27 Jan 2016

Analysis of North Korea's computer system reveals spy files

The first in-depth analysis of North Korea's internal computer operating system has revealed extensive spying tools capable of tracking documents shared offline and deleting suspicious files without permission, according to two German researchers.

The system, Red Star OS, was designed by the notoriously secretive state to superficially mimic Apple's OS X, but hidden extra features allow it to watermark files copied onto the computer and link them permanently to a user.

The covert tools were discovered by Florian Grunow and Niklaus Schiess, who presented their findings yesterday at the Chaos Communication Congress tech conference in Hamburg.

Mr Grunow and Mr Schiess, from German IT security company ERNW GmbH, spent a month poring over the code of Red Star OS version 3.0, which was first leaked about a year ago.

The system's coders "did a pretty good job" of mimicking the basic design and functionality of Apple computers, Mr Grunow tells the BBC, but with a twist.

Any files copied onto the system via a USB stick or other storage device can be watermarked, allowing the state to trace the journey of that file from machine to machine. Red Star can also identify undesirable files and delete them without permission.

'Far more sophisticated'

The watermarking function was designed in response to the proliferation of foreign films and music being shared offline, says Mr Grunow. Sharing files by USB stick is a headache for spy-states such as North Korea, as it makes it more difficult to identify who is doing the sharing.

"It enables you to keep track of where a document hits Red Star OS for the first time and who opened it in the chain. Basically, it allows the state to track documents," he says.

The system links files to the machine's individual serial number, although it is not known how easily the state can link those serial numbers to the machine's users. One way would be registering the number at the point of purchase.
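A simplified model of the chain-tracking property described above, added here as an illustration; it is not Red Star's actual watermark format and not the researchers' code. Each machine that handles a file appends a tag derived from its serial number, and whoever holds a registry mapping tags to serials can read the file's journey back. The marker bytes, the tag derivation and the registry are all assumptions made for the example.

```python
import hashlib

# Hypothetical watermark format for this example: each machine that handles a
# file appends a 16-byte tag followed by a 4-byte marker. This is NOT the
# real Red Star OS watermark layout, which the article does not describe.
MAGIC = b"WMv1"
TAG_LEN = 16
RECORD_LEN = TAG_LEN + len(MAGIC)


def machine_tag(serial: str) -> bytes:
    """Derive a fixed-size, non-reversible tag from a machine serial number.

    A hash is used so the tag alone does not reveal the serial; linking it back
    to a person requires a registry such as the point-of-purchase record the
    article speculates about.
    """
    return hashlib.sha256(serial.encode("utf-8")).digest()[:TAG_LEN]


def parse_chain(data: bytes) -> tuple[bytes, list[bytes]]:
    """Split a file into its original payload and the ordered list of tags.

    Records are read from the end of the file, so the first tag in the returned
    list belongs to the machine where the file first hit the system.
    """
    tags: list[bytes] = []
    while len(data) >= RECORD_LEN and data.endswith(MAGIC):
        tags.insert(0, data[-RECORD_LEN:-len(MAGIC)])
        data = data[:-RECORD_LEN]
    return data, tags


def watermark(data: bytes, serial: str) -> bytes:
    """Append this machine's tag unless it is already the most recent one.

    Idempotence matters: opening a file twice on the same machine should not
    produce two records, or the chain would misrepresent the file's journey.
    """
    tag = machine_tag(serial)
    _, tags = parse_chain(data)
    if tags and tags[-1] == tag:
        return data
    return data + tag + MAGIC


def is_watermarked(data: bytes) -> bool:
    """Cheap check a user could run over the contents of a USB stick."""
    return len(parse_chain(data)[1]) > 0


def trace(data: bytes, registry: dict[bytes, str]) -> list[str]:
    """Resolve the chain of tags to serials using a registry (tracker's view).

    Tags missing from the registry are reported as 'unknown' rather than
    dropped, so the length of the chain stays visible.
    """
    _, tags = parse_chain(data)
    return [registry.get(t, "unknown") for t in tags]


def demo() -> list[str]:
    # Constructed sample: a document passed from machine SN-A to SN-B on a USB
    # stick, opened twice on SN-B, then on SN-C, which the registry does not know.
    doc = b"%PDF-1.4 constructed sample document"
    f = watermark(doc, "SN-A")
    f = watermark(f, "SN-B")
    f = watermark(f, "SN-B")
    f = watermark(f, "SN-C")
    registry = {machine_tag("SN-A"): "SN-A", machine_tag("SN-B"): "SN-B"}
    payload, _ = parse_chain(f)
    assert payload == doc  # the watermark does not alter the document body
    return trace(f, registry)


if __name__ == "__main__":
    print(demo())  # ['SN-A', 'SN-B', 'unknown']
```

Run it and the trace comes back as ['SN-A', 'SN-B', 'unknown']: the tracker learns where the document entered the system and that it then passed through one registered and one unregistered machine. The model's weaknesses are also instructive. A payload that happens to end in the marker bytes would be misparsed (a real format would need a length field or checksum), and anyone who can strip the trailer defeats the tracking entirely, which is one reason a system built for this purpose also has to stop its users from modifying it.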

"I guess buying a computer in North Korea is not like buying something off the shelf in Europe, you may have to register with your ID. But that is speculation," Mr Grunow says.

One element puzzling Mr Grunow is the discovery of an extended version of the watermarking software which he and Mr Schiess do not fully understand, but which he says may help identify individual users.

"What we have seen is the basic watermarking, but we found evidence of an extended mechanism that is far more sophisticated, with different cryptography," he says.

"It could be that this file is your individual fingerprint and they register this fingerprint to you, and that could help them track down individual users."

Red Star also makes it nearly impossible for users to modify the system for their benefit. Changes such as an attempt to disable its antivirus software or internet firewall will be detected and prompt the system to reboot.

Watermarking free speech

The idea for an internal operating system was first conceived by Kim Jong-il, according to Mr Grunow. "He said North Korea must create their own operating system and that is what they've done.

"If you look at North Korea, Red Star resembles how the state is operating. It's pretty locked down, they focus on integrity a lot and they have mechanisms to track users."

As with many things about the world's most insular state, the extent to which Red Star is used in North Korea is not known. It is likely installed in libraries and other public buildings, says Mr Grunow, where operating systems can be decided by the state.

Red Star was built using Linux, a free and open-source platform which can be modified at will, and was designed that way to make it as accessible as possible. There is an inherent irony in North Korea's use of the system, says Mr Grunow.

"They are using a system that was built to promote free speech, and they are abusing it by watermarking free speech," he says.

More ironic still is the name of the file used by Red Star to hunt for suspicious files on the machine: "The pattern file we found which is used by the so-called anti-virus software is called Angae," says Mr Grunow.

"That translates to fog or mist - as in, to obfuscate or not be transparent. We have no idea why they picked this name, but it fits, doesn't it?"

http://www.bbc.co.uk/news/world-asia-35188570