34c3 preroll

Herald: The Democratic People's Republic of Korea, or, as most of you know it, North Korea, is a topic which has already been following us at Congress for four years. It all started at 31c3 with Will Scott, one of our speakers today, giving a talk about teaching computer science in North Korea. The topic was then continued by Florian Grunow and Niklaus Schiess, who talked about the Red Star OS and also the tablet PC called Woolim. Today, we will hear the next episode: we will hear about consumer electronics in North Korea. We will take a peek behind the curtain, learn about the Internet, and the current market situation there. Our speakers today are Will Scott, a security postdoc, as well as his friend Gabe Edwards, security consultant, and they will give us a peek behind the curtain. So, please, welcome Will and Gabe with a big round of applause; thank you for being here already.

[Applause]

Will: Thank you, great. So just to put this in perspective, right, one of the disclaimers is that the words that get used, especially on this topic, often have a lot of meaning. There is a reason that we'll be calling this DPRK or Korea throughout. Those are often the words you'll hear from people who are dealing with engagement with the country. North Korea is a term that the country does not call itself, but rather is what typically more adversarial countries use to talk about it as an occupying presence. So that language is this weird quirk that exists here. So yeah, we're going to talk some about what consumer technology looks like and how it's evolving and what's going on there. I think we're pretty excited about this. I want to start by setting a little bit of context. This is the science and technology complex that opened in 2015. It's on an island in a river on the south side of Pyongyang; it's still in the main city. There was a pretty major construction project; it went on for about a year before they opened this.
In the lobby they've got this nice diorama of what the building looks like. It actually … this is the rest of the lobby; it looks pretty modern. They have this sort of plain pastel scheme that you actually see a lot in modern architectural construction there. So if you go into the new water park or the boat restaurant that they've opened in the last couple of years, you see the same design styling. This building is part science museum; it has a bunch of sort of interactive exploratory exhibits that you might have a class of children come through to learn. It also has lecture halls, and it also has a library. And when you look at the parts of it that are the library, you see a ton of computers. Right, this is a … technically … there is technology here. And the thing that is really, I think, fascinating and revealing about where we are in terms of our understanding of this country is that you look at these computers and yet again we see this thing that doesn't look familiar. This isn't Red Star; it's not quite anything that looks like the tablets we've seen. That's a desktop monitor. And it's not Windows or Mac. It's yet again something new. And in fact, playing with this, you find that it's Android that's been put in this custom bezel. It has a keyboard and mouse, but it's got an Android taskbar at the top to let you know what apps are there, and it's yet another … they have special-cased and customized a distribution that works for this purpose. And I think we … for each one of these that maybe we have seen, there are many more that we haven't. So, I want to just get us up to speed on what we do know, to start with. We've seen Red Star: this is version 3; it was three years ago that we learned about Red Star version 3, this thing that's sort of Mac-like. There have actually been a couple of other versions that have ended up on the Internet that we know stuff about.
And we have at some level a better picture of what the desktop technology looks like. We've seen version 2.5, which looks somewhat Windows-like. There's been a release of the server version that runs some of the web servers from the country. And then two years ago, Florian and Niklaus' talk: they actually went in and did a bunch of analysis of it, along with, on the Internet, blog posts of other people who've posted CVEs of various bugs that they found in this, figured out how to make it run on the external Internet by changing firewall rules, and really just learned a lot about both the environment that this thing was working in and the properties of it. We have a bit less on the mobile side. So this is what a store in Korea, in Pyongyang, sort of looks like: those are laptops on the left, tablets and phones on the right, for sale. We got a talk last year, again from Niklaus and Florian, about the Woolim tablet. I think that's actually maybe on the second row in this picture. And we got a sense of some of the information controls there in particular, right. So what they talked about was how this thing prevents some types of file copies and transferring, and some of the sort of surveillance things that are built into it. But again, we didn't get too much in terms of hardware to bite our teeth into. Finally, there's this next layer up: the software ecosystem. This is an app store, again in Korea. You go to a place and they have nice … this is a nice one where they've got pictures so I can see which games are for sale; they'll then plug my device into a computer and transfer apps onto the device.
And so we get all of this and we have mostly anecdotes that are helping us sort of get small pictures, and I think the real problem, right, is there are all these devices (this is an example of a few), and we really, I think, are quite far behind in having that bar lowered for people to play with and understand what these things are. So, what I want to do to try and explain that situation that we're in is talk about why we're there and the different sort of general groups of where these devices end up. I realize that that's talking about motives, and that is often the way that you get people mad at you, if you try and ascribe some motivation to them that they disagree with. So realize that these are broad strokes and not really indicative of everyone. But this gives you some sense of why we've still ended up in this world of not knowing much publicly. Maybe … there's a quote from … this is from Kim Jong-il that's relevant, and says, you know, Koreans are quite an intelligent people and even in computer technology we excel. I think this is something that we maybe don't appreciate when we're thinking about this. It is rational for Korea to not want this stuff to come out, right? They are worried about adversarial governments trying to leverage whatever they can. It seems rational that it's in their best interest to make it difficult for this stuff to get out and for people to be able to attack them with it. That's what we've seen: against that threat model, well-implemented copy control and other sorts of limitations on the devices. In terms of foreigners who have access to these devices, I think there are sort of two classes. What we saw in the talk last year was a device that came out through a defector group. So you've got someone who left with this device and now he's trying to figure out what's on it. And that is this adversarial relationship where the goal there is to do damage to the country.
And so there's much more value in having 0-days than there is in releasing this, because then the security gets fixed. And so you'll see that, you know, for any device that comes out, there's really the sensitivity both in terms of not wanting to identify people, but also in: well, if we find anything that's buggy, we want to be able to do something with it. I think in fact there are many more devices that don't come out that way but that are held by foreigners who are working constructively with the country. And for them, the reason is somewhat different. And I think the reason for them is in many cases that they're worried about sort of the unknown unknowns of "Could someone get in trouble? Will this result in my connection to the country getting disrupted? The people I like and work with getting in trouble for having given me the device that I've then done something reckless with." Right, so we can see from a bunch of individual perspectives why we don't have more of this technology out there. We can also understand that, you know, as the public, this creates this weird thing where we're all fascinated but don't have access. And that, I think, also in the spirit of, you know, for Korea, this isn't great. Because the bugs go unpatched and they don't get better security. So, this is the electronic goods store at the airport, which somewhat counter-intuitively doesn't actually sell the tablets to foreigners, but they do have some. What we're going to talk about for the rest of this talk is an effort that I guess we're sort of putting out on the web called computer … KoreaComputerCenter.org, where we're going to try and release a bit more of this technology. And I'm going to talk through the three initial things that we're going to put up there that we hope people play with. And this is in the spirit that this, we think, makes life better both for Korea and for the outside world.
For Korea, the same thing I was just saying: I think you get better security in the long run. We, I think, as a community understand the value of open-source software, and in having many eyes audit and find the bugs. We've already seen that on the artifacts that have gotten out. For us, I think it's a great chance to do two things. One, it spreads our understanding more consistently so we actually understand what is going on in the country and can make rational policy decisions at some high level. It's also fascinating, and we get to preserve this anthropological artifact of this really amazing parallel development that exists of what technology is like in Korea. So, in that spirit, let's talk about what's coming out. Some of this I think is showing up on BitTorrent links that are on this site, koreacomputercenter.org, as we speak. The first is a phone image: there's a system partition and data partition recovery for this phone, a Pyongyang 2407. This phone was chosen because it's made by a Chinese OEM, Gionee, which also creates the same hardware in an Indian model. So if you've got a friend in India at least, you can get the Gionee V5; it's exactly the same hardware, and so these images can load onto one of these phones and then you will also be able to run this operating system. And so rather than just doing static analysis of what's there, you can actually see how that fits together and what actually happens. How it works, that it does shut down when a SIM card from a different operator gets plugged in, these sorts of things. So this is just, I guess I'll say, the basic phone system. It doesn't include most apps, but it's got a bunch of the sort of operating-system-level copy controls. You can get your hands on the Red Star protection things that were talked about last year.
The second thing, for apps, we're going to turn to something a little bit older: this is the Samjiyon tablet, which is one of the first tablets that came out, 2011-2012 era. This was sort of at the beginning of Korea's introduction of widespread consumer electronics, so it got circulated quite a bit. It was a larger run of devices than many of them. In fact so widespread that there's one of these devices in the Stanford library. And so I guess the other thing I'll stress is these devices are out there, and it's a matter of making sure that we're releasing these in a way where it's just, like, this is software, but we're not necessarily getting anyone in particular in trouble, because these devices we know are in a bunch of places and the attribution becomes hard at that point for anyone to, like, lose contact or get in trouble. So there's a basic set of apps that come there. These are some of the icons there; there's a nice one that has a bunch of recipes. The thing I'll say about these: these were made for this specific device, and this is a thing that you'll see, I think, throughout all the software if you actually take a look at it. And so there are a lot of hard-coded paths. So as well as the APKs themselves, you'll find that they reference things that they expect to be in specific parts of the SD card. Those files are included, but it's unlikely that if you just copy the APK onto an Android phone it will be able to show you much content. So it would be awesome if someone who enjoys smali wants to twiddle some paths so that those can look for internal resources instead, and lower that bar further so that more people can play. I think the other thing that's interesting here is pretty much all of these apps use their own specific binary format that's, like, yet again this totally new thing where someone just coded some totally one-off thing. And that's weird.
And the final thing is we're gonna release a bunch of educational materials that seem to sort of end up on these devices. Education is one of the big purposes, right? You're giving these to the children and teenagers who are especially excited about technology, and one of the useful things that they can do is use that for their course material. In getting a set of PDFs that are sort of usable, we ended up having to do some work. I'm gonna turn over to Gabe to explain sort of the process we went through in getting this last set of the textbooks that are going to come out.

Gabe: Thanks, Will. So basically when I got involved with this, the situation as far as these textbooks was that we had quite a few of these files. And there are two things you could tell on the surface: one is that they claim to be PDF files based on the filename, and some of them have titles in English or Korean that sort of suggest what's inside. But what you see on the screen is not what we saw, because none of these files were plain PDFs. So there's a bit of sort of custom DRM that's been applied to these files, and it's pretty rudimentary, but it's actually done a kind of remarkably decent job of what we think it was designed for. Which is that the textbooks that come with, or that are added to, one device are not supposed to be able to be accessed on a different device. And as well, so if you pulled these PDF files out of the device and sent them off outside the country, they're not readable. Now one thing I will say is that we know from some of the previous talks on Red Star that developers in and for the DPRK have implemented actual AES-like encryption. This is not that; it's fairly basic and we did find some holes in it. So I'll talk a little bit about what we did. So when we look at these files, the first thing we notice is that they don't have a PDF header.
The first eight bytes have this reference, or this potential reference anyway, to what might be a date in little-endian format. So this might be either December 1st or January 12th in 1978. If you have any idea what that means, please let us know, because we're kind of curious. The next thing is that when we started to look at the devices, because we also had the applications that read these files, one of them has a hard-coded reference to those first four bytes. And so when you look at what that application was, we find that it's this app called UDK.Android.Reader, which, if you go to the Google Play Store, is just a commercially available PDF reader app for Android. But it's not really, because it's been modified to implement the DRM that we're looking at here. So basically, we took the copy of the reader that's available online, and one of the copies on one of the devices, and when we compare them we find that the application calls out to a shared library when it wants to parse a PDF file. That library looks kind of like this: these are the ELF sections in the file, and it's pretty normal. When we look at the copy that's in the DPRK version of the app, there's this one section added that kind of jumps out; it's literally called .modified. So when you look into what's in that section, we see something like this, and this is really not going to be legible, both because of the size of the text and because it's decompiled from ARM. But we have the original decompiled code on the left, and the DPRK version on the right. And the two things I just want to highlight are: at the top, the original function that would be filling a buffer to read the file has been replaced by a stub that calls this sort of custom method in the modified section. And the version that's over in the modified section does basically the exact same thing, except that in one case it will call another function that does some decryption.
And there are some other things as well in the modified section; this is just sort of one example. Now the reason that this is kind of interesting to us is that it really shows us that these modifications were not made by someone who had source code. Like, this is kind of crazy low-level, not crazy, but it's really low-level modification of the binary itself. So when we look into those functions and what they do, what we start finding is that the shared library, the modified version of the shared library, has this 512-byte pad which basically gets used over and over again as part of the decryption process. And one of the things about it is that for different files you will start using it at a different point. And there's also a four-byte key that's different for every file, which comes from a combination of a few bytes in the file header itself, and a per-device key. So that per-device key is kind of interesting. So they're taking, well, at the end of the day you want a four-byte key, and they're generating it out of a six-byte MAC address, and the code that they use kind of looks like this. This is us reimplementing it in Go. One of the weird things about it is that some of these devices may not actually have useful MAC addresses, so in some cases the MAC address that it's using is actually just some hard-coded value in a file. All the time when it reads these MAC addresses, it's really just reading some text out of that /system/etc MAC address file. So if you have that key, the process to decrypt is really simple. You take that key, you subtract some of the bytes, the ones marked with Y, and you get your four bytes to do a decryption. And the point in the pad that I mentioned for this starting offset is just that same value interpreted as an integer mod 512, because that's the length of the pad. In all the examples we looked at, or as far as we could tell, these headers only had keys for, like, one device.
But looking at the compiled code, it looks like it might be possible to have one file that can be decrypted by multiple different devices. We just haven't actually seen a file like that. So the way that it actually does decryption is byte by byte, and this is a simplified view of what's going on. We're releasing a tool that will do this correctly and has all the details in it, but in a nutshell what you're doing is a little bit of math to figure out where you are starting from for all these operations. And then for each byte that you want to decrypt, you take your encrypted byte, you subtract one of the per-file bytes, and then you XOR the whole thing with one of the bytes from that 512-byte pad. So, the cool thing about this from my point of view is that this process is totally reversible. So if you don't know your per-file key but you do know what the plaintext should look like, you can run this backwards. And it looks something like that. So what if you just get a bunch of these encrypted PDF files and you have no idea what device they came from and you just want to look at them? You can also do it like this. It's really quick to do: you basically brute-force all of the potential positions to be starting from, which is really not that many, because the pad is not very big. And it's kind of a known-plaintext attack. The header of a PDF file always looks like %PDF and then there's a version number. So you take 4 bytes, you calculate the per-file key that you would need to make that decrypt to %PDF, and then you take the same per-file key and you see if it would be able to decrypt the next section to a version number, and wind up with a valid header. And so we've done this for all of the files that we found, and basically wound up with plaintext for all these.
One of the things that we noticed after decrypting these files is that many of them have watermarks at the end. So if we look back to the talks on Red Star OS from the past years, Florian and Niklaus did some work on understanding what the watermark is. And if you want full details, look at those talks. But to summarize it: every time that a file passes through a desktop system, or sometimes when a file gets modified, the OS adds basically an encrypted form of the hard drive serial number. Now when releasing these files we want to sort of obscure their origins and not get any particular people into trouble, so we remove all those watermarks before releasing these. And that's pretty simple, because the way that this works with PDF files is just that there's a known line of text at the end of the file that represents the end of the PDF, and Red Star always puts these watermarks at the end, so we just chop off the end. So once we have this we have over 300 files of really different kinds of things, and we've kind of looked at some of them, but we're going to be releasing a torrent with all of them and we'd really like to see what people come up with, beyond what we have noticed in these files.

Will: Have we looked at all of them?

Gabe: I mean, yeah, we've had a quick look at some of them. I don't speak Korean; you know some. There's probably more to be found in that archive. So a quick look at just a couple of examples of things we found. There are many different kinds of books on these devices; many of them are computer science books, there are general-purpose knowledge kids' textbooks. But because we want to understand the state of technology in the DPRK, the part that's most interesting to us right now is computer science textbooks. So two of the examples we have are this Java programming book and this computer science book. They've got some awesome covers and really neat art in some of them.
But yeah, I'll hand that back to Will to actually talk about the analysis of what we found in these books and sort of where they came from.

Will: Cool. Yeah, so maybe another quote from Kim Jong-il is appropriate, saying that we need to be aware of the information technology industry and we need to meet the needs of the information technology industry. And so I think one of the things that comes out of these textbooks that I think is sort of interesting, and this is the first benefit, is that this can help us understand where Korea is in terms of how much emphasis it's placing on this aspect. A lot of the educational materials seem to be organically created; they seem to be about the specific environment. There's a lot of training kids how to use Red Star of the various versions that you see. The textbooks, many of them are translated, or follow the curriculum and layout of foreign external materials that have been translated. So for some of the ones where we could identify what the original source was, we tried to calculate how long that had taken, because we were actually surprised; sometimes this was pretty quick. So I'll show this waterfall graph: each of these bars represents one book. Some of the titles are at the bottom; they're quite small, and the y-axis is the year. The bottom is when the original English version that was used seemed to come out, and the top is when the translation was released. And so what's interesting here is you see on the order of even the same year, sometimes a couple of years, throughout this whole period of 2000 to 2010, where they're putting a bunch of effort into taking four-hundred, five-hundred page books (the torrent of these textbooks is four-some gigabytes) and doing good translations fairly quickly. These are solid translations; the code examples have often been changed, there are comments in Korean in there.
Like, this is a solid effort that we should be understanding, and I think maybe partially sort of fills this gap of, like, what is this disconnect between this very isolated country and the fact that it has a really strong computer capability. Cool, to end, I just want to sort of give an anecdote that maybe goes to the other side of this anthropological value that we get out of this sort of work. So you've heard about Kwangmyong; this is the internal network or Internet. And so from these educational textbooks you start to get, I think, more insight into sort of how this thing has progressed over time. Here are pictures from 2001, I apologize for the quality; this was what was there of an early version of Kwangmyong. This is Kwangmyong 5.1, which looks sort of like AOL. It was a dial-up application that would get you documents and information. You also see at that same time that there was a corresponding email sort of app called "hey son" (I think I got that pronunciation not too bad) that was used for messaging. We've heard that there was a messaging system; we didn't really have that connected to sort of where that fit into the puzzle. A picture that seems to be that same sort of internal network ended up on the South Korean internet around 2005. It got reused by Anonymous in 2013 when they claimed to attack the Korean government servers, but then that turned out to be false, in that it was this original 2005 post that someone made. That seems to be a similar system. And even in that 2005 post they had sort of also their web component; that's the same logo in the upper left as they moved to sort of a website that we've now seen evolve. It's worth noting here, right, Kwangmyong is a single site; it's a service for generally technical document retrieval. Here's that same site now up to the 2010 era, looking a little bit nicer, at least at higher quality in the picture.
And so I think what we're starting to do is we're getting these insights through seeing some of these more documents coming out about what this internal ecosystem actually looks like. There are these services that we can start to link over time, understand what sorts of files are available and the specialties of these different groups, and preserve some of this internal network that, you know, in this fairly unstable environment, we're in danger of losing. To bring us up to current time, this is from 2015, a sort of blurry picture from a Koryolink office. Koryolink is the mobile telephony provider, and to call out that they now have the same set of services on a poster advertising mobile service, with internal IPs to them. And so we're seeing now that this is being introduced at a wider availability and advertised to people on their mobile devices. So we're moving beyond just wired desktop connections, but this is now a thing that more people are going to have access to on personal devices. And so I think, you know, internally, we're in this really exciting transitionary phase. I'm happy that more of this ends up in the public. So, there's this site, koreacomputercenter.org; it should already have some links, more will show up very soon. If you are interested, we encourage you to go grab that stuff and try and make the bar lower. If you have DPRK artifacts, info@koreacomputercenter.org; we'd love to talk to you, help make stuff safe, and get more stuff out for public consumption. I think we are about at that time. Are you coming to kick us off? So we will take questions across the hall in the tea room. Thank you.

[Applause]

34c3 postroll

Subtitles created by c3subtitles.de in the year 2018. Join, and help us!
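The per-byte scheme and the known-plaintext recovery that Gabe describes in the talk, written out in Go as an added worked example. This is not the speakers' tool, not code from the talk, and not part of the transcript. Everything specific here is constructed so that it runs offline: the 512-byte pad is generated from a fixed seed (the real pad lives in the modified shared library and is not given in the talk), the 8-byte file header is a placeholder, and the per-file key, pad offset and sample PDF are made up. The talk does not give the exact header-to-key derivation, so this models only the byte-wise rule (subtract a per-file key byte, XOR a pad byte), brute-forces all 512 pad positions against a "%PDF-1.x" header as described, and then chops the trailing watermark after the last %%EOF.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/rand"
)

const (
	padSize   = 512 // length of the pad in the modified library, per the talk
	headerLen = 8   // the 8-byte non-PDF header seen at the start of the encrypted files
)

// pad stands in for the 512-byte pad baked into the modified shared library.
// Generated from a fixed seed purely so the example is reproducible; it is NOT the real pad.
var pad = func() []byte {
	r := rand.New(rand.NewSource(2407))
	p := make([]byte, padSize)
	for i := range p {
		p[i] = byte(r.Intn(256))
	}
	return p
}()

// decryptBody applies the rule from the talk to every byte:
// plaintext[i] = (ciphertext[i] - key[i mod 4]) XOR pad[(offset + i) mod 512].
func decryptBody(ct []byte, key [4]byte, offset int) []byte {
	pt := make([]byte, len(ct))
	for i, c := range ct {
		pt[i] = (c - key[i%4]) ^ pad[(offset+i)%padSize]
	}
	return pt
}

// encryptBody is the exact inverse; used here only to build a sample file.
func encryptBody(pt []byte, key [4]byte, offset int) []byte {
	ct := make([]byte, len(pt))
	for i, p := range pt {
		ct[i] = (p ^ pad[(offset+i)%padSize]) + key[i%4]
	}
	return ct
}

// looksLikePDFVersion accepts what follows "%PDF" in a real header: "-1.0".."-1.7" or "-2.0".
func looksLikePDFVersion(b []byte) bool {
	if len(b) < 4 || b[0] != '-' || b[2] != '.' {
		return false
	}
	return (b[1] == '1' && b[3] >= '0' && b[3] <= '7') || (b[1] == '2' && b[3] == '0')
}

// recoverPDF is the known-plaintext attack: for each of the 512 pad offsets, solve the
// 4-byte key that turns the first body bytes into "%PDF", then keep it only if the same key
// also decrypts the next 4 bytes to a plausible version number.
func recoverPDF(file []byte) (key [4]byte, offset int, pt []byte, err error) {
	if len(file) < headerLen+8 {
		return key, 0, nil, errors.New("file too short to hold a header and %PDF-x.y")
	}
	body := file[headerLen:]
	for off := 0; off < padSize; off++ {
		var k [4]byte
		for i := 0; i < 4; i++ {
			// "%PDF"[i] == (body[i] - k[i]) ^ pad[off+i]  =>  k[i] = body[i] - ("%PDF"[i] ^ pad[off+i])
			k[i] = body[i] - ("%PDF"[i] ^ pad[(off+i)%padSize])
		}
		if looksLikePDFVersion(decryptBody(body[:8], k, off)[4:8]) {
			return k, off, decryptBody(body, k, off), nil
		}
	}
	return key, 0, nil, errors.New("no pad offset yields a %PDF header")
}

// stripTrailingWatermark drops everything after the last "%%EOF" marker (plus one newline),
// which is where the talk says the Red Star watermark is appended.
func stripTrailingWatermark(pdf []byte) []byte {
	i := bytes.LastIndex(pdf, []byte("%%EOF"))
	if i < 0 {
		return pdf
	}
	end := i + len("%%EOF")
	if end < len(pdf) && (pdf[end] == '\n' || pdf[end] == '\r') {
		end++
	}
	return pdf[:end]
}

// buildSampleFile constructs an encrypted file: placeholder header, then a tiny PDF with a
// made-up watermark blob after %%EOF. Key, offset and contents are all invented for the demo.
func buildSampleFile() (file []byte, plain []byte, key [4]byte, offset int) {
	plain = []byte("%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
	marked := append(append([]byte{}, plain...), []byte("WM:constructed-serial-blob-0123456789")...)
	key = [4]byte{0x5a, 0x13, 0xc7, 0x88}
	offset = 301
	header := []byte{0x01, 0x0c, 0xb9, 0x03, 0x00, 0x00, 0x00, 0x00} // placeholder, not the real header
	file = append(header, encryptBody(marked, key, offset)...)
	return file, plain, key, offset
}

func main() {
	file, _, _, _ := buildSampleFile()
	key, off, pt, err := recoverPDF(file)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	fmt.Printf("recovered per-file key %x at pad offset %d\n", key, off)
	fmt.Printf("%s", stripTrailingWatermark(pt))
}
```

The version-number check is what keeps the brute force honest: the first four bytes can always be forced to "%PDF" by choosing the key, so only the following bytes carry evidence, and with 512 candidate offsets a 4-byte "-1.x" match leaves a false positive essentially impossible. The talk also says the real starting offset is derived from the key value mod 512; the recovery above does not depend on that, which is why it works without knowing the device key.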