Red Star OS Watermarking

The watermarking mechanism was first described in the following blog post:

This is a mirror of the original post written by Florian Grunow (@0x79).

During the last few months, information about one of North Korea's operating systems was leaked. It is a Linux-based OS that tries to simulate the look and feel of a Mac. Some of its features have already been discussed in various blog posts and news articles. We thought we would take a short look at the OS. This blog post contains some of the results.

As you can imagine, most interesting for us was to investigate features that impact the privacy of the users. There are some publications concerning the security of the OS; that is an aspect we will not cover here. In this post we will stick to a privacy issue that we identified. As ERNW has a long history of “Making the World a Safer Place”, we consider this topic an important one. The privacy of potential users (especially in North Korea) may be impacted, and therefore we think the results must be made available to the public. So, here we go …

When analyzing the OS, the first thing that came to our attention is that they have built their own kernel module named rtscan. There is a running binary named opprc and a few more binaries, one of which (scnprc) seems to simulate or pretend to be some kind of “virus scanner” and seems to share some code base with opprc. We will concentrate on opprc in this blog post, as it is one of the most interesting binaries at first glance.

The first thing that came to our attention when looking at the functions in the binary was this one: gpsWatermarkingInformation. And there are more functions with similarly interesting names. You can see a short extract in the picture below.

So it seems that there is some watermarking functionality included. Looking at the available functions, there also seems to be AES crypto involved, and we can see that watermarking is available for documents, images and even audio. From the binary we were able to see that classic Word documents are in the list of documents to be fingerprinted. So we thought we would give it a shot: we created a simple DOCX file, copied it to a USB drive and attached the drive to Red Star OS. Guess what: the MD5 sum of the file changed. We did not open the file with the included “Sogwang Office” or touch it in any way; it changed simply by being made available to the OS. Now, a DOCX file is basically a ZIP archive containing multiple files. If you look at a DOCX in a hex editor you will see larger areas at the beginning of the file that are filled with null bytes. Looking at the same area in a file that has once been transferred to Red Star OS, we see some garbage inserted into the file.

The next picture shows a hexdiff of the file before and after it was transferred to Red Star OS. The upper part is the beginning of the original file and the lower part is the beginning of the file after the transfer. The tainted file has the watermark added at offset 80; the watermark is 32 bytes long and ends with the string “EOF”.
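The observation above can be turned into a small check that you can run on your own files. The following is an added example, not code from the original post or from Red Star OS: it builds a constructed, minimal DOCX-like ZIP in memory whose first local file header carries a null-filled extra field (an assumption made only so that the region at offset 80 is null, as the post observed for real DOCX files), writes a made-up 32-byte mark ending in "EOF" into that region, and then shows the three things the post describes: the MD5 sum changes, a byte-level diff isolates the 32 bytes at offset 80, and the archive still opens cleanly because only unused bytes were overwritten. The function names (`make_clean_docx`, `taint`, `changed_regions`, `find_watermark`, `still_opens`) and the payload text are all assumptions of this example; only the offset, length and "EOF" trailer come from the post.

```python
"""Spot a 32-byte mark at offset 80 (ending in "EOF") in an otherwise unchanged DOCX.

Added example, not code from the original post. All sample data is constructed
in memory; the watermark payload is made up.
"""
from __future__ import annotations

import hashlib
import io
import zipfile

WM_OFFSET = 80        # offset of the watermark in the tainted file (from the post)
WM_LENGTH = 32        # length of the watermark in bytes (from the post)
WM_TRAILER = b"EOF"   # the watermark ends with this string (from the post)


def make_clean_docx() -> bytes:
    """Build a minimal DOCX-like ZIP with a null region covering offset 80.

    Assumption for this sample: the nulls come from a 64-byte null extra field
    in the first local file header (30-byte header + 19-byte name = 49, so the
    extra field spans offsets 49..112).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("[Content_Types].xml", date_time=(2015, 1, 1, 0, 0, 0))
        zi.extra = b"\x00" * 64
        zf.writestr(zi, b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def taint(data: bytes, payload: bytes) -> bytes:
    """Overwrite the null region at WM_OFFSET with payload + "EOF" (32 bytes total)."""
    mark = payload + WM_TRAILER
    if len(mark) != WM_LENGTH:
        raise ValueError(f"payload must be {WM_LENGTH - len(WM_TRAILER)} bytes")
    if data[WM_OFFSET:WM_OFFSET + WM_LENGTH] != b"\x00" * WM_LENGTH:
        raise ValueError("no null region at the expected offset")
    return data[:WM_OFFSET] + mark + data[WM_OFFSET + WM_LENGTH:]


def changed_regions(before: bytes, after: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) runs where two same-sized files differ,
    i.e. what the hexdiff in the post shows."""
    if len(before) != len(after):
        raise ValueError("sizes differ: bytes were inserted or removed, not overwritten")
    regions: list[tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, len(before) - start))
    return regions


def find_watermark(data: bytes) -> bytes | None:
    """Return the 32-byte block at offset 80 if it looks like the mark
    (not all null, ends in "EOF"); no clean copy of the file is needed."""
    block = data[WM_OFFSET:WM_OFFSET + WM_LENGTH]
    if len(block) == WM_LENGTH and block.endswith(WM_TRAILER) and block.strip(b"\x00"):
        return block
    return None


def still_opens(data: bytes) -> bool:
    """The mark lands in unused bytes, so the ZIP container stays valid."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    clean = make_clean_docx()
    tainted = taint(clean, b"<constructed watermark bytes>")  # 29 bytes + "EOF"
    print("md5 before:", md5(clean))
    print("md5 after: ", md5(tainted))
    print("changed regions:", changed_regions(clean, tainted))
    print("watermark:", find_watermark(tainted))
    print("still a valid ZIP:", still_opens(tainted))
```

`changed_regions` needs the original file, which is the situation in the post (a copy that never touched the OS). `find_watermark` works on a single file and only applies the fixed offset, length and trailer reported above; it will not recognise a mark placed elsewhere, so a suspicious file that passes it is not proven clean.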

We still need to figure out what the contents of the watermark are, but it seems to be derived from data extracted from the host’s hardware, such as disk serial numbers. Keep in mind that this does not only apply to classic Word files but also to files from the South Korean Hangul word processor and to all kinds of media files such as audio and pictures. Watermarks for audio files seem to be created by applying a custom filter. The OS even seems capable of keeping track of which files have been opened on the system. This makes it easy to trace on which system a file has been created and on which systems it has been opened. Concerning privacy, this is a big deal.

To sum up: creating and using media files and documents on Red Star OS can get you into trouble if you are living in North Korea. Do not assume that the files can be kept private or that they cannot be traced back to their creator!

We would like to thank Iltaek for helping us out and translating some of the material from Korean to English. That helped a lot. 😉

Cheers,

Florian