-
34c3 preroll
-
Herald: The Democratic People's Republic
of Korea—or, as most of you know it,
-
North Korea, is a topic which has
already been following us at Congress
-
for four years. It all started
in 31c3 with Will Scott,
-
one of our speakers today, giving a
talk about teaching computer science in
-
North Korea. The topic was then carried on by
Florian Grunow and Niklaus Schiess, who
-
talked about the Red Star OS and also the
tablet PC called Woolim. Today, we will
-
hear the next episode—we will hear about
consumer electronics in North Korea. We
-
will take a peek behind the curtain, learn
about the Internet, and the current market
-
situation there. Our speakers today
are Will Scott, a security postdoc, as
-
well as his friend Gabe Edwards, security
consultant, and they will give us a peek
-
behind the curtain. So, please, welcome
Will and Gabe with a big round of applause,
-
thank you for being here already.
[Applause]
-
Will: Thank you, great. So just just to
put this in perspective, right, one of the
-
disclaimers is that the words that get
used, especially on this topic often have
-
a lot of meaning. There is a reason
that we'll be calling this DPRK or
-
Korea throughout. That's often the words
you'll hear of people who are dealing with
-
engagement with the country. North Korea
is a term that the country does not call
-
itself, but rather is what typically more
adversarial countries use to talk about it
-
as an occupying presence. So that that
language is is this weird quirk that
-
exists here. So yeah, we're going to talk
some about what consumer technology looks
-
like and how it's evolving and what's
going on there. I think we're pretty
-
excited about this. I want to start by by
setting a little bit of context. This is
-
the science of technology complex that
opened in 2015. It's in an island in a
-
river to the south side of Pyongyang, it's
still in the main city. There was a pretty
-
major construction project; it went on for
about a year before they opened this. In
-
the lobby they've got this nice
diorama of what the building looks like.
-
It actually … this is the rest of the
lobby—it looks pretty modern.
-
They have this sort of plain pastel
scheme that you actually see a lot in in
-
modern architectural construction there.
So so if you go into the new water park or
-
the boat restaurant that they've opened in
the last couple of years you see the same
-
design styling. This building is part
Science Museum—it has a bunch of sort of
-
interactive exploratory exhibits that you
might have a class of children come
-
through to learn. It also has lecture
halls, and it also has a library. And and
-
when you look at the parts of it that are
the library you see a ton of computers.
-
Right, this this is a … technically … there,
there is technology here. And and the
-
thing that is really, I think, fascinating
and revealing about where we are in terms
-
of our understanding of this country is
you look at these computers and yet again
-
we see this thing that doesn't look
familiar. This isn't Red Star, it's not
-
quite anything that looks like the tablets
we've seen. That's that's a desktop
-
monitor. And it's not Windows or Mac. It's
yet again something new. And in fact,
-
playing with this, you find that it's
Android that's that's been put in this
-
custom bezel. It has a keyboard and mouse,
but it's got an Android taskbar at the top
-
to let you know what apps are there and
it's yet another … they have special cased
-
and customized a distribution that works
for this purpose. And I think we … for
-
each one of these that maybe we have seen,
there's there's many more that we haven't.
-
So, I want to just get us up to speed on
what we do know, to start with. We've seen
-
Red Star—this is version 3, it came out
three years ago that we learned about Red
-
Star version 3; this this thing that sort
of Mac-like. There's actually been a
-
couple other versions that have ended up
on the Internet that we know stuff about.
-
And we we have at some level a better
picture of what the desktop technology
-
looks like. We've seen version 2.5 which
looks somewhat Windows like. There's been
-
a release of the server version that runs
some of the web servers from the country.
-
And then two years ago, Florian and
Niklaus' talk—they actually went in and
-
did a bunch of analysis of it, along
with on the Internet there's been
-
blog posts of other people who've posted
CVEs of various bugs that they found in
-
this, figured out how to make it run on
the external Internet by changing firewall
-
rules, and really just like learning a lot
about both the environment that this thing
-
was working in and the properties of it.
We have a bit less on the mobile side - so
-
this is what a store in in Korea in
Pyongyang sort of looks like: those are
-
laptops on the left, tablets and phones on
the right for sale. We got a talk last
-
year, again from Niklaus and Florian, about
the Woolim tablet. I think that's actually
-
maybe on the second row in this picture.
And and we got a sense of some of the
-
information controls there in particular,
right. So what they talked about was how
-
this thing prevents some types of file
copies and transferring, and some of the
-
sort of surveillance things that are built
into it. But again, we didn't get too much
-
in terms of hardware to bite our teeth
into. Finally, there's this like next
-
layer up—the software ecosystem. This is
an app store, again in Korea. You go to a
-
place and they have nice … this is this is
a nice one where they've got pictures so I
-
can see which games it is that are for
sale, and they'll then plug my
-
device into a computer and transfer apps
onto the device. And so we get all of this
-
and we have mostly anecdotes that are that
are helping us sort of get small pictures,
-
and I think the real problem right is
there's all these devices—this is an
-
example of a few, and and we really I
think are quite far behind and having that
-
bar lowered for people to play and
understand what these things are. So, what
-
what I want to do to like try and explain
that situation that we're in is is talk
-
about why we're there and the different
sort of general groups of where these
-
devices end up. I realize that
that's talking about motives and that
-
is often like the way that you get
people mad at you, if you try and
-
ascribe some motivation to them that
they disagree with. So realize that these
-
are broad strokes and not really
indicative of everyone. But this gives you
-
some sense of why we've still ended up in
this world of not knowing much publicly.
-
Maybe … there's a quote from … this is
from Kim Jong-il that's that's relevant, and
-
and says, you know, Koreans are quite an
intelligent people and even in computer
-
technology we excel. I think this is
something that we maybe don't appreciate
-
when we're thinking about this. It is
rational for Korea to not want this stuff
-
to come out, right? They are worried about
adversarial governments trying to
-
leverage whatever they can. It seems
rational that it's in their best interest
-
to make it difficult for this stuff to get
out and for people to be able to attack
-
them with it. That's what we've seen in,
you know, against the threat model well
-
implemented copy control and and other
sort of limitations on the on the devices.
-
In terms of foreigners who have access to
these devices, I think there's sort of two
-
classes. What we saw in the talk last year
was a device that came out through a
-
defector group. So you've got someone who
left with this device and now he's trying
-
to figure out what what's on it. And that
is this adversarial relationship where the
-
goal there is to do damage to the country.
And so there's much more value in having
-
0-days than there is in releasing this
because then the security gets fixed. And
-
so you'll see that you know for any device
that comes out there there's really the
-
sensitivity both in terms of not wanting
to identify people but also in; well if we
-
find anything that's buggy, we want to be
able to do something with it. I think in
-
fact there's many more devices that don't
come out that way but that are held by
-
foreigners who are working constructively
with the country. And for them, the the
-
reason is somewhat different. And I think
the reason for them is in many cases that
-
they're worried about sort of the unknown
unknowns of “could someone get in trouble?
-
Will this result in my connection to the
country getting disrupted? The people
-
I like and work with getting in trouble
for having given me the device that I've
-
done something reckless with.”
Right, so we can see from like
-
a bunch of individual perspectives why
we don't have more of this technology
-
out there. We can also understand
that, you know, as the public, this
-
creates this weird thing where
we're all fascinated but don't
-
have access. And and that I think
also in the spirit of, you know,
-
for Korea, this isn't great. Because the
bugs go unpatched and they don't get a
-
better security. So, this is the
electronic goods store at the airport
-
which somewhat counter-intuitively doesn't
actually sell the tablets to foreigners
-
but they do have some. What we're … what
we're going to talk about for the rest of
-
this talk is an effort that I guess we're
sort of putting out on the web called
-
computer … KoreaComputerCenter.org. Where
we're going to try and release a bit more
-
of this technology. And I'm going to talk
through the three initial things that
-
we're going to put up there that we hope
people play with. And this is in the
-
spirit that this we think … this makes life
better both for Korea and for the outside
-
world. For Korea, the same thing I was
just saying—I think you get better
-
security in the long run. We we I think as
a community understand the value of open-
-
source software, and in having many eyes
audit and find the bugs. We've already
-
seen that on the artifacts that have
gotten out. For us, I think it's a great
-
chance to … to do two things—one one,
it spreads our understanding more
-
consistently so we actually understand
what is going on in the country and can
-
make rational policy decisions at some
high level. It's also fascinating and we
-
get to preserve this anthropological
artifact of this really amazing parallel
-
development that has created … that
that exists of of what technology is
-
like in Korea. So, in that spirit,
let's talk about what's coming out.
-
Some of this I think is showing up on
BitTorrent links that are on this site
-
koreacomputercenter.org as we speak. The
first is a phone image—there's a system
-
partition and data partition recovery for
this phone, a Pyongyang 2407. This phone
-
was chosen because it's made by a Chinese
OEM, Gionee, which also creates the same
-
hardware in an Indian model. So if you've
got a friend in India at least, you can
-
get the Gionee V5—it's exactly the same
hardware and so these images can load onto
-
one of these phones and then you will also
be able to run this operating system. And
-
so rather than just doing static analysis
of what's there you can actually see how
-
that fits together and what actually
happens. How it works, that it does shut
-
down when a SIM card from a different
operator gets plugged in, these sorts of
-
things. So this is this is just I guess
I'll say the the basic phone system - it
-
doesn't include most apps but it's got a
bunch of the sort of operating system-
-
level copy controls. You can get your
hands on the the Red Star protection
-
things that were talked about last year.
The second thing for apps we're going to
-
turn to something a little bit older this
is the Samjiyon tablet which is one of the
-
first tablets that came out 2011-2012 era.
This was sort of at the beginning of
-
Korea's sort of introduction of widespread
consumer electronics, so it got circulated
-
quite a bit. It was a larger run of
devices than many of them. In fact so
-
widespread that there's there's one of
these devices in the Stanford library. And
-
so I guess the other thing I'll stress is
these devices are out there and it's a
-
matter of making sure that we're releasing
these in a way where it's just like this
-
is software but we're not necessarily
getting anyone in particular in trouble
-
because these devices we know are in a
bunch of places and the attribution
-
becomes hard at that point for
anyone to like, lose
-
contact or get in trouble. So there's
-
there's a basic set of apps that come
there. These are some of the icons there -
-
there's a nice one that has a bunch of
recipes. The the thing I'll say about
-
these - these were made for this specific
device and this is a thing that you'll see
-
I think throughout all the software if you
actually take a look at it. And so there's
-
a lot of hard-coded paths. So as well as
the APKs themselves you'll find that they
-
reference things that they expect to be in
specific parts of the SD card. Those files
-
are included, but it's unlikely that if
you just copy the APK onto a Android phone
-
it will be able to show you much content.
So it would be awesome if someone who
-
enjoys smali and wants to twiddle some paths
so that those can look for internal
-
resources instead, and lower that bar
further so that more people can play. I
-
think the other thing that's interesting
here is pretty much all of these apps use
-
their own specific binary format that's
like yet again this totally new thing
-
where it's like someone just coded some
totally one-off thing. And that's weird.
-
And the final thing is we're gonna release
a bunch of educational materials that seem
-
to sort of end up on these devices.
Education is one of the big purposes,
-
right? You're you're giving these to the
the children and teenagers who are
-
especially excited about technology and
one of the useful things that they can do
-
is use that for for their course material.
In getting a set of PDFs that are sort of
-
like usable, we ended up having to do some
work. I'm gonna turn over to Gabe to
-
explain sort of the process we went
through and getting this this last set of
-
the the textbooks that are
going to come out.
-
Gabe: Thanks, Will. So basically when I
got involved with this, the situation as
-
far as these textbooks was that we had
quite a few of these files. And there are
-
two things you could tell on the surface -
one is that they claim to be PDF files
-
based on the filename, and some of them
have titles in English or Korean -
-
that sort of suggests
-
what's inside. But what you see on the
screen is not what we saw because none of
-
these files were plain PDFs. So there's a
bit of sort of custom DRM that's been
-
applied to these files and it's pretty
rudimentary, but it's actually done kind
-
of a remarkably decent job of what we think
it was designed for. Which is that the the
-
textbooks that come with, or that are added
to one device, are not
-
supposed to be able to be accessed on a
different device. And as well so if you
-
pulled these PDF files out of the
device and sent them off outside the
-
country, they're not readable. Now one
thing I will say is that we know from some
-
of the previous talks on Red Star that
developers in and for the DPRK have
-
implemented actual AES-like encryption.
This is not that - it's fairly basic and
-
we did find some some holes in it. So talk
a little bit about what we did. So when we
-
look at these files, the first thing we
notice is that they don't have a PDF
-
header. The first eight bytes have this
reference or this potential reference
-
anyway to what might be a date in
little-endian format. So this might be
-
either December 1st or January 12th in
1978. If you have any idea what that
-
means, please let us know because we're
kind of curious. The next thing is that
-
when we started to look at the devices,
because we also had the the applications
-
that read these files, one of them has a
hard coded reference to those first four
-
bytes. And so when you look at what that
application was, we find that it's this
-
app called UDK.Android.Reader, which if
you go to the Google Play Store it's just
-
a commercially available PDF Reader app
for Android. But it's not really, because
-
it's been modified to implement the the
DRM that we're looking at here. So
-
basically, we took the the copy of the
reader that's available online, and one of
-
the copies on one of the devices, and
when we compare them we find that the
-
application calls out to a shared library
when it wants to parse a PDF file. That
-
library looks kind of like this
- these are the ELF sections in the file
-
and it's pretty normal. When we look at
the copy that's on the DPRK version of the
-
app, there's this one section added that
kind of jumps out - like it's literally
-
called dot-modified. So when you look into
what's in that section, we see something
-
like this - and this is really not going
to be legible both because of the size of
-
text and because it's decompiled from ARM.
But we have the original decompiled code
-
on the left, and the DPRK version on the
right. And the two things I just want to
-
highlight are - at the top the original
function that would be filling a buffer to
-
read the file has been replaced by a stub
that calls this sort of custom method in
-
the modified section. And this the version
that's over in the modified section does
-
basically the exact same thing, except
that in one case it will call another
-
function that does some decryption. And
there's some other things as well in the
-
modified section this is just sort of one
example. Now the reason that this is kind
-
of interesting to us is that it really
shows us that these modifications were not
-
made by someone who had source code.
Like this is kind of crazy low-level, not
-
crazy, but like it's it's really low-level
modification of the binary itself. So when
-
we look into those functions and what they
do, what we start finding is that the
-
shared library, the modified version of
the shared library, has this 512 bytes pad
-
which basically gets used over and over
again as part of the decryption process.
-
And one of the things about it is that for
different files you will start using it at
-
a different point. And there's also a four
byte key that's different for every file,
-
which comes from a combination of a few
bytes in the file header itself, and a
-
per-device key. So that per-device key is
kind of interesting. So they're taking,
-
well at the end of the day you want a four
byte key, and they're generating it out of
-
a six byte MAC address and the code that
they use kind of looks like this.
-
This is us reimplementing it
in Go. One of
-
the weird things about it is that some of
these devices may not actually have useful
-
MAC addresses so in some cases the MAC
address that it's using is actually just some
-
hard-coded value in a file. All the time
when it reads these MAC addresses it's
-
really just reading some code or some
text out of that system etc MAC address
-
file. So if you have that key, the process
to decrypt is really simple. You take that
-
key, you subtract some of the bytes - the
ones marked with Y, and you get your four
-
bytes to do a decryption. And the point in
the pad that I mentioned for this
-
starting offset is just that same value
interpreted as an integer mod 512 because
-
that's the length of the pad. In all the
examples we looked at, or as far as we
-
could tell, these headers only had keys
for like one device. But looking at the
-
the compiled code it looks like it might
be possible to have like one file that can
-
be decrypted by multiple different
devices. We just haven't actually seen a
-
file that is like that. So the way that it
actually does decryption is byte by byte
-
and this is a simplified view of what's
going on. We're releasing a tool that will
-
do this correctly and has all the details
in it but in a nutshell what you're doing
-
is you're doing a little bit of math to
figure out where you are starting from for
-
all these operations. And then for each
byte that you want to decrypt, you take
-
your encrypted byte, you subtract one of
the per-file bytes, and then you XOR the
-
whole thing with one of the bytes from
that 512 byte pad. So, the cool thing
-
about this from my point of view is that
this process is totally reversible. So if
-
you don't know your per-file key but you
do know what the plaintext should look
-
like, you can run this backwards. And it
looks kind of like that. So what if you just
-
get a bunch of these encrypted PDF files
and you have no idea what device they came
-
from and you just want to look at them?
You can also do it like this. It's really
-
quick to do; you basically
brute-force all of the potential
-
positions to be starting from, which
is really not that many because the
-
pad is not very big. And it's kind of a
known-plaintext attack.
-
The header of a PDF file always looks like %
PDF and then there's a version number. So
-
you take 4 bytes you calculate the per-
file key that you would need to to make
-
that decrypt to % PDF and then you take
the same per-file key and you see if it
-
would be able to decrypt the next section
to a version number, and wind up with a
-
valid header. And so we've done this for
all of the the files that we found, and
-
basically wound up with plain text for all
these. One of the things that we noticed
-
after decrypting these files is that many
of them have watermarks at the end - so if
-
we look back to the talks on Red Star OS
from the past years, Florian and Niklaus
-
did some work on understanding what the
watermark is. And if you want full details
-
look at those talks. But to summarize it -
every time that a file passes through a
-
desktop system or sometimes a file gets
modified the OS adds basically an
-
encrypted form of the hard drive serial
number. Now when releasing these files we
-
want to sort of obscure their origins and
not get any particular people into
-
trouble, so we remove all those watermarks
before releasing these. And that's pretty
-
simple because the way that this works
with PDF files is just that there's a
-
known line of text at the end of the file
that represents the end of the PDF, and
-
the Red Star always puts these watermarks
at the end so we just chop off the end. So
-
once we have this we have like over 300
files of really different kinds of things,
-
and we've kind of looked at some of them
but we're going to be releasing a torrent
-
with all of them and we'd really like to
see what people come up with - just you
-
know that that's in these files that we
have noticed.
-
Will: Have we looked at all of them?
Gabe: I mean yeah, we've had like a quick
-
look at some of them. I don't
speak Korean; you know some. There's
-
probably more to be found in that archive.
So a quick look at just a couple of
-
examples of things we found. There's many
different kinds of books on these devices
-
many of them are like computer science
books, there's general-purpose knowledge
-
kids textbooks. But because we want to
understand the state of technology in in
-
the DPRK, the part that's most interesting
to us right now is computer science
-
textbooks. So like two of the examples we
have are this Java programming book and
-
this computer science book. They've got
some awesome covers and really neat art in
-
some of them. But yeah, I'll hand that
back to to Will to actually talk about the
-
analysis of what we we found in these
books and sort of where they came from.
-
Will: Cool. Yeah, so maybe another quote
-
from from Kim Jong-il is appropriate,
saying that we need to be aware of the
-
information technology industry and we
need to meet the needs of the information
-
technology industry. And so I think one of
the things that that comes out of these
-
text books that that I think is sort of
interesting and this is the first benefit
-
is that this can help us understand sort
of where Korea is in terms of how much
-
emphasis its placing on this aspect. For a
lot of the educational materials, they
-
seem to be organically created, they seem
to be about the specific environment
-
there's a lot of training kids how to use
Red Star of various versions that you see.
-
The textbooks, many of them are translated
or follow a curriculum and a layout of
-
foreign external materials that have been
translated. So for some of the ones where
-
we could identify what the original source
was, we tried to calculate how long that
-
had taken, because we were actually
surprised that sometimes this was pretty
-
quick. So I'll show this waterfall graph -
each of these bars represents one book.
-
Some of the titles at the bottom they're
quite small and the the y-axis is the
-
year. The bottom is when the original
English version that was used seemed to
-
come out and and the top is when the
translation was released. And so what's
-
interesting here is you
see on the order of even the
-
same year sometimes a couple years
throughout this whole period of 2000 to
-
2010 where they're putting a bunch of
effort into taking four-hundred, five-
-
hundred page books. The the torrent of
these text books is four-some gigs, and
-
doing good translations fairly quickly.
These are like solid translations; the code
-
examples have often been changed, there are
comments in Korean in there. Like, this is
-
this is a solid effort that we should be
understanding and I think maybe partially
-
sort of fills this gap of like, what is
this disconnect between this very isolated
-
country and the fact that it has a really
strong computer capability. Cool, to end,
-
I just want to sort of give an anecdote
that maybe goes to the other side of this
-
anthropological value that we get out of
this sort of work. So you've heard about
-
Kwangmyong - this is the internal network
or Internet. And so from these educational
-
textbooks you start to get I think more
insight into sort of how this thing has
-
progressed over over time. Here's pictures
from 2001, I apologize for quality, this
-
was what was there of an early version of
Kwangmyong. This is Kwangmyong 5.1 which
-
looks sort of like AOL. It was a dial-up
application that would get you documents
-
and information. You also see at that same
time that there was an email sort of
-
corresponding app called "hey son" - I
think I got that pronunciation not too bad
-
that was used for messaging. We've heard
that there was a messaging system, we
-
didn't really have that connected to sort
of where that fit in to the puzzle. A
-
picture that seems to be that same sort of
Internal network ended up on the South
-
Korean internet around 2005. It got reused
by anonymous in 2013 when they claimed to
-
attack the Korean government servers, but
but then sort of that that turned out to
-
be false in that it was this original 2005
post that someone made. That seems to be a
-
similar system. And even in that 2005 post
they they had sort of also their web
-
component - that's the same logo
in the upper left as they moved
-
to sort of a web site
that we've now seen
-
evolved. It's worth noting here right
Kwangmyong is a single site - it's a
-
service for generally technical document
retrieval. Here's that same site now up to
-
the 2010-era looking a little bit nicer at
least at higher quality in the picture.
-
And so I think what we're starting to do
is we're getting these insights through
-
through seeing some of these more
documents coming out about what this
-
internal ecosystem actually looks like.
There are these these services that we can
-
start to link over time, understand what
sorts of files are available and the
-
specialties of these different groups, and
and preserve some of this internal network
-
that, you know, in this fairly unstable
environment, we're in danger of losing.
-
To bring us up to current time, this is
from 2015 - a sort of blurry picture from
-
a Koryolink office. Koryolink's the the
mobile telephony provider and to call out
-
that they now have the same set of services
on a poster advertising mobile service
-
with internal IPs to them. And so we're
seeing now that this is being introduced
-
at a wider availability and advertised to
people on their mobile devices. So we're
-
moving beyond just wired desktop
connections but this is now a thing that
-
more people are going to have access to on
personal devices. And so I think you know,
-
internally, we're in this really exciting
transitionary phase. I'm happy that that
-
more of this ends up in the public. So,
there's this site, koreacomputercenter - it
-
should already have some links, more will
show up very soon. If you are interested
-
we encourage you to go grab that stuff try
and make the bar lower. If you have
-
DPRK artifacts, info@
koreacomputercenter.org - we'd love to
-
talk to you, help make stuff safe, and get
more stuff out for public consumption. I
-
think we are about that time - are you
coming to kick us off; so we will take
-
questions across the hall in
the tea room. Thank you.
-
[Applause]
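The textbook DRM Gabe walks through in the talk (subtract a per-file key byte, XOR with a byte from a 512-byte pad, starting offset taken from the key mod 512) and the known-plaintext attack against it, reduced to a runnable model. This is an added example, not the speakers' own Go reimplementation or the tool released on koreacomputercenter.org. Its assumptions: the pad contents are constructed (the real pad lives in the modified shared library and is not reproduced), the key is read little-endian to derive the pad offset, the four key bytes are cycled as key[i%4] across the file, and the MAC-derived per-device key is not modeled at all, since the attack treats the per-file key as unknown and recovers it from the "%PDF-1.x" header. The version check and the "%%EOF" trailer chop for the Red Star watermark follow the talk's description.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const padLen = 512

// Stand-in for the 512-byte pad found in the modified shared library. The
// real pad is not reproduced; this one is generated deterministically so the
// example runs on its own (constructed data, not the real pad).
var pad = func() []byte {
	p := make([]byte, padLen)
	x := uint32(0x9E3779B9)
	for i := range p {
		x = x*1664525 + 1013904223 // LCG, only to fill the pad
		p[i] = byte(x >> 24)
	}
	return p
}()

// padStart derives the offset into the pad from the per-file key: the key
// read as an integer, mod 512. Reading it little-endian is an assumption.
func padStart(key [4]byte) int {
	return int(binary.LittleEndian.Uint32(key[:]) % padLen)
}

// decrypt applies the per-byte step from the talk: subtract a per-file key
// byte, then XOR with the pad byte at the running offset. Cycling the four
// key bytes as key[i%4] is this model's assumption.
func decrypt(ct []byte, key [4]byte, start int) []byte {
	pt := make([]byte, len(ct))
	for i, c := range ct {
		pt[i] = (c - key[i%4]) ^ pad[(start+i)%padLen]
	}
	return pt
}

// encrypt is the exact inverse; used here only to produce sample ciphertext.
func encrypt(pt []byte, key [4]byte) []byte {
	start := padStart(key)
	ct := make([]byte, len(pt))
	for i, p := range pt {
		ct[i] = (p ^ pad[(start+i)%padLen]) + key[i%4]
	}
	return ct
}

// recoverKey is the known-plaintext attack: for each of the 512 possible
// starting offsets, solve for the key that turns the first four bytes into
// "%PDF", then keep it only if the next four bytes decrypt to a plausible
// version marker ("-1." followed by a digit).
func recoverKey(ct []byte) (key [4]byte, start int, err error) {
	if len(ct) < 8 {
		return key, 0, errors.New("ciphertext too short for a PDF header")
	}
	magic := []byte("%PDF")
	for start = 0; start < padLen; start++ {
		for i := 0; i < 4; i++ {
			key[i] = ct[i] - (magic[i] ^ pad[(start+i)%padLen])
		}
		v := decrypt(ct[:8], key, start)[4:]
		if v[0] == '-' && v[1] == '1' && v[2] == '.' && v[3] >= '0' && v[3] <= '9' {
			return key, start, nil
		}
	}
	return key, 0, errors.New("no offset yields a valid PDF header")
}

// stripTrailer removes whatever follows the final "%%EOF" marker, which is
// where the talk says Red Star appends its hard-drive-serial watermark.
func stripTrailer(pdf []byte) []byte {
	i := bytes.LastIndex(pdf, []byte("%%EOF"))
	if i < 0 {
		return pdf
	}
	return pdf[:i+len("%%EOF")]
}

func main() {
	key := [4]byte{0x1f, 0x8a, 0x03, 0xc4} // per-file key, normally unknown
	// Constructed sample: a minimal PDF with a fake watermark appended.
	pdf := []byte("%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
	ct := encrypt(append(pdf, "\x00\x01watermark"...), key)
	k, start, err := recoverKey(ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered key %x, pad offset %d (expected %d)\n", k, start, padStart(key))
	fmt.Printf("%q\n", stripTrailer(decrypt(ct, k, start)))
}
```

The search space is only 512 offsets because the pad is short; each candidate offset fixes the key from the four known bytes, and the version marker is what rejects the wrong ones. If the real scheme lets one header carry keys for several devices, as the compiled code hinted, the same attack applies per key slot.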
-
34c3 postroll
-
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!