The Democratic People's Republic of Korea, or as most of you know it, North Korea, is a topic which has already been following us at Congress for four years. It all started at 31C3 with Will Scott, one of our speakers today, giving a talk about teaching computer science in North Korea. The topic was then carried on by Florian Grunow and Niklaus Schiess, who talked about Red Star OS and also the tablet PC called Woolim. Today we will hear the next episode: we will hear about consumer electronics in North Korea. We will take a peek behind the curtain and learn about the internet and the current market situation there. Our speakers today are Will Scott, a security postdoc, as well as his friend Gabe Edwards, security consultant, and they will give us a peek behind the curtain. So please welcome Will and Gabe with a big round of applause. Thank you for being here already.

Thank you. Great. So, just to put this in perspective, one of the disclaimers is that the words that get used, especially on this topic, often have a lot of meaning. There is a reason that we will be calling this the DPRK or Korea throughout. That's often the word used by people who are dealing with engagement with the country. "North Korea" is a term that the country does not call itself, but rather is what typically more adversarial countries use to talk about it as an occupying presence. So that language is this weird quirk that exists here. So, yeah, we're going to talk some about what consumer technology looks like, how it's evolving and what's going on there. I think we're pretty excited about this.

I want to start by setting a little bit of context. This is the Science and Technology Complex that opened in 2015. It's on an island in a river to the south side of Pyongyang; it's still in the main city. There was a pretty major construction project; it went on for about a year before they opened this. In the lobby they've got this nice diorama of what the building looks like. This is the rest of the lobby.
It looks pretty modern. They have this sort of plain pastel scheme that you actually see a lot in modern architectural construction there. So if you go into the new water park or the boat restaurant that they've built in the last couple of years, you see the same design styling. This building is part science museum: it has a bunch of sort of interactive exploratory exhibits that you might have a class of children come through to learn from. It also has lecture halls, and it also has a library. And when you look at the parts of it that are the library, you see a ton of computers, right? Technically, there is technology here. And the thing that is really, I think, fascinating and revealing about where we are in terms of our understanding of this country is that you look at these computers and yet again we see this thing that doesn't look familiar. This isn't Red Star. It's not quite anything that looks like the tablets we've seen. That's a desktop monitor, and it's not Windows or Mac. It's yet again something new. And in fact, playing with this, you find that it is Android that's been put in this custom bezel. It has a keyboard and mouse, but it's got an Android taskbar at the top to let you know what apps are there. And it's yet another special case where they have customized the distribution so that it works for this purpose. And I think for each one of these that maybe we have seen, there are many more that we haven't.

So I want to just get us up to speed on what we do know, to start with. We've seen Red Star. This is version 3. It was three years ago that we learned about Red Star version 3, this thing that's sort of Mac-like. There have actually been a couple of other versions that have ended up on the internet that we know stuff about, and we have at some level a better picture of what the desktop technology looks like. We've seen version 2.5, which looks somewhat Windows-like.
There's been a release of the server version that runs some of the web servers from the country. And then two years ago, in Florian and Niklaus' talk, they actually went in and did a bunch of analysis of it, along with, on the internet, blog posts of other people who've posted CVEs of various bugs that they found in this, figured out how to make it run on the external internet by changing firewall rules, and really just learned a lot about both the environment that this thing was working in and the properties of it.

We have a bit less on the mobile side. So this is what a store in Korea, in Pyongyang, sort of looks like. Those are laptops on the left, tablets and phones on the right, for sale. We got a talk last year, again from Niklaus and Florian, about the Woolim tablet; I think that's actually maybe on the second row in this picture. And we got a sense of some of the information controls there in particular, right? So what they talked about was how this thing prevents some types of file copies and transferring, and some of the sort of surveillance things that are built into it. But again, we didn't get too much in terms of hardware to bite our teeth into. Finally, there's this next layer up, the software ecosystem. This is an app store, again in Korea. You go to a place and they have, this is a nice one where they've got pictures so I can see which games are for sale. They'll then plug a device into a computer and transfer apps onto the device. And so we get all of this and we have mostly anecdotes that are helping us sort of get small pictures. And I think the real problem, right, is there are all these devices. This is an example of a few. And we really, I think, are quite far behind in having that bar lowered for people to play with and understand what these things are.
So what I want to do to try and explain that situation that we're in is talk about why we're there and the different sort of general groups of where these devices end up. I realize that that's talking about motives, and that is often the way that you get people mad at you, if you try and ascribe some motivation to them that they disagree with. So realize that these are broad strokes and not really indicative of everyone, but this gives you some sense of why we've still ended up not knowing much publicly.

Maybe there's a quote from, this is from Kim Jong-il, that's relevant and says, you know, Koreans are quite an intelligent people and even in computer technology we excel. I think this is something that we maybe don't appreciate when we're thinking about this. It is rational for Korea to not want this stuff to come out, right? They are worried about adversarial governments trying to leverage whatever they can. It seems rational that it's in their best interest to make it difficult for this stuff to get out and for people to be able to attack them with it. That's what we've seen: against that threat model, well-implemented copy control and other sorts of limitations on the devices.

In terms of foreigners who have access to these devices, I think there are sort of two classes. What we saw in the talk last year was a device that came out through a defector group. So you've got someone who left with this device and now is trying to figure out what's on it. And that is this adversarial relationship where the goal there is to do damage to the country, and so there's much more value in having zero-days than there is in releasing this, because then the security gets fixed. And so you'll see that, you know, for any device that comes out there, there's really this sensitivity, both in terms of not wanting to identify people but also in, well, if we find anything, to do something with it.
I think in fact there are many more devices that don't come out that way but that are held by foreigners who are working constructively with the country. And for them the reason is somewhat different, and I think the reason for them is in many cases that they're worried about sort of the unknown unknowns: could someone get in trouble, will this result in my connection to the country getting disrupted, the people I like and work with getting in trouble because they've given me the device that I've done something reckless with. So we can see from a bunch of individual perspectives why we don't have more of this technology out there. We can also understand that, as the public, this creates this weird thing where we're all fascinated but don't have access, and that, I think, also in the spirit of, for Korea, this isn't great, because the bugs go unpatched and they don't get better security. So this is the electronic goods store at the airport, which somewhat counterintuitively doesn't actually sell the tablets to foreigners, but they do have some.

What we're going to talk about for the rest of this talk is an effort that I guess we're sort of putting out on the web called KoreaComputerCenter.org, where we're going to try and release a bit more of this technology, and I'm going to talk through the three initial things that we're going to put up there that we hope people play with. And this is in the spirit that we think this makes life better both for Korea and for the outside world.
For Korea, the same thing I was just saying: I think you get better security in the long run. I think as a community we understand the value of open source software and of having many eyes audit and find the bugs; we've already seen that on the artifacts that have gotten out. For us, I think it's a great chance to do two things. One, it spreads our understanding more consistently, so we actually understand what is going on in the country and can make rational policy decisions at some high level. It's also fascinating, and we get to preserve this anthropological artifact of this really amazing parallel development that exists of what technology is like in Korea.

So in that spirit, let's talk about what's coming out. Some of this, I think, is showing up on BitTorrent links that are on this site, KoreaComputerCenter.org, as we speak. The first is a phone image. There's a system partition, a data partition and a recovery for this phone, a Pyongyang 2407. Because it's made by a Chinese OEM, Gionee, which also creates the same hardware in an Indian model, if you've got a friend in India at least, you can get the Gionee V5; it's exactly the same hardware. And so these images can load onto one of these phones, and then you will also be able to run this operating system, and so rather than just doing static analysis of what's there and how that fits together, you can see what actually happens, how it works, that it does shut down when a SIM card from a different operator gets plugged in, these sorts of things. So this is just, I guess I'll say, the basic phone system. It doesn't include most apps, but it's got a bunch of the sort of operating-system-level copy controls; you can get your hands on the Red Star protection things that were talked about last year.

The second thing, for apps, we're going to turn to something a little bit older. This is the Samjiyon tablet, which is one of the first tablets that came out, 2011-2012 era. This was sort of at the beginning of Korea's sort of introduction of widespread consumer electronics, so it
got circulated quite a bit. It was a larger run of devices than many of them, in fact so widespread that there's one of these devices in the Stanford library. And so I guess the other thing I'll stress is that it's a matter of making sure that we're releasing these in a way where it's just like, this is software, but we're not necessarily getting anyone in particular in trouble, because these devices we know are in a bunch of places, and the attribution becomes hard at that point for anyone to lose contact or get in trouble. So there's a basic set of apps that come there. These are some of the icons. There's a nice one that has a bunch of recipes. The thing I'll say about these is that they were made for this specific device, and this is a thing that you'll see, I think, throughout all the software if you actually take a look at it, and so there are a lot of hard-coded paths. So as well as the APKs themselves, you'll find that they reference things that they expect to be in specific parts of the SD card. Those files are included, but it's unlikely that if you just copy the APK onto an Android phone it will be able to show you much content. So it would be awesome if someone who enjoys smali wants to twiddle some paths so that those can look for internal resources instead, and lower that bar further so that more people can play. I think the other thing that's interesting here is that pretty much all of these apps use their own specific binary format. That's yet again this totally new thing, where it's like someone just coded some totally one-off thing that's weird.

And the final thing is we're going to release a bunch of educational materials that seem to sort of end up on these devices. Education is one of the big purposes, right? You're giving these to the children and teenagers who are especially excited about technology, and one of the useful things that they can do is use that for their course material. In getting a set of PDFs that are sort of usable, we ended up having to do some work. I'm going to
turn it over to Gabe to explain sort of the process we went through in getting this last set of the textbooks that are going to come out.

So basically, when I got involved with this, the situation as far as these textbooks was that we had quite a few of these files, and there are two things you can tell on the surface. One is that they claim to be PDF files, based on the file name, and some of them have titles in English or Korean that sort of suggest what's inside. But what you see on the screen is not what we saw, because none of these files were playing as PDFs. So there's a bit of sort of custom DRM that's been applied to these files, and it's pretty rudimentary, but it's actually done a kind of remarkably decent job of what we think it was designed for, which is that the textbooks that come with, or that are added to, one device are not supposed to be able to be accessed on a different device; and as well, if you pull these PDF files out of the device and send them off outside the country, they're not readable. Now, one thing I will say is that we know from some of the previous talks on Red Star that developers in and for the DPRK have implemented actual AES-like encryption. This is not that. It's fairly basic, and we did find some holes in it, so I'll talk a little bit about what we did.

So when we look at these files, the first thing we notice is that they don't have a PDF header. The first 8 bytes have this reference, or this potential reference anyway, to what might be a date in little-endian format. So this might be either December 1st or January 12th in 1978; if you have any idea what that means, please let us know, because we're kind of curious. The next thing is that when we started to look at the devices, because we also had the applications that read these files, one of them has a hard-coded reference to those first 4 bytes. And so when you look at what that application was, we find that it's this app called udk.android.reader, which, if you go to the Google Play Store, is just a
commercially available PDF reader app for Android. But it's not really, because it's been modified to implement the DRM that we're looking at here. So basically we took the copy of the reader that's available online and one of the copies on the devices, and when we compare them, we find that the application calls out to a shared library when it wants to parse a PDF file. That library looks kind of like this: these are the ELF sections in the file, and it's pretty normal. When we look at the copy that's in the DPRK version of the app, there's this one section added that kind of jumps out; it's literally called .modified. So when you look into what's in that section, we see something like this. This is really not going to be legible, both because of the size of the text and because it's decompiled from ARM, but we have the original decompiled code on the left and the DPRK version on the right. The two things I just want to highlight are, at the top, the original function that would be filling a buffer to read the file has been replaced by a stub that calls this sort of custom method in the modified section, and the version that's over in the modified section does basically the exact same thing, except that in one case it will call another function that does some decryption, also in the modified section. This is just sort of one example. Now, the reason that this is kind of interesting to us is that it really shows us that these modifications were not made by someone who had source code. This is kind of crazy low-level, not crazy, but it's really low-level modification of the binary itself.

So when we look into those functions and what they do, what we start finding is that the modified version of the shared library has this 512-byte pad, which basically gets used over and over again as part of the decryption process. One of the things about it is that for different files you will start using it at a different point, and there's also a 4-byte key that's different for every file
which comes from a combination of a few bytes in the file header itself and a per-device key. So that per-device key is kind of interesting. So they're taking, well, at the end of the day you want a 4-byte key, and they're generating it out of a 6-byte MAC address, and the code that they use kind of looks like this; this is us re-implementing it in Go. One of the weird things about it is that some of these devices may not actually have useful MAC addresses, so in some cases the MAC address is using some hard-coded value in the file all the time. When it reads these MAC addresses, it's really just reading some code, or some text, out of that /system/etc MAC address file. So if you have that key, the process of decryption is really simple. You take that key, you subtract some of the bytes, the ones marked with Y, and you get your 4 bytes that you will use for decryption. And the point in the pad that I mentioned, like its starting offset, that is just that same value interpreted as an integer mod 512, because that's the length of the pad. In all of the examples we looked at, or as far as we could tell, these headers only had keys for like one device, but looking at the compiled code it looks like it might be possible to have like one file that could be decrypted by multiple different devices; we just haven't actually seen a file that is like that.

So the way that it actually does decryption is byte by byte, and this is a simplified view of what's going on. We're releasing a tool that will do this correctly and has all the details in it, but in a nutshell, what you're doing is you're doing a little bit of math to figure out where you are starting from for all these operations, and then for each byte that you want to decrypt, you take your encrypted byte and you extract one of the profile bytes, and then you XOR the whole thing with one of the bytes from that 512-byte pad. So the cool thing about this, from my point of view, is that this process is totally reversible. So if you don't know your profile key but you
do know what the plaintext should look like, you can run this backwards, and it looks kind of like that. So what if you just get a bunch of these encrypted PDF files and you have no idea what device they came from and you just want to look at them? You can also do it like this. It's really quick to do. You basically brute-force all of the potential positions to be starting from, which is really not that many because the pad is not very big, and it's kind of a known-plaintext attack: the header of a PDF file always looks like percent sign PDF, so you take four bytes, you calculate the profile key that you would need to make that decrypt to %PDF, and then you take the same profile key and you see if it would be able to decrypt the next section to a version number and wind up with a valid header. And so we've done this for all of the files that we found and basically wind up with plaintext for all of these files.

One of the things that we noticed after decrypting these files is that many of them have watermarks at the end. So if we look back to the talks on Red Star OS from the past years, Florian and Niklaus did some work on understanding what the watermark is, and if you want full details, look at those talks. But to summarize it, every time that a file passes through a desktop system, sometimes if the file gets modified, the OS adds basically an encrypted form of the hard drive serial number. Now, when releasing these files, we want to sort of obscure their origins and not get any particular people into trouble, so we removed all those watermarks before releasing these. And that's pretty simple, because the way that this works with PDF files is just that there's a known line of text at the end of the file, and Red Star always puts these watermarks at the end, so we just chop off the end. So once we have this, we have over 300 files of really different kinds of things, and we've kind of looked at some of them, but we're going to be releasing a torrent with all of them and
we'd really like to see what people come up with. Just what's in these files that we have noticed: we've looked at all of them, we've had a quick look at some of them, but I don't speak Korean, you know, so there's probably more to be found in that archive. So a quick look at just a couple of examples of things we found. There are many different kinds of books on these devices; many of them are like computer science books, there's general-purpose knowledge, kids' textbooks. But because we want to understand the state of technology in the DPRK, the part that's most interesting to us right now is computer science textbooks. So two of the examples we have are this Java programming book and this computer science book. They've got some awesome covers and really neat art in some of them. But yeah, I'll hand that back to Will to actually talk about the analysis of what we found in these books and sort of where they came from.

Cool. Yeah, so maybe another quote from Kim Jong-il is appropriate, saying that we need to be aware of the information technology industry and we need to meet the needs of the information technology industry. And so I think one of the things that comes out of these textbooks that I think is sort of interesting, and this is the first benefit, is that this can help us understand sort of where Korea is in terms of how much emphasis it's placing on this aspect. A lot of the educational materials seem to be organically created; they seem to be about the specific environment. There's a lot of training kids how to use Red Star of various versions that you see in the textbooks. Many of them are translated, or follow the curriculum and layout of foreign external materials that have been translated. So for some of the ones where we could identify what the original source was, we tried to calculate how long that had taken, because we were actually surprised; sometimes this was pretty quick. So I'll show this waterfall graph. Each of these bars represents one book, some of the titles
at the bottom; they're quite small. And the y-axis is the year. The bottom is when the original English version that was used seemed to come out, and the top is when the translation was released. And so what's interesting here is you see on the order of even the same year, sometimes a couple of years, throughout this whole period of 2000 to 2010, where they're putting a bunch of effort into taking 400-500 page books (the torrent of these textbooks is some gigs) and doing good translations fairly quickly. These are solid translations; the code examples have often been changed, there are comments in Korean in there. This is a solid effort that we should be understanding, and I think maybe it partially sort of fills this gap of what is this disconnect between this very isolated country and the fact that it has a really strong computer capability.

Cool. To end, I just want to sort of give an anecdote that maybe goes to the other side of this anthropological value that we get out of this sort of work. So you've heard about Kwangmyong; this is the internal network or intranet. And so from these educational textbooks you start to get more insight into sort of how this thing has progressed over time. Here are pictures from 2001, I apologize for the quality; this was what was there of an early version of Kwangmyong. This is Kwangmyong 5.1, which looks sort of like AOL. It was a dial-up application that would get you documents and information. You also see at that same time that there was a corresponding email app, I think I got that pronunciation not too bad, that was used for messaging. We've heard that there was a messaging system; we didn't really have that connected to sort of where that fit in to the puzzle. A picture that seems to be that same sort of internal network ended up on the South Korean internet around 2005. It got reused by Anonymous in 2013 when they claimed to attack Korean government servers, but then sort of that turned out to be false and that it was this original 2005 post that
someone made that seems to be a similar system. And even in that 2005 post they had sort of also their web component; that's the same logo in the upper left as they've moved to sort of a website that we've now seen evolve. It's worth noting here that Kwangmyong is a single site; it's a service for generally technical document retrieval. Here's that same site now, up to the 2010 era, looking a little bit nicer, at least at higher quality in the picture. And so I think what we're starting to do is we're getting these insights, through seeing some of these more documents coming out, about what this internal ecosystem actually looks like. There are these services that we can start to link over time, understand what sorts of files are available and the specialties of these different groups, and preserve some of this internal network that, in the environment we're in, is in danger of being lost.

To bring us up to current time, this is from 2015, a sort of blurry picture from a Koryolink office. Koryolink is the mobile telephony provider. And to call out that they now have the same set of services on a poster advertising mobile service, with internal IPs to them. And so we're seeing now that this is being introduced at wider availability and advertised to people on their mobile devices, beyond just wired desktop connections. This is now a thing that more people are going to have access to on personal devices. And so I think, you know, internally we're in this really exciting transitionary phase. I'm happy that more of this ends up in the public.

So there's the site, KoreaComputerCenter.org. It should already have some links; more will show up very soon. If you are interested, we encourage you to go grab that stuff, try and make the bar lower. If you have DPRK artifacts, info@KoreaComputerCenter.org, we'd love to talk to you, help make stuff safe and get more stuff out for public consumption. I think we are about at time. Are you coming to kick us off? So we will take questions across the hall in the tea room.
Thank you.
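The textbook DRM that Gabe walks through in the talk (a constant 512-byte pad in the patched reader library, a 4-byte per-file key combined from header bytes and a per-device key derived from the MAC address, a pad start offset equal to that key taken mod 512, a byte-wise subtract-then-XOR transform, and the known-plaintext recovery against the %PDF header), modelled below as an added Python example by the editor. This is not the speakers' code, not their Go re-implementation and not the tool they released: the pad contents, the MAC-to-key folding, the 8-byte header layout and the exact arithmetic are assumptions chosen only to match the shape the talk describes, and the sample PDF, MAC address and watermark are constructed. The watermark stripping at the end models the "chop off everything after the PDF's known last line" step.

```python
"""Editor's model of the textbook DRM described in the talk.

Not the speakers' code. Only the shape is taken from the talk: a 512-byte
pad, a 4-byte per-file key built from header bytes and a per-device key,
a start offset of key mod 512, and a byte-wise subtract-then-XOR. The pad,
the MAC folding, the header layout and the exact arithmetic are ASSUMED.
"""
import hashlib
from typing import Optional

PAD_LEN = 512
# Constructed stand-in for the constant pad embedded in the modified library.
PAD = hashlib.shake_256(b"constructed pad for the editor's example").digest(PAD_LEN)
HEADER_LEN = 8  # the talk mentions an 8-byte header; its layout here is assumed


def device_key_from_mac(mac: str) -> bytes:
    """ASSUMED folding of the 6 MAC bytes into the 4-byte per-device key."""
    m = bytes.fromhex(mac.replace(":", ""))
    if len(m) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([m[0] ^ m[4], m[1] ^ m[5], m[2], m[3]])


def file_key(header: bytes, dev_key: bytes) -> bytes:
    """Per-file key: header profile bytes minus the device key, byte-wise mod 256.
    Which header bytes take part is assumed here (the first four)."""
    return bytes((header[i] - dev_key[i]) & 0xFF for i in range(4))


def start_offset(key: bytes) -> int:
    """Pad start position: the key read as a little-endian integer, mod the pad length."""
    return int.from_bytes(key, "little") % PAD_LEN


def transform(data: bytes, key: bytes, encrypt: bool) -> bytes:
    """Byte-wise transform. Decrypt: (c - key[i % 4]) ^ PAD[(start + i) % 512].
    Encrypt is the exact inverse, which is what lets the scheme run backwards."""
    s = start_offset(key)
    out = bytearray(len(data))
    for i, b in enumerate(data):
        p = PAD[(s + i) % PAD_LEN]
        k = key[i % 4]
        out[i] = ((b ^ p) + k) & 0xFF if encrypt else ((b - k) & 0xFF) ^ p
    return bytes(out)


def protect(pdf: bytes, profile: bytes, dev_key: bytes) -> bytes:
    """Wrap a PDF for one device: 4 profile bytes + 4 constructed filler bytes, then the body."""
    header = profile[:4] + b"\x00" * (HEADER_LEN - 4)
    return header + transform(pdf, file_key(header, dev_key), True)


def unprotect(blob: bytes, dev_key: bytes) -> bytes:
    """Decrypt with the device key, as the patched reader would on its own device."""
    return transform(blob[HEADER_LEN:], file_key(blob[:HEADER_LEN], dev_key), False)


def recover_key(blob: bytes, known: bytes = b"%PDF-1.") -> Optional[bytes]:
    """Known-plaintext attack with no device key at all.
    For each of the 512 candidate start offsets, solve the 4 key bytes that map
    the first 4 ciphertext bytes to '%PDF', keep only a candidate whose own
    start offset is that offset, and confirm it also yields the version prefix."""
    body = blob[HEADER_LEN:]
    for s in range(PAD_LEN):
        key = bytes((body[j] - (known[j] ^ PAD[(s + j) % PAD_LEN])) & 0xFF for j in range(4))
        if start_offset(key) == s and transform(body[:len(known)], key, False) == known:
            return key
    return None


def strip_trailer(pdf: bytes, marker: bytes = b"%%EOF") -> bytes:
    """Drop anything appended after the final %%EOF line, where the talk says
    the Red Star desktop watermark is appended."""
    i = pdf.rfind(marker)
    if i < 0:
        return pdf
    end = pdf.find(b"\n", i)
    return pdf if end < 0 else pdf[:end + 1]


if __name__ == "__main__":
    dev = device_key_from_mac("02:00:5e:10:00:01")  # constructed MAC
    sample = b"%PDF-1.4\n%constructed sample body\n%%EOF\n" + b"WATERMARK"  # constructed
    blob = protect(sample, b"\x10\x20\x30\x40", dev)
    recovered = recover_key(blob)  # no device key needed
    print(recovered == file_key(blob[:HEADER_LEN], dev))
    print(strip_trailer(transform(blob[HEADER_LEN:], recovered, False)))
```

Because the candidate key is derived from the ciphertext and the guessed offset, the search costs 512 small trials regardless of file size, and the self-consistency check (the recovered key must itself select the offset it was solved at) rules out almost all wrong offsets before the version-prefix check runs.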