us to tamper with their system. And I mean, from what you can see in Niklaus's part, that's possible.

So let's take a step back. We all know that there are vulnerabilities in Android. And if you follow the Android security bulletins, you'll notice that almost every month new code execution vulnerabilities are popping up. Why can't we use one of those, like one of the famous ones, Stagefright, for example? While that's in theory possible, in practice it's quite hard to achieve, because this would be black-box exploiting. In such a situation, you usually have a device at hand on which you can attach a debugger and search for ASLR bypasses or ROP gadgets. And we couldn't do so, because we only got one tablet, and that wasn't rooted.

What you can do in such a situation: you can perform an attack on the hardware level. From what the circuit board looked like, what we knew about the tablet, and the complexity that would be involved, it seems probable that they don't use any kind of trusted platform module or other way to secure their boot process. So there might be a good chance that we just open up the case, pop off the storage and dump that using whichever protocol we need to do that. Well, that is an option that might also lead to success. But suppose you're me, and you're more like the software guy rather than the hardware guy. Well, give me a soldering iron, and chances are that I'll mess this up. It might be that you end up with a brick, and considering that this is a very valuable device, and how hard it is to get your hands on such a device, it's not a feasible option, at least not for us. Even if you're more skilled in soldering than me, chances are that the chip might get too hot for only a little too long, and you're screwed.

So we turned back to the internet. We thought we might find another way to access the storage. And after searching about the architecture, after we popped open the case, we could see what chips it is using. We found the A33 system on a chip. And what we also found is this tool. This was half in English, half in Chinese, so we pressed some buttons and had no real idea what we were doing. But it was supposed to give you a bootable image that you could just burn onto an SD card, plug into your device, and boot it up. And we felt like: no, that's not going to work. That would be one of the first things that they turned off. And we plugged in the SD card, and that actually worked. Well, we thought: why? Why did they do that? Then why all these hard mechanisms we found in the first place? It doesn't make sense. We can only speculate about that, but there are some pretty satisfying explanations. One would be that they just forgot it, but we don't think so. It could be that this is a feature of the system on a chip, that the system on a chip is by default booting from SD card if you do not cut certain hardware lines. And if they just bought the hardware from a Chinese manufacturer, it might be too complex to cut those hardware lines or reprogram the system on a chip. So maybe that's an option. And if you think again about it, it's not really contradicting their security concept, because what is the thing they need to defend against? They need to defend against a North Korean traitor or something who would be inside of North Korea and try to do this. And imagine, just imagine, you're sitting in North Korea and try to access that tool, with your internet access constantly being monitored, or no internet access at all. I think that's kind of difficult, and that's probably the reason they did that.

Still, as we got code execution, we weren't done yet, because what we brought up was a functioning Linux kernel, but it had no way of accessing the memory. There was just a driver missing. Well, what could we do? For one, we could just plug in our logic analyzer and analyze what that thing is talking over the wire. But that would still involve touching the hardware, and we decided not to do so. We could also try to get hands on the data sheets for this kind of flash storage; we have that at hand, but implementing our own driver based on the data sheet sounds like a time-consuming process. So we went with another option. We thought it cannot be the case that the manufacturer built a whole new tablet with completely new hardware they never used before. At that point in time, we didn't know about the Z100. We thought there must be a different tablet which uses almost the same architecture, and maybe that one has a functioning driver. So we went to the internet again, and this is what we found. It's a tablet. At the point in time we bought it, it was like thirty bucks, and we thought: well, 30 bucks, nothing can go wrong with that. And we bought two of them. And lucky for us, they came already pre-rooted. So we could just plug in ADB and dump all its contents, and we were done. We took the kernel and the kernel driver for the storage and put that on the external SD card we used to boot. And first we plugged it into our fake tablet, and that didn't work out quite as easily, because of the way the driver tries to find out how to talk to the storage controller. But after putting that into IDA and reverse engineering the driver, we eventually managed to find out how we could talk to that storage controller. The question was: would that be working on the DPRK tablet? So we plugged it in and booted it up, and it actually did work. This is the memory dump of the internal NAND storage, and you can see from the partitions that it's using that it's quite a normal Android device. It has a bootloader partition containing the bootloader. It has a boot partition containing the default kernel and ramdisk. It has a system partition for some binaries, a data partition for the applications, and the recovery partition we couldn't trigger. And now we really could start doing our analysis. And that is what Niklaus is going to tell you. Thanks.

OK. Some of you guys probably saw our talk last year on Red Star OS, where we found some really interesting features regarding the privacy evasion of those operating systems. As soon as we got access to the device, we were curious if the
re might be some similar mechanism or probably something that is even worse, like this mechanism on the tablets. And as soon as we were able to access most of the libraries, then we saw there are actually two mechanisms on the ruling devices. One of them is basically a watermarking mechanism, which is most likely the same one as in Red Star as it even looks like. It's just refactored version of two components in the Red Star s operating system, and it's doing basically the same watermarking. We didn't saw any code that is actually using this library. So the active operating system, what we saw there, it's not actually watermarking any files in terms of the watermarks, like in Red Star s, but it actually has the code there and we think that it might be just for compatibility reasons. What was more interesting is that there is an even more advanced and even more restrictive way of controlling the media distribution within North Korea on the devices. And it's based on digital signatures. Just a quick recap of what we were talking about last year. What you're seeing here is an example of a word document, and the mocked part here is basically the encrypted form of the plain text that you're seeing below. And this is basically just a watermark that allows you to identify a specific red star installation. And just if you're curious if you want to get to know how it's working there actually decryption tools in this repository. But it's really, really simple. It's not rocket science, how it's working, but when you're doing this in the wild, basically, when you have the original file at the top and read part, here is a basically the end of the actual image as a JPEG file and as soon as the user is getting. For example, if it's on a removable media device and you're plugging it into a red star system, then it depends on bytes at the end of the file. And if you're giving this file, then to another user running Red Star s, there are even more files at the end of the JPEG. And wh
at you're seeing here are the green part is basically the watermark that identifies the first user and the orange watermark identifies the second user. What is quite interesting here is that when you are seeing this from a government perspective, just to give you an impression when you're having a normal JPEG image and you're having it on one red star system, put it on a removable media, give it to a friend or whatever someone that you're affiliated with, and it will apply the watermark of the second system. If you do it again, then with your friend or like minded people, then took the image will actually contain references to all three operating system instances. If then, the government gets access to, for example, the system of the third user and gets access to this JPEG file and they want to know, OK, what is the source of this file and who has had access to this file? Then they are basically able with this single file to track down dissidents or traitors or whatever, because it allows you to reference all the users that have access to this file. And what you think you could do if you do this on a large scale, like in a complete country, for example, it allows you to connect social networks. It allows you to connect connection between connections between dissidents, connections between creators and what what it then allows you is not only shut down users where you, for example, have access to a system and you found this file, you're also able to shut down the sources of those files. So, for example, users that create files or users that import files from outside of the country and you are basically able then to shut down to complete all the connections then between those suspected people and what William does, William is way more restrictive than what one red star was doing. It can actually do the same thing as the Red Star has done. But on top of this, there is another more restrictive way of not only tracing the distribution of media, but the the the goal of ru
ling is to basically prevent the distribution of media. And this is quite interesting how they are doing this, and it's really effective what they are doing. So what it's what they are doing basically is use cryptographic signatures and the government has control over those signatures. And if you are controlling the signatures, if you are able. Who signed files and if you are the only entity that can sign files, then you have to complete control over all media sources. And what is what should be noted here is that compared to Red Star, which had just implemented the most functionality into a kernel module that just hooked the system calls it Wuling, all of this is explicit. So each and every application has to do own signature checks. It's not the operating system itself that provides this functionality. The operating system is just providing a library, but each and every application is responsible for the signature checks. These are done basically within native library in Chava, so each and every application can use this native library from within the trauma source code. The package is actually called government no media, which is quite interesting. It's actually called when you are, for example, opening a file in what what we saw the office sued. When you're opening a fire, then it's basically doing some license checks. So the functions are, uh, more or less concealed like license checks when you're opening files or when you're saving files than there are in the background calling these functions in those native libraries. William provides two ways of signing files. These are referred to in the code as not sign. Basically, call nation signing, which are signatures by the government, and there are self signed signatures which are done by the devices themselves. If a file doesn't have a proper signature, then all of these applications that are doing signature checks will prevent you from opening those files. This is a quick example of how one of those native librari
es looks like you have some basic functions that allow you to get some information of the of the of the device, which are used then to put into signatures or check the content of existing signatures and basically provide you with these easy functions, like is it a valid signature or not? Because all of the, uh, the the rest of the code should should do the stuff like print if the file cannot be opened. And this is quite interesting because there are some applications that just have different error messages for the same situation. So this is not a library, but all the applications. Here's a quick list of most of the applications that are doing these signature checks, so you can get a brief overview of what they are really focusing on when it comes to the files that they are really interested in. Just some quick words about the nation's line, and the code mostly also refers to it as government signing. It's basically an RSA signature with a 2048 bit or as a key. And the public is just stored on the device, the private keys held by the government. And in addition to the signatures, it just do. It does a lot of obfuscation work. So also on a bit level is trying just to shift some bits. We think that it's just doing this to make it harder to sign to find the files yourself, but it's nothing really. From a security point of view, it's it doesn't make any difference. What we focus more on is the safe signing mechanism because it looks a lot more interesting because the nation's signing is basically a signature. Self signing is a combination of symmetric encryption, and so there is some power that is just encrypted. What is notable here is that its mission there. It's the basic algorithm behind a yes, but they are not using a yes. They are using a really specific form there because they're not only using 256 bit keys, but also 256 bit blocks. So they always encrypting 32 bits bytes at a time, which is not possible with a yes. They are also doing RSA signatures. And what the
y're basically doing is create a signature over the hash of a file. So they just mostly they've called for Sha two hundred and twenty four, but they are mostly using two hundred and fifty six bits. There's also a file called Legal Ref Dot Dot on the fire. We saw this red flag application. This application is responsible for reading the Imai and the emcee of the of the device and also the Android idea. These will be stored in this legal ref file, which is basically a legal reference of each and every device. This is like basically the same thing, a little bit more advanced, but the same thing like in Red Star s with the watermark. Here you have a legal identity, how it's referred into the code, and this is also included in the signatures. It's not only a signature of the fine itself, but it also always puts your identity into those files. So this is also quite similar to the way red star watermarking files, and it's only implemented basically to allow you to create files on the device itself and open doors. Though you have a camera on the device, you can take pictures there and you are basically able to open those pictures on your own device. A signature. Technically, it looks like this signatures are fixed to have a fixed price of seven hundred and ninety two bytes. So even if you are creating a text file, which is a character, it will always append seven hundred and ninety two bytes to the file. If you open it with, uh, for example, text editor, you will never see the signature because it's responsible for checking it and removing it again from the file when you open it. But the top part here is the Shaw. The R is a signature of the of the hash of the file, and the green part is encrypted and it the most interesting content here is your Z and MRI of the device. The rest of it is basically just no bytes and they have implemented. They have not implemented it with padding and they are using kind of like Easy B mode, but they have like really at the end of the file. I
t's quite interesting what they've implemented, but I think it's just that they didn't want to use padding because they always encrypting 520 bytes, which is not possible by default. And the files that are affected by this Hurricane Z, just an example of the office suite, which is called Dock. These are files that are checked by this specific application. Like I said, each and every IP. Is responsible for doing the signature checks themselves. So if you want to only check specific application types, then you as an application are responsible for doing those checks. And these are basically all of the typical media files, sound and video and stuff like that, but also plain text files and plain HDMI files are affected. And what has also affected our APK files? So if you want to install an application, you not only have the typical APK signing mechanism, you have an additional sliding mechanism with their reserved signing, basically because the oil also checks APK files when you're trying to install those. So if you want to install a valid APK file, it would have to have two valid signatures from two completely different sources. Just to give you an impression of what they are, they're actually achieving with all of this signature stuff here. When you have a Boolean device, there are two valid sources of files. You can have the government, which which basically controls all the files that can be distributed within the DPRK, and they can find those files and they have the ultimate power of controlling what media is distributed. Basically, what media like you can open on your will and tablet PC. The other way is that you can open files or documents, for example, that have been created by the file by the device itself. So you only have these two ways of sharing files if I want to. For example, if I have a friend with another Boolean device and he takes a picture with his camera. He cannot just put it on a removable media and give it to me. And I'm basically not able to ope
n this file because the signature is or basically the legal reference in the signature is wrong. And they're really not only shutting down what is inside of North Korea at the moment, like different Boolean devices and flecks of red star devices, but also everything that is coming from outside of North Korea. If you would want to put books or Wikipedia articles on removable media and try to import it to the DPRK, then you would not be able to open those with one of those William tablets. So all of the outside sources are basically not usable by the public. OK, so this basically wraps up our findings from Red Star. We got five more minutes I have seen we would like to say thank you to a few people right here, especially we would like to thank. I think they are from South Korea is an NGO and they are trying to get information into North Korea. And these are the guys that provided us the tablet. And we would like to say a big thank you to these guys and all of the guys that kind of got the tablet PC out of DPRK. So that helped us a lot. Yeah. So concerning future work, we will try in the future to free some of the information that is on the tablet, there are a lot of dictionaries, a lot of books that you need to buy if you want to get an insight on what is happening or you don't get access at all. We would like to free this information and make it available if you are in possession of technology from DPRK and you want it to be analyzed. Please approach us. We would be happy to be here next year with another talk on another heart or software of DPRK. We ourselves got some more stuff that we are looking into right now. We hope to be back here next year, so from this wraps it up. I hope you had a little bit fun and it was informational. Now we can go into the questions. Thank you very much. We have maybe two minutes for questions, so really quick this microphone. All right. So the self signing of the wall and basically just adds about 800 bytes to every file that it's eve
r created. If you view it on another system, then does that just make it a corrupt file? Is a JPEG plus 800 bytes of Gulam Signature just an invalid JPEG? Or what does it become? I mean, it depends on the file you're using for cherry pick. For example, it doesn't corrupt the file, but there may be file formats because a JPEG you have like this really hard file structure where it can determine the end of the file, then it's no problem. But there might be some file types that could be corrupted by those funds. OK to microphone? Yeah. OK. Interesting talking did. Maybe I was attentive or it was certainly not. Not cool, but did you try to find the keys from the public television broadcast? Yep, no. Well, yes, we kind of were observing the tablet itself. The problem is that the media player that is on the tablet is actually not capable of doing DVDs. And as I said in the beginning, the device that you could see in the beginning is probably a different version of the tablet, probably an older version. So our version right here, we could not find any crypto keys for DVDs or stuff like that. So yeah, unfortunately, we don't have any keys for that also. Also, we could imagine that maybe that is done on the external, on the peripheral, not on the tablet itself, so that we might not find it all keys on there. And in addition to that, you need to kind of get registered to get all of the additional hardware. It's possible that they install an APK that enables you to view DVDs and that comes with the CryptoKitties. OK, thanks so much. OK, one question. Out of those eight gigabytes of storage, how much is used up by the original file system of the original OS and. So I would say that probably like it's it's not that much, so probably like six gigabytes, probably free. I will check the data usage. Let me see storage. It's using one gigabyte. So a total space is like one gigabyte that is used. So there is a lot of space that you can don't have. OK, I got another question from the si
gnal angel. Yes, there are two questions. The first is, are you planning to release any software dumps? And do you have to smuggle the device back to North Korea? I hope not for the last part. Like for the first part, we are not going to release any dumps. The problem is that the dumps will include serial numbers and fingerprints and stuff like that. And that would be perfectly easy to identify the guy who leaked it to us. And this is what we want to prevent for all circumstances. That is the one case where a guy who tried to smuggle out a poster of of North Korea and he went to jail for 15 years. So you can imagine what happens if someone is trying to smuggle out a device like this and we want to prevent this. As I said, we are going to try to release some of the information that is on the tablet, meaning like dictionaries like books that are stored on the device. Stuff like that. So probably we are going to kind of go through all of this, filter it a little bit and then make it available to the public because we thought that information about that stuff is really lacking right now. OK, we have one last question. Hi, there seems to be quite a bit of English in the file names and numbers and so on. And even in the bits, the same sort of, let's say, DPRK only features. Do you think Western developers have been involved in this project at all? Very good question. We know that DPRK is getting assistance for some stuff in developing stuff, and they even I think they even had like developers from Germany that were in exchange like a couple of years ago, like years ago. We cannot state that they did all of this on their own. But I would say it's perfectly feasible because what we have seen with Red Star and all the other stuff, I think that they're capable in doing this, so they probably don't need to have assistance. I think that like I turned like all of the stuff to English to have, like the English language, if you are trying to apply a watermark with like Korean lett
ers like this sort of signing stuff and all of that stuff, like the form that the the eight letters that of sign, Nazi sign and stuff like that, if you put that to Korean, it would not be a bite anymore. It would probably be more so that might be like the the problem that they were facing. And that might be why they were using Latin letters. Mm hmm. Thanks. OK, thank you very much. Please give a warm round of applause to those guys.
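Added example, not part of the talk transcript and not code from the tablet: a toy model in Python of the two-signer trailer scheme the speakers describe (government "natisign" versus device "selfsign", a fixed-size signature trailer appended to every file, the device's legal reference bound into the signature, and the application stripping and verifying the trailer before it opens the file). Everything concrete in it is an assumption for illustration: textbook RSA with small keys generated on the fly instead of the 2048-bit key and PKCS#1-style padding, the identity block stored in the clear instead of encrypted with the 256-bit-block cipher, a 256-byte trailer instead of 792 bytes, made-up magic strings and legal references, and constructed file contents.

```python
"""Toy Woolim-style trailer signatures (illustration only, not the tablet's code).

Layout of the appended trailer (TRAILER_LEN bytes, zero padded):
  kind (8 bytes) | legal reference (REF_LEN bytes) | RSA signature (SIG_LEN bytes)
The signature covers SHA-256(content || legal reference), so the creator's
identity is bound to the file exactly like a watermark would be.
"""
import hashlib
import random

TRAILER_LEN = 256            # assumption; the real trailer is 792 bytes
REF_LEN = 32                 # assumption: padded legal reference (IMEI/IMSI)
SIG_LEN = 64                 # 512-bit demo keys; a 2048-bit key would need 256
KIND_NATI = b"natisign"      # government signature, public key on every device
KIND_SELF = b"selfsign"      # device signature, accepted only on that device


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, enough for demo-sized primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA key pair ((n, e), (n, d)); n > 2**256 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(content, ref):
    return int.from_bytes(hashlib.sha256(content + ref).digest(), "big")


def sign_file(content, legal_ref, priv, kind):
    """Append a trailer of `kind` over content, bound to `legal_ref`."""
    n, d = priv
    ref = legal_ref.ljust(REF_LEN, b"\0")
    sig = pow(_digest(content, ref), d, n).to_bytes(SIG_LEN, "big")
    return content + (kind + ref + sig).ljust(TRAILER_LEN, b"\0")


def open_file(data, nati_pub, device_ref, device_pub):
    """What a Woolim app does before showing a file: verify and strip the trailer."""
    if len(data) < TRAILER_LEN:
        raise PermissionError("no signature trailer")
    content, tr = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    kind, ref = tr[:8], tr[8:8 + REF_LEN]
    sig = int.from_bytes(tr[8 + REF_LEN:8 + REF_LEN + SIG_LEN], "big")
    if tr[8 + REF_LEN + SIG_LEN:].strip(b"\0"):
        raise PermissionError("garbage in trailer padding")
    if kind == KIND_NATI:
        pub = nati_pub
    elif kind == KIND_SELF:
        if ref != device_ref.ljust(REF_LEN, b"\0"):
            raise PermissionError("legal reference mismatch: not created on this device")
        pub = device_pub
    else:
        raise PermissionError("unknown signature kind (unsigned or foreign file)")
    n, e = pub
    if pow(sig, e, n) != _digest(content, ref):
        raise PermissionError("bad signature")
    return content


def _opens(fn):
    try:
        fn()
        return True
    except PermissionError:
        return False


def demo():
    """Walk through the two valid sources of files; returns a dict of outcomes."""
    random.seed(1)                                   # reproducible demo keys
    nati_pub, nati_priv = rsa_keygen()
    a_pub, a_priv = rsa_keygen()                     # device A's selfsign key
    b_pub, _ = rsa_keygen()                          # device B's selfsign key
    ref_a, ref_b = b"IMEI:000001/IMSI:000001", b"IMEI:000002/IMSI:000002"  # constructed
    photo = b"\xff\xd8 constructed JPEG taken on device A \xff\xd9"        # constructed
    book = b"<html>" + b"constructed document imported from outside " * 8 + b"</html>"
    photo_a = sign_file(photo, ref_a, a_priv, KIND_SELF)
    official = sign_file(book, b"GOVERNMENT", nati_priv, KIND_NATI)
    tampered = official[:10] + b"X" + official[11:]   # one byte of content changed
    return {
        "a_opens_own_photo": open_file(photo_a, nati_pub, ref_a, a_pub) == photo,
        "b_opens_a_photo": _opens(lambda: open_file(photo_a, nati_pub, ref_b, b_pub)),
        "gov_file_opens_on_b": _opens(lambda: open_file(official, nati_pub, ref_b, b_pub)),
        "tampered_gov_file_opens": _opens(lambda: open_file(tampered, nati_pub, ref_b, b_pub)),
        "unsigned_import_opens": _opens(lambda: open_file(book, nati_pub, ref_b, b_pub)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'opens' if ok else 'refused'}")
```

The point to take from running it is the one the talk makes: a photo self-signed on device A is refused on device B purely because the legal reference does not match, an unsigned file from outside has no trailer an application will accept, and only the holder of the natisign private key can produce something every device opens. The design choice of leaving the checks to each application (rather than the kernel, as in Red Star) is also visible here: nothing stops an app from skipping `open_file` entirely, which is why the speakers note that every application carries its own check.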