34c3 preroll
Herald: The Democratic People's Republic
of Korea—or, as most of you know it,
North Korea, is a topic which is
already following us at congress
for four years. It all started
at 31c3 with Will Scott,
one of our speakers today, giving a
talk about teaching computer science in
North Korea. The topic was then carried on by
Florian Grunow and Niklaus Schiess, who
talked about the Red Star OS and also the
tablet PC called Woolim. Today, we will
hear the next episode—we will hear about
consumer electronics in North Korea. We
will take a peek behind the curtain, learn
about the Internet, and the current market
situation there. Our speakers today
are Will Scott, a security postdoc, as
well as his friend Gabe Edwards, security
consultant, and they will give us a peek
behind the curtain. So, please, welcome
Will and Gabe with a big round of applause,
thank you for being here already.
[Applause]
Will: Thank you, great. So just to
put this in perspective, right, one of the
disclaimers is that the words that get
used, especially on this topic, often have
a lot of meaning. There is a reason
that we'll be calling this DPRK or
Korea throughout. That's often the words
you'll hear of people who are dealing with
engagement with the country. North Korea
is a term that the country does not call
itself, but rather is what typically more
adversarial countries use to talk about it
as an occupying presence. So that that
language is is this weird quirk that
exists here. So yeah, we're going to talk
some about what consumer technology looks
like and how it's evolving and what's
going on there. I think we're pretty
excited about this. I want to start by by
setting a little bit of context. This is
the science of technology complex that
opened in 2015. It's in an island in a
river to the south side of Pyongyang, it's
still in the main city. There was a pretty
major construction project; it went on for
about a year before they opened this. In
the lobby they've got this nice
diorama of what the building looks like.
It actually … this is the rest of the
lobby—it looks pretty modern.
They have this sort of plain pastel
scheme that you actually see a lot in in
modern architectural construction there.
So so if you go into the new water park or
the boat restaurant that they've opened in
the last couple of years you see the same
design styling. This building is part
Science Museum—it has a bunch of sort of
interactive exploratory exhibits that you
might have a class of children come
through to learn. It also has lecture
halls, and it also has a library. And and
when you look at parts of it are that are
the library you see a ton of computers.
Right, this this is a … technically … there,
there is technology here. And and the
thing that is really, I think, fascinating
and revealing about where we are in terms
of our understanding of this country is
you look at these computers and yet again
we see this thing that doesn't look
familiar. This isn't Red Star, it's not
quite anything that looks like the tablets
we've seen. That's that's a desktop
monitor. And it's not Windows or Mac. It's
yet again something new. And in fact,
playing with this, you find that it's
Android that's that's been put in this
custom bezel. It has a keyboard and mouse,
but it's got an Android taskbar at the top
to let you know what apps are there and
it's yet another … they have special cased
and customized a distribution that works
for this purpose. And I think we … for
each one of these that maybe we have seen,
there's there's many more that we haven't.
So, I want to just get us up to speed on
what we do know, to start with. We've seen
Red Star—this is version 3, it came out
three years ago that we learned about Red
Star version 3; this thing that's sort
of Mac-like. There's actually been a
couple other versions that have ended up
on the Internet that we know stuff about.
And we we have at some level a better
picture of what the desktop technology
looks like. We've seen version 2.5 which
looks somewhat Windows like. There's been
a release of the server version that runs
some of the web servers from the country.
And then two years ago, Florian and
Niklaus' talk—they actually went in and
did a bunch of analysis of it, along
with on the Internet there's been
blog posts of other people who've posted
CVEs of various bugs that they found in
this, figured out how to make it run on
the external Internet by changing firewall
rules, and really just like learning a lot
about both the environment that this thing
was working in and the properties of it.
We have a bit less on the mobile side - so
this is what a store in Korea, in
Pyongyang, sort of looks like: those are
laptops on the left, tablets and phones on
the right for sale. We got a talk last
year, again from Niklaus and Florian, about
the Woolim tablet. I think that's actually
maybe on the second row in this picture.
And and we got a sense of some of the
information controls there in particular,
right. So what they talked about was how
this thing prevents some types of file
copies and transferring, and some of the
sort of surveillance things that are built
into it. But again, we didn't get too much
in terms of hardware to bite our teeth
into. Finally, there's this like next
layer up—the software ecosystem. This is
an app store, again in Korea. You go to a
place and they have nice … this is
a nice one where they've got pictures so I
can see which games are for
sale; they'll then plug my
device into a computer and transfer apps
onto the device. And so we get all of this
and we have mostly anecdotes that are that
are helping us sort of get small pictures,
and I think the real problem right is
there's all these devices—this is an
example of a few, and we really, I
think, are quite far behind in having that
bar lowered for people to play and
understand what these things are. So, what
what I want to do to like try and explain
that situation that we're in is is talk
about why we're there and the different
sort of general groups of where these
devices end up. I realize that
that's talking about motives and that
is often like the way that you get
people mad at you, if you try and
ascribe some motivation to them that
they disagree with. So realize that these
are broad strokes and not really
indicative of everyone. But this gives you
some sense of why we've still ended up in
this world of not knowing much publicly.
Maybe … there's a quote from … this is
from Kim Jong-il that's that's relevant, and
and says, you know, Koreans are quite an
intelligent people and even in computer
technology we excel. I think this is
something that we maybe don't appreciate
when we're thinking about this. It is
rational for Korea to not want this stuff
to come out, right? They are worried about
adversarial governments trying to
leverage whatever they can. It seems
rational that it's in their best interest
to make it difficult for this stuff to get
out and for people to be able to attack
them with it. That's what we've seen:
against that threat model, well-
implemented copy control and other
sorts of limitations on the devices.
In terms of foreigners who have access to
these devices, I think there's sort of two
classes. What we saw in the talk last year
was a device that came out through a
defector group. So you've got someone who
left with this device and now he's trying
to figure out what what's on it. And that
is this adversarial relationship where the
goal there is to do damage to the country.
And so there's much more value in having
0-days than there is in releasing this
because then the security gets fixed. And
so you'll see that you know for any device
that comes out there there's really the
sensitivity both in terms of not wanting
to identify people but also in; well if we
find anything that's buggy, we want to be
able to do something with it. I think in
fact there's many more devices that don't
come out that way but that are held by
foreigners who are working constructively
with the country. And for them, the the
reason is somewhat different. And I think
the reason for them is in many cases that
they're worried about sort of the unknown
unknowns of “could someone get in trouble?
Will this result in my connection to the
country getting disrupted? The people
I like and work with getting in trouble
for having given me the device that I've
then done something reckless with.”
Right, so we can see from like
a bunch of individual perspectives why
we don't have more of this technology
out there. We can also understand
that, you know, as the public, this
creates this weird thing where
we're all fascinated but don't
have access. And and that I think
also in the spirit of, you know,
for Korea, this isn't great. Because the
bugs go unpatched and they don't get a
better security. So, this is the
electronic goods store at the airport
which somewhat counter-intuitively doesn't
actually sell the tablets to foreigners
but they do have some. What we're … what
we're going to talk about for the rest of
this talk is an effort that I guess we're
sort of putting out on the web called
computer … KoreaComputerCenter.org. Where
we're going to try and release a bit more
of this technology. And I'm going to talk
through the three initial things that
we're going to put up there that we hope
people play with. And this is in the
spirit that this we think … this makes life
better both for Korea and for the outside
world. For Korea, the same thing I was
just saying—I think you get better
security in the long run. We we I think as
a community understand the value of open-
source software, and in having many eyes
audit and find the bugs. We've already
seen that on the artifacts that have
gotten out. For us, I think it's a great
chance to … to do two things—one one,
it spreads our understanding more
consistently so we actually understand
what is going on in the country and can
make rational policy decisions at some
high level. It's also fascinating and we
get to preserve this anthropological
artifact of this really amazing parallel
development that has created … that
that exists of of what technology is
like in Korea. So, in that spirit,
let's talk about what's coming out.
Some of this I think is showing up on
BitTorrent links that are on this site
koreacomputercenter.org as we speak. The
first is a phone image—there's a system
partition and data partition recovery for
this phone, a Pyongyang 2407. This phone
was chosen because it's made by a Chinese
OEM, Gionee, which also creates the same
hardware in an Indian model. So if you've
got a friend in India at least, you can
get the Gionee V5—it's exactly the same
hardware and so these images can load onto
one of these phones and then you will also
be able to run this operating system. And
so rather than just doing static analysis
of what's there you can actually see how
that fits together and what actually
happens. How it works, that it does shut
down when a SIM card from a different
operator gets plugged in, these sorts of
things. So this is this is just I guess
I'll say the the basic phone system - it
doesn't include most apps but it's got a
bunch of the sort of operating system-
level copy controls. You can get your
hands on the Red Star protection
things that were talked about last year.
The second thing for apps we're going to
turn to something a little bit older this
is the Samjiyon tablet which is one of the
first tablets that came out 2011-2012 era.
This was sort of at the beginning of
Korea's sort of introduction of widespread
consumer electronics, so it got circulated
quite a bit. It was a larger run of
devices than many of them. In fact so
widespread that there's there's one of
these devices in the Stanford library. And
so I guess the other thing I'll stress is
these devices are out there and it's a
matter of making sure that we're releasing
these in a way where it's just like this
is software but we're not necessarily
getting anyone in particular in trouble
because these devices we know are in a
bunch of places and the attribution
becomes hard at that point for
anyone to like, lose
contact or get in trouble. So there's
there's a basic set of apps that come
there. These are some of the icons there -
there's a nice one that has a bunch of
recipes. The the thing I'll say about
these - these were made for this specific
device and this is a thing that you'll see
I think throughout all the software if you
actually take a look at it. And so there's
a lot of hard-coded paths. So as well as
the APKs themselves you'll find that they
reference things that they expect to be in
specific parts of the SD card. Those files
are included, but it's unlikely that if
you just copy the APK onto an Android phone
it will be able to show you much content.
So it would be awesome if someone who
enjoys smali wants to twiddle some paths
so that those can look for internal
resources instead, and lower that bar
further so that more people can play. I
think the other thing that's interesting
here is pretty much all of these apps use
their own specific binary format that's
like yet again this totally new thing
where it's like someone just coded some
totally one-off thing. And that's weird.
And the final thing is we're gonna release
a bunch of educational materials that seem
to sort of end up on these devices.
Education is one of the big purposes,
right? You're you're giving these to the
the children and teenagers who are
especially excited about technology and
one of the useful things that they can do
is use that for for their course material.
In getting a set of PDFs that are sort of
like usable, we ended up having to do some
work. I'm gonna turn over to Gabe to
explain sort of the process we went
through and getting this this last set of
the the textbooks that are
going to come out.
Gabe: Thanks, Will. So basically when I
got involved with this, the situation as
far as these textbooks was that we had
quite a few of these files. And there are
two things you could tell on the surface -
one is that they claim to be PDF files
based on the filename, and some of them
have titles in English or Korean -
that sort of suggests
what's inside. But what you see on the
screen is not what we saw because none of
these files were plain PDFs. So there's a
bit of sort of custom DRM that's been
applied to these files and it's pretty
rudimentary, but it's actually done a kind
of remarkably decent job of what we think
it was designed for. Which is that the
textbooks that come with, or that are
added to, one device are not
supposed to be able to be accessed on a
different device. And as well, if you
pulled these PDF files out of the
device and sent them off outside the
country, they're not readable. Now one
thing I will say is that we know from some
of the previous talks on Red Star that
developers in and for the DPRK have
implemented actual AES-like encryption.
This is not that - it's fairly basic and
we did find some some holes in it. So talk
a little bit about what we did. So when we
look at these files, the first thing we
notice is that they don't have a PDF
header. The first eight bytes have this
reference, or this potential reference
anyway, to what might be a date in
little-endian format. So this might be
either December 1st or January 12th in
1978. If you have any idea what that
means, please let us know because we're
kind of curious. The next thing is that
when we started to look at the devices,
because we also had the applications
that read these files, one of them has a
hard-coded reference to those first four
bytes. And so when you look at what that
application was, we find that it's this
app called UDK.Android.Reader, which if
you go to the Google Play Store it's just
a commercially available PDF Reader app
for Android. But it's not really, because
it's been modified to implement the the
DRM that we're looking at here. So
basically, we took the copy of the
reader that's available online, and one of
the copies on one of the devices, and
when we compare them we find that the
application calls out to a shared library
when it wants to parse a PDF file. That
library looks kind of like this
- these are the ELF sections in the file
and it's pretty normal. When we look at
the copy that's on the DPRK version of the
app, there's this one section added that
kind of jumps out - like it's literally
called dot-modified. So when you look into
what's in that section, we see something
like this - and this is really not going
to be legible both because of the size of
text and because it's decompiled from ARM.
But we have the original decompiled code
on the left, and the DPRK version on the
right. And the two things I just want to
highlight are - at the top the original
function that would be filling a buffer to
read the file has been replaced by a stub
that calls this sort of custom method in
the modified section. And the version
that's over in the modified section does
basically the exact same thing, except
that in one case it will call another
function that does some decryption. And
there's some other things as well in the
modified section this is just sort of one
example. Now the reason that this is kind
of interesting to us is that it really
shows us that these modifications were not
made by someone who had source code.
Like this is kind of crazy low-level, not
crazy, but like it's it's really low-level
modification of the binary itself. So when
we look into those functions and what they
do, what we start finding is that the
shared library, the modified version of
the shared library, has this 512-byte pad
which basically gets used over and over
again as part of the decryption process.
And one of the things about it is that for
different files you will start using it at
a different point. And there's also a four
byte key that's different for every file,
which comes from a combination of a few
bytes in the file header itself, and a
per-device key. So that per-device key is
kind of interesting. So they're taking,
well at the end of the day you want a four
byte key, and they're generating it out of
a six byte MAC address and the code that
they use kind of looks like this.
This is us reimplementing it
in Go. One of
the weird things about it is that some of
these devices may not actually have useful
MAC addresses, so in some cases the MAC
address that it's using is actually just some
hard-coded value in a file. All the time
when it reads these MAC addresses it's
really just reading some code or some
text out of that system's etc MAC address
file. So if you have that key, the process
to decrypt is really simple. You take that
key, you subtract some of the bytes - the
ones marked with Y, and you get your four
bytes to do a decryption. And the point in
the pad that I mentioned for this
starting offset is just that same value
interpreted as an integer mod 512 because
that's the length of the pad. In all the
examples we looked at, or as far as we
could tell, these headers only had keys
for like one device. But looking at the
the compiled code it looks like it might
be possible to have like one file that can
be decrypted by multiple different
devices. We just haven't actually seen a
file that is like that. So the way that it
actually does decryption is byte by byte
and this is a simplified view of what's
going on. We're releasing a tool that will
do this correctly and has all the details
in it but in a nutshell what you're doing
is you're doing a little bit of math to
figure out where you are starting from for
all these operations. And then for each
byte that you want to decrypt, you take
your encrypted byte, you subtract one of
the per-file bytes, and then you XOR the
whole thing with one of the bytes from
that 512 byte pad. So, the cool thing
about this from my point of view is that
this process is totally reversible. So if
you don't know your per-file key but you
do know what the plaintext should look
like, you can run this backwards. And it
looks kind of like that. So what if you just
get a bunch of these encrypted PDF files
and you have no idea what device they came
from and you just want to look at them?
You can also do it like this. It's really
quick to do: you basically
brute-force all of the potential
positions to be starting from, which
is really not that many because the
pad is not very big. And it's kind of a
known-plaintext attack.
The header of a PDF file always looks like
%PDF and then there's a version number. So
you take 4 bytes, you calculate the
per-file key that you would need to make
that decrypt to %PDF, and then you take
the same per-file key and you see if it
would be able to decrypt the next section
to a version number, and wind up with a
valid header. And so we've done this for
all of the files that we found, and
basically wound up with plain text for all
these. One of the things that we noticed
after decrypting these files is that many
of them have watermarks at the end - so if
we look back to the talks on Red Star OS
from the past years, Florian and Niklaus
did some work on understanding what the
watermark is. And if you want full details
look at those talks. But to summarize it -
every time that a file passes through a
desktop system or sometimes a file gets
modified the OS adds basically an
encrypted form of the hard drive serial
number. Now when releasing these files we
want to sort of obscure their origins and
not get any particular people into
trouble, so we remove all those watermarks
before releasing these. And that's pretty
simple because the way that this works
with PDF files is just that there's a
known line of text at the end of the file
that represents the end of the PDF, and
the Red Star always puts these watermarks
at the end so we just chop off the end. So
once we have this we have like over 300
files of really different kinds of things,
and we've kind of looked at some of them
but we're going to be releasing a torrent
with all of them and we'd really like to
see what people come up with - just you
know that that's in these files that we
have noticed.
Will: Have we looked at all of them?
Gabe: I mean yeah, we've had like a quick
look at some of them. We don't, I don't
speak Korean, you know some. There's
probably more to be found in that archive.
So a quick look at just a couple of
examples of things we found. There's many
different kinds of books on these devices
many of them are like computer science
books, there's general-purpose knowledge
kids textbooks. But because we want to
understand the state of technology in in
the DPRK, the part that's most interesting
to us right now is computer science
textbooks. So like two of the examples we
have are this Java programming book and
this computer science book. They've got
some awesome covers and really neat art in
some of them. But yeah, I'll hand that
back to to Will to actually talk about the
analysis of what we we found in these
books and sort of where they came from.
Will: Cool. Yeah, so maybe another quote
from from Kim Jong-il is appropriate,
saying that we need to be aware of the
information technology industry and we
need to meet the needs of the information
technology industry. And so I think one of
the things that that comes out of these
text books that that I think is sort of
interesting and this is the first benefit
is that this can help us understand sort
of where Korea is in terms of how much
emphasis it's placing on this aspect. For a
lot of the educational materials, they
seem to be organically created, they seem
to be about the specific environment
there's a lot of training kids how to use
Red Star of various versions that you see.
The textbooks, many of them are translated
or follow a curriculum and a layout of
foreign external materials that have been
translated. So for some of the ones where
we could identify what the original source
was, we tried to calculate how long that
had taken, because we were actually
surprised sometimes this was a pretty
quick. So I'll show this waterfall graph -
each of these bars represents one book.
Some of the titles at the bottom they're
quite small and the the y-axis is the
year. The bottom is when the original
English version that was used seemed to
come out and and the top is when the
translation was released. And so what's
interesting here is you
see on the order of even the
same year, sometimes a couple of years,
throughout this whole period of 2000 to
2010 where they're putting a bunch of
effort into taking four-hundred, five-
hundred-page books. The torrent of
these text books is four-some gigs, and
doing good translations fairly quickly.
These are like solid translations the code
examples have been often changed, there's
comments in Korean in there. Like, this is
this is a solid effort that we should be
understanding and I think maybe partially
sort of fills this gap of like, what is
this disconnect between this very isolated
country and the fact that it has a really
strong computer capability. Cool, to end,
I just want to sort of give an anecdote
that maybe goes to the other side of this
anthropological value that we get out of
this sort of work. So you've heard about
Kwangmyong - this is the internal network
or Internet. And so from these educational
textbooks you start to get I think more
insight into sort of how this thing has
progressed over over time. Here's pictures
from 2001, I apologize for quality, this
was what was there of an early version of
Kwangmyong. This is Kwangmyong 5.1 which
looks sort of like AOL. It was a dial-up
application that would get you documents
and information. You also see at that same
time that there was an email sort of
corresponding app called "hey son" - I
think I got that pronunciation not too bad
that was used for messaging. We've heard
that there was a messaging system, we
didn't really have that connected to sort
of where that fit in to the puzzle. A
picture that seems to be that same sort of
Internal network ended up on the South
Korean internet around 2005. It got reused
by anonymous in 2013 when they claimed to
attack the Korean government servers, but
but then sort of that that turned out to
be false in that it was this original 2005
post that someone made. That seems to be a
similar system. And even in that 2005 post
they they had sort of also their web
component - that's the same logo
in the upper left as they moved
to sort of a web site
that we've now seen
evolved. It's worth noting here right
Kwangmyong is a single site - it's a
service for generally technical document
retrieval. Here's that same site now up to
the 2010-era looking a little bit nicer at
least at higher quality in the picture.
And so I think what we're starting to do
is we're getting these insights through
through seeing some of these more
documents coming out about what this
internal ecosystem actually looks like.
There are these these services that we can
start to link over time, understand what
sorts of files are available and the
specialties of these different groups, and
and preserve some of this internal network
that, you know, in this fairly unstable
environment, we're in danger of losing.
To bring us up to current time, this is
from 2015 - a sort of blurry picture from
a Koryolink office. Koryolink's the
mobile telephony provider and to call out
that they now have the same set of services
on a poster advertising mobile service
with internal IPs to them. And so we're
seeing now that this is being introduced
at a wider availability and advertised to
people on their mobile devices. So we're
moving beyond just wired desktop
connections but this is now a thing that
more people are going to have access to on
personal devices. And so I think you know,
internally, we're in this really exciting
transitionary phase. I'm happy that that
more of this ends up in the public. So,
there's this site, koreacomputercenter.org - it
should already have some links, more will
show up very soon. If you are interested
we encourage you to go grab that stuff, try
and make the bar lower. If you have
DPRK artifacts, info@
koreacomputercenter.org - we'd love to
talk to you, help make stuff safe, and get
more stuff out for public consumption. I
think we are about that time - are you
coming kicking us off; so we will take
questions across the hall in
the tea room. Thank you.
[Applause]
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!
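The textbook DRM Gabe describes in the talk (a 512-byte pad, a 4-byte per-file key, a start offset of that key mod 512, subtract a key byte then XOR a pad byte), the known-plaintext recovery from the %PDF header and the %%EOF watermark chop, worked through in Go as an added example; this is not the speakers' released tool. The real pad bytes, the MAC-derived per-device key, the exact key-byte cycling and the byte order are not on the page, so the pad here is constructed and those details are this example's assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

const padLen = 512 // length of the fixed pad described in the talk
// samplePad returns a constructed stand-in pad (not the real one) from an LCG.
func samplePad() []byte {
	pad := make([]byte, padLen)
	x := uint32(0x2407) // arbitrary seed for the constructed pad
	for i := range pad {
		x = x*1664525 + 1013904223
		pad[i] = byte(x >> 24)
	}
	return pad
}

// startOffset follows the talk: the per-file key as an integer (little-endian assumed), mod 512.
func startOffset(key [4]byte) int {
	v := uint32(key[0]) | uint32(key[1])<<8 | uint32(key[2])<<16 | uint32(key[3])<<24
	return int(v % padLen)
}

// decrypt applies the talk's per-byte rule: subtract a per-file key byte, then
// XOR with a pad byte. Cycling the key by position is this example's assumption.
func decrypt(enc []byte, key [4]byte, start int, pad []byte) []byte {
	out := make([]byte, len(enc))
	for i, c := range enc {
		out[i] = (c - key[i%4]) ^ pad[(start+i)%padLen]
	}
	return out
}

// encrypt is the exact inverse; it exists only to build sample input.
func encrypt(plain []byte, key [4]byte, pad []byte) []byte {
	start := startOffset(key)
	out := make([]byte, len(plain))
	for i, p := range plain {
		out[i] = (p ^ pad[(start+i)%padLen]) + key[i%4]
	}
	return out
}

// recoverKey is the known-plaintext attack from the talk: every PDF starts
// "%PDF-1.x", so for each of the 512 candidate offsets derive the key that maps
// the first four bytes to "%PDF", and keep it only if the next bytes decrypt
// to "-1." plus a digit and the offset is consistent with that key.
func recoverKey(enc []byte, pad []byte) ([4]byte, int, error) {
	var key [4]byte
	if len(enc) < 8 {
		return key, 0, fmt.Errorf("%d bytes is too short to hold a PDF header", len(enc))
	}
	known := []byte("%PDF")
	for start := 0; start < padLen; start++ {
		for i := 0; i < 4; i++ {
			key[i] = enc[i] - (known[i] ^ pad[(start+i)%padLen])
		}
		head := decrypt(enc[:8], key, start, pad)
		if bytes.Equal(head[4:7], []byte("-1.")) && head[7] >= '0' &&
			head[7] <= '9' && startOffset(key) == start {
			return key, start, nil
		}
	}
	return key, 0, fmt.Errorf("no start offset yields a valid PDF header")
}

// stripWatermark drops whatever follows the final %%EOF line, where the talk
// says Red Star appends its watermark.
func stripWatermark(pdf []byte) []byte {
	if idx := bytes.LastIndex(pdf, []byte("%%EOF\n")); idx >= 0 {
		return pdf[:idx+len("%%EOF\n")]
	}
	return pdf
}

func main() {
	pad := samplePad()
	plain := []byte("%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\nWATERMARK-PLACEHOLDER") // constructed sample
	enc := encrypt(plain, [4]byte{0x13, 0x37, 0xc0, 0xde}, pad)
	key, start, err := recoverKey(enc, pad)
	if err != nil { panic(err) }
	fmt.Printf("key % x, offset %d\n%q\n", key, start, stripWatermark(decrypt(enc, key, start, pad)))
}
```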