North Korea is not only famous for chocolate, but for being a surveillance state, and a good surveillance state has to have its own operating system, because how will you do proper surveillance without your own operating system? Today we get a brief introduction to how Red Star OS is working. The introduction will have a specific focus on the custom code which was inserted for surveillance, and especially how to get around it. So please welcome Florian and Niklaus with a big round of applause.

Hey everybody, thanks for having us. We are going to give you a deep dive into Red Star OS. Actually, we were kind of surprised that there is not so much information on the net about really the core of Red Star and what it is doing, so we thought we would change this and give you an insight into how this operating system works. By looking into the technical aspects of Red Star you can also draw conclusions about how development in North Korea is evolving and is maybe catching up.

So what we're going to talk about is, first of all, a short introduction into the motivation: why are we doing this? We are going through the architecture of Red Star. We are going to show you the components in the core, in the operating system itself, and then we will take a deep dive into the additional components, all of the programs that are coming from North Korea and are supplied with the ISO of Red Star OS. After that we are going to give you a deep dive into the most interesting features of Red Star OS, and then we will be able to draw our own conclusions, and afterwards we will have time for questions. By the way, this picture on the left that you can see here is actually, I think, a screensaver right from Red Star OS.

Okay, so before we begin we need to do this disclaimer. For your information, we have never visited DPRK.
We have never been to North Korea. All we know about North Korea is from public sources, from the Internet, from media, whatever. So what we are going to say about North Korea has to be speculation, because we don't know exactly what happens in North Korea. Also, the ISOs that we have been analyzing are found publicly available on the Internet. Maybe they are fake; we don't think that they are fake, because Will Scott has shown last year at 31C3 how Red Star looks, and everything that he has been showing is basically in the ISO, so we think it is legit.

Remember that we are not going to make fun of anybody in this talk. We're not going to make fun of the developers, and we are certainly not going to make fun of the people in DPRK. We think that our presentation might have some funny aspects or something that makes you laugh, which is perfectly fine, but looking at Red Star in detail is kind of like... it's a surveillance mess, I would say, and it's a security or a privacy nightmare, so keep these aspects in mind. Also, this talk is not going to focus on security. We're not going to talk about security; many of the publications that are available on the Internet are about security, and we are not going to focus on this in this presentation.

So why are we doing this? Red Star ISOs have been leaked some time ago. There is a version 2 hanging around the Internet and there is obviously a version 3.0, which has been leaked at the end of 2014, and we were quite surprised in the middle of the year that there is no in-depth analysis of this operating system. Most of the blogs and news articles that you can find out there are quite superficial, and this is kind of surprising, because if there is some kind of state that doesn't put focus on transparency and free speech, and they are putting out an operating system, actually you kind of want to know how they build their operating system.
So that was one of the major aspects for us to look into it. The other aspect was to find out how the state of software development in DPRK is. How are they developing software? Do they have a well-thought-out architecture? Are they thinking about what they are doing? So what is the skill level of software development in North Korea? These were the two aspects that we wanted to find out.

If you look at previous work, as I said, there is mostly superficial stuff. There is some information that Red Star OS actually looks like Mac OS X; we will go into this a little bit further. Then we have this talk from Will Scott last year at 31C3, who was talking about computer science in DPRK, which was very, very interesting and gave a pretty good insight into what's happening in DPRK. And then we have a bunch of guys that looked into the browser of Red Star, which is also quite interesting.

So what we are going to do now is: I'm going to show you the custom basic components, I'm going to talk a little bit about integrity on the system, then I will hand over to Niklaus, who will be looking into the core and the surveillance features, and then, as I said, we will have time for questions afterwards.

There are different leaked versions out there. As I said, we have a desktop and a server version of Red Star, so you can also use Red Star as a server, and it turns out that server version 3 is actually used on the Internet right now. As you can see, there is a server header returned, Red Star 3.0. This is an IP address of the server and it is pointing into North Korea, so this is one of the few websites that is publicly facing the Internet from North Korea, and they're obviously using the server version in version 3.0. So 3.0 might even be the latest version.
There is another version, 2.0, which has also been leaked to the Internet, and then there is supposedly something that looks like 2.5. We have found some South Korean documents that seem to be analyzing the system quite superficially, and it looks like 2.5 actually resembles the look and feel of Windows XP. So you kind of see this evolution right now, from 2.5 mimicking XP going to 3.0 mimicking Mac OS X. Our talk will focus on the desktop version, which is desktop 3.0.

If you look at the timeline, which is a guess, there's no documentation available on how they did it, obviously. But if you look at the 3.0 version you see that it is based on Fedora 11, which came out in 2009, so our guess is that they started developing 3.0 in 2009 with this Fedora 11 release. The kernel that they're using is 2.6.38, which came out with Fedora 15 in 2011, so it could be that the operating system itself is a little bit older and the kernel is a little bit newer. The latest package build dates that you can see in Red Star date to June 2013, so our educated guess is that Red Star came out in June 2013 or a little bit later, a few weeks or months later. In December 2014 we had the public leak, so the ISOs have been leaked to the Internet and are publicly available right now.

If you look into the operating system, it's basically a fully featured general desktop system, as you might imagine. It's based on KDE and Fedora, as I already said, and it tries to mimic the look and feel of Mac OS X. You have an email client, a calendar, a word processor, you've got QuickTime and all of that stuff; you even have a disk encryption utility, which Will Scott has shown last year. They implemented additional kernel modules and they touched a lot of kernel modules. They have this kernel module rtscan, which Niklaus is going to say a little bit more about. They have a kernel module which is called Pilseung; I was told that this means "victory" in Korean, and that is a kernel module that supplies AES encryption, so they
implemented their own kernel module to supply something like AES. Then there is the kernel module called KDM, which is the Korean display module, and KIMM, which... I'll just go on; it basically just does something with Korean letters and displaying Korean letters on the screen. Development has been done by, or it has been delivered by, the KCC, the Korea Computer Center. It's quite interesting that, I think a few years ago, they had an office in Berlin. I don't know what they did there, but they obviously had an office in Berlin, maybe for knowledge sharing, whatever.

If you look at the system hardening, it's quite interesting that they took care of system hardening. They implemented SELinux rules with custom modules. They have iptables rolled out immediately, so you don't have to activate it or put your rules into it; the firewall is working. They even have Snort installed on the system. It's not running by default, but they are kind of delivering it within the default install. And they have a lot of custom services that we're going to look into right now.

Quite interesting is: okay, so why should North Korea mimic Mac OS X? That might be one reason right there, because this young fellow sitting on the left is actually using an iMac right here. So this is one reason. So why should they implement their own operating system?
There are so-called anthologies that are put out by the leader, and one anthology by Kim Jong Il says, if you translate it correctly, and we tried to: in the process of programming it is important to develop one in our own style, and with "one" he means basically programs and operating systems. So there is this clear guidance that North Korea obviously should not rely on third-party Western operating systems and programs; they should develop this stuff on their own. And by looking at the code and everything that we have from Red Star, this is exactly what they did: they touched nearly everything on the operating system, changed it a little bit, added custom code, and so this is actually what they are doing right there.

The custom applications that you have are a browser, whose name translates to "my country". You also have a crypto tool that Will Scott has shown last year, which is called Bokem, which, if you translate it, kind of translates to "sword". You have So One Office, which is an OpenOffice customized for North Korean use, a software manager, and you have Music Score, which is an application that you can compose music with. Then you have a program which is called "root setting", and it basically gives you root. So if you look into the documentation, it says you're not supposed to have root on the system for integrity reasons, but if you want to get root you can use this tool.
So this is like they're not hiding anything. There are rumors on the net that say that you're not supposed to get root on the system because it's so locked down. This is not true, obviously, because there is software intended to give you administrative privileges. They even touched KDM, and so the code base that they touched is really, really big, nearly the whole operating system.

We are now going to give you a demo. Actually, the first demo that we're doing, we're doing it right now, because we are actually doing this presentation in Red Star OS. So what you see right here is basically Red Star OS. We're going to show some of the aspects to you; there are many, many screenshots on the Internet, some of you might already know how Red Star works or might have experienced it yourself. We're just going over a few interesting issues. So, as you have seen, there is a full-blown set of word processing, PowerPoint presentations and stuff. I'm going to open up the browser and go into the preferences, just to give you a quick insight into the certificate authorities that are implemented in this Firefox version. It's a Firefox 3. So you see there are not so many certificate authorities right here, and they all are basically, well, I guess, from North Korea. So the browser is totally created to not be used outside of North Korea, which you can see in the URL bar: there is an internal IP address which points into the network of North Korea, and all of the settings, proxy settings, hard-coded IP addresses or whatever, all point into this internal infrastructure of North Korea. So this browser and the email program were never intended to be used outside of North Korea.

Okay, what else do we have? Okay, we have a QuickTime player. So, actually, speaking about mimicking Mac OS X, you all have seen this "whoosh", right?
Okay, so that perfectly mimics Mac OS X. Is the sound on? Yeah, okay. Okay, so let me try to find... I'll try it with our player right here. So this is a shell. Quite interesting is that when we were looking through all of this stuff, there are a bunch of files that have a certain protection and they seem to be pretty important for the system, and then there is a wave file, an audio wave file, that actually is protected: "lib warning dot wav". I don't know if we can hear this. I hope that your ears are not going to explode right now. I'll just try it. I'll try it again. Hear that? Does anybody know what this is? Pardon me? Yeah, pig, exactly. And where is it coming from? Does anybody know? That's stolen from Kaspersky antivirus, because in the older version of Kaspersky antivirus, if you find a virus it actually will play this sound, and it's exactly the wav file from Kaspersky. We verified this by doing checksums. Okay, so we have a copyright violation right here.

So what else do we have? I've been talking about this: you can create your own music, but I'm not going to do this now because I'm not good at making music. What else do we have? We have the browser. Did we want to show...? Ah, yeah, I'm going to show you one more thing. I'm not going to show you the encryption tool, because Will Scott has done this last year, but to give you an insight into the crypto tool: it is pretty interesting if you look at the description of Bokem 3. Bokem is the tool that is used for disk encryption, so it provides the user a tool to encrypt files or even the complete hard drive, and if you look into the description, it says this allows the user to store his or her privacy data encrypted, which is quite nice, right? I mean, we didn't expect to have something like this in Red Star, so the user can actually at least try to encrypt files. Bokem is using out-of-the-box crypto that comes with the kernel.
It also uses Pilseung, which we don't know if there are any backdoors in it or not, so we have no idea if it is possible to decrypt this with a master key or something. If you want to look into this, we would be happy if somebody with big crypto experience would look into it.

Okay, so let me get back to the presentation. Ah, one thing I need to show you is this red flag in the right corner right here. If you look into this and if you are going to translate it... I didn't click the right one. So if you are going to translate all of this, you will find out that all of the strings and all of the text that you see right here seem to come from an antivirus scanner. Okay, so they even implemented from scratch an antivirus scanner in Red Star OS. You can now select a folder or a file and say "run a check on the file", and if the file actually is a malicious file (we will come to that part later, what "malicious" is) it will instantly be deleted from the hard drive. Okay, so this is an interesting feature, having an antivirus scanner in a Linux OS.

Okay, so let's look at the custom components. We have been looking into the user space a little bit and all of the programs that come with it. There is far more stuff. Download the ISO, play around with it a little bit; first change the language to English, you will obviously not get far if your Korean is bad. So change the language and then just play around with it a little bit. So Red Star comes with interesting packages. They touched KDE, as I said, they are putting out an integrity checker and a security daemon, there are signature packages right here, which Niklaus is going to talk about a little bit, there are policies for SELinux, and I'm going to talk about two of the integrity checking mechanisms that Red Star has. By looking at Red Star we saw that one thing was pretty important to them: they wanted to preserve the integrity of the system, and one way to do this is using this process right here.
It's called "in check". It comes with an SQLite database with hashes of files on the system, like signatures for the system, and you can configure it from user space, so it's not hidden, it's pretty transparent to the user. I think there even comes a UI with it where you can configure everything, and it's run at boot, and it checks the files, and if it sees that the files have been manipulated or tampered with, if the checksum changes, then it will issue a warning to the user. So you get a small pop-up that says this file has been tampered with, the security or the integrity of the system is not where it should be. So that's pretty much it, what this thing does.

securityd is kind of interesting, because securityd is also a process that is known to run on Mac OS X, and I think (I'm not a Mac user) that Mac OS X with securityd is kind of keeping track of certificates and stuff like that. So what they did is they re-implemented securityd for Linux and they included various plug-ins, and one interesting issue with securityd is that it comes with a library that provides a function called "validate OS", and what this function does is it has a hard-coded list of files. You can see our wav file right here, you can see configuration files and autostart files for scnprc, which is the antivirus scanner. So it checks if these files are untouched, and if these files have been tampered with, it initiates a reboot instantly.
So if you touch one of these files, your machine will reboot instantly. The same library is also used from KDM, so during the startup process, when KDM is starting, it is also doing an integrity check, and if it finds that one of these files has been tampered with, it immediately issues a reboot. And the problem is that if you start tampering with the system, you will end up in reboot loops all of the time if you're doing your research, because once KDM is saying "reboot the system", it's going to check it again after it's rebooted, and sees that it's still tampered with, and it's rebooting again and again and again, and then your system is basically dead. So what they try to do with "in check" and securityd is to protect certain files, conserve the integrity of these files, and if these files get tampered with, they assume that it is better to have an operating system that you cannot work with anymore than to still let it run or issue a warning. So integrity is one of the main aspects they were looking for by implementing Red Star. Okay, I will hand over to Niklaus, and he will go into the guts and the surveillance features a little bit more.

A package we found was this E6CB package, which actually says in the description that it's an electronic signature system, but we found that it is doing a lot of weird stuff. And this is actually one of the pictures which is included in the package, which is also protected. We don't know really why, but it says something like "this is our copyright, and don't break it, and don't copy it", and stuff like that. But it's actually doing something really different. It includes several pretty interesting files: we have some configuration files, we have a kernel module, we have also this red flag BMP, which is the picture you just saw, and we have the warning file and some shared libraries, and we are going now into detail on what these are actually doing.
So the first thing we looked at was the kernel module, because there is a kernel module which is loaded by default, and we thought: if you want to put some backdoors in it, where would we want to put it? Right in there in the kernel module, probably. What it does is, it's actually just hooking several system calls and it provides a device, which is actually an interface to the kernel. So you have different services running on the system which are actually talking to this kernel module via this device, and it has some functionality like it can protect PIDs. So when you're protecting a specific process, then even root cannot kill this process, which will be quite interesting in the next slides. It also provides functionality to, on one side, protect files and, on the other side, hide files. "Protect" means you cannot edit the file, and "hide" means you can't even read the file. So even if you are the root user, then you can't even read those files. On the right side you see actually how the services are interacting with this kernel module, and this is one function where it mostly protects and hides the files which we just saw, which are included in this e-signature package.

Then, like Florian said, we have this virus scanner, which at first glance at least looks like a virus scanner, and this is this scnprc process. It provides a GUI to the user, so it's quite transparent: the user can see, okay, I have something that looks like a virus scanner, and I can also trigger some scans of different directories. It is started by KDE init, so there's this scnprc desktop file, which is quite interesting, because what you want to do is disable it, but you actually cannot edit this file. As soon as you edit this file and save it, the system will immediately reboot, so disabling it is not so easy. Like I already said, you have different ways of scanning: you can just click on a folder and say "scan this", but also if you, for example, plug a USB stick into the system, then it
automatically will scan the files on the USB stick. This scnprc service is actually loading the kernel module and it starts another service, which is called opprc, which we are going to look at in detail in a minute.

This is quite interesting also, the next service, but first the pattern matching. We looked into this a little bit. There's another package: so we have this E6CB package and you have the E6CBDB package, which actually just provides this one single "angae" file, and this means, as far as we know, "fog" in Korean. And this is basically a signature file, or, how the code references it, a pattern file. It's a file with a well-defined file format and it includes several patterns which are loaded into memory, and as soon as you're scanning a file, it just checks if these patterns are matching, and as soon as the patterns are matched, then it just immediately deletes the file and it plays the warning. This is one of the hidden files, so even if you are getting root privileges on the system, you are not able to actually read this file. So a user of the operating system won't be able to check: okay, what does it check, and can I produce documents
which won't be detected by this? Because you actually just cannot read this file. We took a look into this, and most likely, our best guess is that these contain... a lot of their files are little-endian, so you always have to switch the bytes, and we saw that it looks like, at least, that they are UTF-16 strings with Korean, Chinese and some other weird characters. If we put this in Google Translate, then there are actually some pretty weird and disturbing terms in those files, but we actually cannot confirm this. It looks like they are actually not scanning for malware on the system, so most likely they are checking documents, and if those documents match those patterns, then they are most likely, for example, files that the government doesn't want to be distributed within the internet of North Korea, and then it just deletes those files. But actually we cannot confirm this, because we are not quite sure, if you put those strings in Google Translate, that they are actually real translations.

But you can always update these pattern files. On the one side, scnprc has a built-in update process where it just updates the file itself, or, when you're doing an operating system update with your package manager and you're updating this E6CBDB package, you also get a brand new file. And the interesting part of this is that actually the developers decide what is malicious. So it's not necessarily like "malicious" means that it's malware, that it's bad for you, but somewhere the developers and officials will actually say, okay, we don't want those files distributed, just delete them, because we think they are malicious.

There's this other service which I was also talking about, this opprc. This is even more interesting than the virus scanning itself.
It's running in the background, so actually a user will not see that there's actually another service running. You don't have any GUI or something like that, you cannot trigger anything with this, and this is one of the protected PIDs. So scnprc, for example, you can just kill with root privileges, but this is a process no one can kill on the system, and this is quite interesting, because you cannot unload the kernel module unless this service is killed. So they're actually protecting each other, so that no one can stop the services at all. And this service shares a lot of code with scnprc. We just did some entropy checking, and, okay, I will talk in a minute, when we are comparing more of these files, about why we think that this looks like pretty much the same, why they are sharing so much code, because we found something interesting with older versions of those services.

But the most interesting thing this service is doing is it watermarks files, and now we are going to look deeper into what this watermarking means. Actually, as soon as the system is started, it reads your hard disk serial and then scrambles it a little bit, and as soon as you are plugging, for example, a USB stick into your system,
then it will trigger a watermarking process, where it takes the serial, takes a hard-coded key from the binary itself, and then encrypts it and puts it into your file. When you're converting this hex key into a decimal representation, then you see that it's actually two dates. We actually cannot confirm what those dates mean, but one of those matches Madonna's birthday, and there are rumors that some people in North Korea might really like Madonna, but this is just speculation. But if you have a better conspiracy theory, just let us know, because we found some pretty interesting stuff, but we actually cannot confirm this.

So technically, the watermarks have an "EOF" string appended, which is most likely used by the code itself to parse the files and see if there's already a watermark in there. And for JPEG and RV files, for example, it just appends this watermark to the end of the file, and when you have a docx, for example, then it appends it near the header, where there are a bunch of null bytes, and then it just puts it in there. So the watermarking itself: as soon as you open a document file with the office, then it will be watermarked. And actually they have code which watermarks files even if you don't open those files, but, as soon as we saw this, it's pretty buggy. It doesn't work every time, but they have code for this implemented, and mostly it works, but sometimes it just fails. The supported types that we can confirm are docx files, image files like JPEG and PNG, and RV video files, but the code indicates that there are several more file types available for watermarking; we most likely didn't look into this. But the most interesting thing here is that only media files are affected, so they don't watermark any binaries or something like that.
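The trailing-watermark layout the speaker describes (the JPEG ends at its FF D9 marker, anything after it was appended by the watermarking service, each record prefixed "WM" and suffixed "EOF") can be checked for offline. The following Python is an added example by the editor, not code from the talk or from Red Star OS: it walks the image structure to find where the image really ends, reports and counts appended records, and strips them. The encrypted serial is not reproduced (the record bytes in the sample are constructed), and treating data after a PNG's IEND chunk the same way is an assumption that extends the talk's JPEG description.

```python
import struct
import zlib
from typing import Optional

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
WM_PREFIX = b"WM"   # prefix the talk reports before the encrypted serial
WM_SUFFIX = b"EOF"  # suffix the talk reports after each watermark record


def _jpeg_end(data: bytes) -> Optional[int]:
    """Walk JPEG segments; return the offset just past the EOI marker (FF D9)."""
    # Walking is safer than searching for the last FF D9, since appended
    # bytes could contain that pair by chance.
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None            # not a marker: structure is broken
        marker = data[pos + 1]
        if marker == 0xFF:         # fill byte
            pos += 1
            continue
        if marker == 0xD9:         # EOI: real end of the image
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2               # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:         # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def _png_end(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past the IEND chunk's CRC."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length         # length + type + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset where the image format says the file ends, or None if unknown."""
    if data.startswith(JPEG_SOI):
        return _jpeg_end(data)
    if data.startswith(PNG_SIG):
        return _png_end(data)
    return None


def inspect_trailer(data: bytes) -> dict:
    """Report bytes appended after the image proper.

    The talk says every Red Star machine the file passes through appends its
    own "WM...EOF" record, so records > 1 suggests several hops.
    """
    end = image_end_offset(data)
    if end is None:
        return {"format": "unknown", "trailer_len": 0,
                "looks_like_watermark": False, "records": 0}
    trailer = data[end:]
    records = [r for r in trailer.split(WM_SUFFIX) if r]
    wm = trailer.endswith(WM_SUFFIX) and all(r.startswith(WM_PREFIX) for r in records)
    return {"format": "jpeg" if data.startswith(JPEG_SOI) else "png",
            "trailer_len": len(trailer), "looks_like_watermark": wm,
            "records": len(records) if wm else 0}


def strip_trailer(data: bytes) -> bytes:
    """Return the image truncated at its real end (unchanged if format unknown)."""
    end = image_end_offset(data)
    return data if end is None else data[:end]


# Constructed samples: a minimal JPEG, a copy carrying two made-up records
# (the real record holds an encrypted hard-disk serial), and a minimal PNG.
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"  # APP0 with 2 payload bytes
    + b"\xff\xda" + struct.pack(">H", 2)                  # SOS header only
    + b"\x12\x34\xff\x00\x56"                             # scan data, FF00 is stuffed
    + b"\xff\xd9"                                         # EOI
)
WATERMARKED_JPEG = (SAMPLE_JPEG
                    + WM_PREFIX + b"\x01\x02\x03\x04" + WM_SUFFIX
                    + WM_PREFIX + b"\x05\x06\x07\x08" + WM_SUFFIX)


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_PNG = PNG_SIG + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
```

Run `inspect_trailer` over files coming off removable media to see whether a Red Star host touched them; `strip_trailer` gives back the image without the appended records.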
They're reducing their surface to files which could be used to carry information, which could be used to put information for your free speech purposes. And actually what we think is that this is not a security feature, so they're actually trying to watermark free speech in general, so that every time you might have a document file, an image or a video file, then they want to know who had this file, and they watermark it so they can track the origin of the file.

We have a short demo where you can see, for example, I have a USB stick, I'll put it in my system, and there is a file on the USB stick which is a love letter from Kim, and it has a checksum which starts with 529. As soon as I plug this into the system, I hope that it will notice this. There you can see, okay, it recognized something like a USB stick on the system, but I won't open it and I won't open any file on the USB stick; I just will eject it. I hope that it worked. Actually, what I meant is that it's kind of buggy, so it doesn't always work with the watermarking, but most likely if you open the file itself, then it will work. I guess we didn't have the case that it doesn't work when you open it. Which I open, and we close it again. Just close this, back, and then hopefully, if we mount this again, then you can see it has been changed. So we didn't change anything in the file; it was just the operating system that's changing files. And this was initially the part where we started to look into this more deeply, because we thought an operating system that's just changing files on something which you're plugging into the system is kind of annoying. So, just to make this easier for you:
So what it actually does in the file: we have here now the header of the file, which is a document, the docx file, and it just added this string, which is marked right here, and this is actually the watermark it's putting in there. Up here you can see the plain text, which is actually encrypted and then put into the file, and the serial starts with B48. So every time it puts the serial into the file, it prefixes it with "WM", which we think stands for watermark, probably, and you can see the "EOF" at the end of the file. And this allows basically everyone who can access this file, who can decrypt this watermark, which is actually encoded with the hard-coded key (so pretty much everyone who has access to this ISO can get this key and can decrypt this), to really track back the origin of the file, where it came from.

But there's a pretty funny example. So imagine you would have this picture, and you're inside of North Korea and you think, okay, this is pretty cool, and I want to distribute this to all of my friends.
So you think, okay, they might be intercepting all of my email and my browser communication, so you put it on a USB stick and give it to your friends, so that you think, okay, no one actually on the Internet or on the intranet can access this file, and you give it to someone else. Then at the beginning you have the situation where you have the original file. This is the end of the JPEG file, which by definition always ends with an FFD9 hexadecimal. And as soon as you give this to your friend and he plugs the USB stick into his computer, which is running Red Star OS, then the file will actually change and it would look like this. So for JPEG files, as I said, it just appends the watermark to the end of the file, so you can see the FFD9, this is the actual end of the image file, and they're appending the watermark there, as you can see with the EOF. But where it gets interesting is when your friend is actually distributing the file to another friend. So what Red Star OS is actually doing: it appends also the watermark of your third friend. So what you then can basically do, if you technically combine this together, then you can not only see, okay, where the file has its origins, but you can also track each and everyone who had this file and who distributed this file. And with this knowledge you might be able to construct something like this, where you can actually track the distribution of all of the media files which are distributed over the internet in North Korea, and you can see then in the center, okay, we have this one really weird guy who is always distributing images which we don't like, and you can see also who gets these files, and trace it back to all of the persons who ever had this file, and then you can just go to his home and shut him down and take his computer. We have actually not seen any functionality, but probably there is functionality in the system implemented where it always sends your hard disk serial to
their service So they always can probably always Be able to match your ip addresses to your heart disk serial And then they don't even have to go to your home and get your computer and check the heart disk serial Um, they just can it can do this remotely and can track all of the distribution of all malicious media files within the Within the internet of north korea Um What we what we thought is pretty pretty hard for someone who don't has access to a system other than red star s Who just has this one system and tries to disable all of this malicious functionality like the virus scanning who can't delete all of your files Someone else doesn't like or the the water marking the tracking of those files And this is actually quite quite hard because some of those services are depending on each other and can always be killed Only be killed when the other service is not running So what you actually have to do is you get you have to get root privileges Then you have to kill those two integrity checking demons Which florian was talking about so that it doesn't always reboot the system when you're changing anything Then you can talk via ioc tr chords to the kernel module and say just disable because it has this nice feature It can enable and disable it and then you can kill sc nprc op prc and the best The best thing you can do is just uh The weirdly the the lib os file is not protected by anyone So you can just exchange this with a validator s function, which always returns one which says okay everything is fine And then at the end you can delete the desktop file Which is used by kde in it to start all of these processes And then you are fine and we don't think that actually anyone in north korea who has only access to this one system Uh, it will be extremely hard to figure all of this out and completely disable it so they did a pretty good job in In building an architecture, which is quite self-protecting and They they they put a lot of effort in it to just prevent you from 
Disable all of the all of the malicious functionality um, we always we also took um a quick quick look on the Second version of red star s just to compare some of those services And there we can see there is actually quite an evolution from the older version to the actual the the current version and The the thing which i was talking about that the binaries are looking quite similar is that in the older version They used a lot of shared libraries And in the in the current version they they're statically linked a lot of code into the library into the binaries itself Even if they don't use it so um the code base looks looks quite the same And the the the chain of starting the processes is a little bit different So they put a lot of uh in the in its um Process which will be started at first and not like this this depending on each other infrastructure Which they have in the current version and they on the current version also they have a lot of problems with file privileges So a privilege escalations would be pretty easy even if you don't have this root setting file um, but also they have a lot of binaries who are just um Just setting like everyone can read and write this interface to the kernel module Which basically allows you even as a non-root user to disable the kernel module And then you can kill all of the binaries, but you actually cannot delete something because then it will end up in the real In the reboot loop and they actually when you are doing something malicious Then it always reboots in the old in the older version. It's just shut down the system. So um, we thought this is a pretty pretty interesting thing and there's a We we think and we saw that there's a more advanced Watermarking technique in there, which is not just appending watermarks into the files Um, but it looks like they are doing actually for video and audio files At least something like they're putting the watermarks as filters on the files So this will be a little bit harder. 
Um, I guess to to actually see those watermarks and read those watermarks Because it's not so obvious like when you have this uf string at the end, which is always quite weird But it uses a file this user lip user lip organ file, which is actually not present on the ISO we had And we have we're going to talk about this in the conclusion why we think this might not be there But it's actually not available. It's it's referenced a lot in the code, but we actually hadn't this hadn't had this file and we Unfortunately, we couldn't look into this more deeply Um, so what we didn't found actually were quite obvious backdoors, which we thought Would be in place and there would be pretty easy to spot Um, but we didn't see any of those. Um It doesn't mean that there are no backdoors, but we have some some speculations for this And one of the diseases that like we saw at the beginning of the talk that there are actually systems on the internet running This version of red star s so it would would be pretty weird if they would backdoor system And then put it on the internet and as far as someone gets gets actually gets the iso filing can Can look for backdoors and can find some of them and they would be actually able to exploit the system from the internet Actually the system um has a package manager and as we saw with the pattern file It has built-in update functionalities in different services. So backdoors could be just loaded via updates because um, probably they thought okay, these easels might be leaked into the outside world and You just get the iso install it update your system, which the updates are only a Possible from within the internet of north korea. 
So this is all with hard coded internal ip addresses So probably they thought okay only we want only our backdoors on the system, which are actually located within north korea and yeah This is like what we thought is the best guess that they were so um were Really thought that the iso might be leaked which actually happened and Another problem is that like floriano already said is that they will touched a lot of code in the operating system And we we did manage to check all of the code We mostly focused on the water marking and the bioscading stuff And there might be a lot of code that should be checked further Um, and the conclusion also is that the system is quite self-protecting. It's um, they not only implemented Several services for integrity checking themselves But also they they configured and implemented like se linux and something like that To just protect the system to make it more secure Um What is really bad what we think is this virus scanning and water marking because it actually allows you to um track not only the origin but a complete distribution within the network of those files And combined with the virus scanner where the developers are able to actually um say okay, what files are really malicious and What shouldn't be distributed within our network then it just deletes those files So these two combined are really a really really strong Framework which can help you to track malicious people within your network But two some words about security. 
Um, like I said, they have a lot of problems with file permissions They're actually having some documents on the server version of the of the iso In the eyes of the server version of redstone s 3.0 And there are some user guide and administration guides which are quite interesting and they are talking a lot about How to make the system secure how to run it secure and Why why they're doing different kinds of stuff just to save the integrity of the system and That are always that they have a huge chapter talking about file permissions But they actually didn't manage to fix them themselves. Which is quite weird and even the custom code uses a basic memory corruption protections like stack cookies and non executable stacks, which We saw that a lot of security vendors doesn't bother to use. So we thought this is quite funny. So Some of their code is more secure than a lot of security appliances So to wrap this up am I going can you hear me? Yes. Okay. So to wrap this up Again, we think this is a guess that primarily they try to protect and to Save the integrity of the system Which totally makes sense if you're putting out an operating system from north korea The system was in our opinion definitely built for home computers. So it's not like industrial control or Something else. It's definitely built for a home user because it mimics mac osx and gives you all of the tools Maybe the reason why we didn't find backdoors is they actually know that backdoors are bullshit Could be a reason we don't know If you want to look into red star s and help us out, especially with the crypto the pilsang kernel module which provides custom crypto With a look into the kernel to see if there is something hidden there if maybe there are backdoors there Take a look at our github and please contribute if you find something because we think that this message and all of this stuff Has to be put out to the public. 
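The append-style watermark described earlier in the talk (the image bytes stay untouched and every Red Star machine that handles the file appends its own record after the JPEG end-of-image marker FFD9) can be illustrated with a small parser. The following is an added example written for this page, not code from the talk or from the speakers' GitHub; the record layout (an ASCII "EOF" magic, a two-byte length, an opaque payload standing in for the encrypted hard-disk serial) is an assumption for illustration and is not Red Star's real format. The one point worth learning from it is that the end of the image must be found by walking the JPEG segment structure, because appended trailers can themselves contain the bytes FF D9 and a reverse byte search would land inside a watermark.

```python
"""Trailer-style watermark chain extraction for JPEG files.

Hypothetical record layout (an assumption for this example, not the real
Red Star OS format): each machine that touches the file appends
    b"EOF" | 2-byte big-endian payload length | payload
after the JPEG End-Of-Image marker (FF D9). Reading the records in order
gives the sequence of machines the file passed through.
"""

EOF_MAGIC = b"EOF"


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF xx LL LL payload (length covers the 2 length bytes)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG skeleton: SOI, APP0 (JFIF), SOS header, a few bytes of
# entropy-coded data containing a stuffed FF 00, then EOI. It is structurally
# walkable but not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\xab\xcd"
    + b"\xff\xd9"
)


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking the segment structure.

    Deliberately not data.rfind(b"\\xff\\xd9"): bytes appended after EOI may
    themselves contain FF D9, which would fool a reverse search.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                      # EOI: the image proper ends here
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers (TEM, RSTn)
            i += 2
            continue
        if i + 3 >= len(data):
            break
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if marker == 0xDA:                      # SOS: skip entropy-coded data to the next real marker
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                i += 1
    raise ValueError("no EOI marker found")


def append_watermark(data: bytes, payload: bytes) -> bytes:
    """Model of the append-style marking: leave the image untouched, add one record."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long")
    return data + EOF_MAGIC + len(payload).to_bytes(2, "big") + payload


def extract_chain(data: bytes) -> list[bytes]:
    """Return the appended payloads in order: first marker first, most recent holder last."""
    pos = find_jpeg_end(data)
    chain = []
    while pos < len(data):
        if data[pos:pos + 3] != EOF_MAGIC or pos + 5 > len(data):
            raise ValueError(f"unrecognised trailer bytes at offset {pos}")
        n = int.from_bytes(data[pos + 3:pos + 5], "big")
        payload = data[pos + 5:pos + 5 + n]
        if len(payload) != n:
            raise ValueError("truncated record")
        chain.append(payload)
        pos += 5 + n
    return chain


# Constructed 16-byte opaque tags standing in for whatever each machine embeds
# (in the talk, an encrypted hard-disk serial). TAG_B deliberately contains FF D9.
TAG_A = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_B = bytes.fromhex("ffd9ffd9ffd9ffd9ffd9ffd9ffd9ffd9")
TAG_C = bytes.fromhex("cafebabe" * 4)


def demo() -> list[bytes]:
    """File passes A -> B -> C; recover that chain from the trailer records."""
    marked = SAMPLE_JPEG
    for tag in (TAG_A, TAG_B, TAG_C):
        marked = append_watermark(marked, tag)
    assert find_jpeg_end(marked) == len(SAMPLE_JPEG)     # image bytes are unchanged
    assert marked.rfind(b"\xff\xd9") > len(SAMPLE_JPEG)   # naive search lands inside a trailer
    return extract_chain(marked)


if __name__ == "__main__":
    for hop, tag in enumerate(demo(), 1):
        print(f"hop {hop}: {tag.hex()}")
```

Run as a script it prints the three hops in order. The same walker doubles as a detection check: any file whose `find_jpeg_end` result is shorter than its length is carrying data after the image, whatever format that data has.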
So it is a well known fact that this operating system is actually abusing free software to make free speech harder in a country that is quite oppressed. So with this we are at our end and we are going to take your questions now. Thank you very much.

We have about 15 minutes for questions. If you want to ask a question, please come to the microphones; there are some in the right and some in the left aisle. If for any reason you can't come to the microphones, please raise your hand and I'll come to you with my microphone. Okay, please line up there. If you want to leave now, please do this quietly through the front door. Could you raise your hand if you have a question and are standing at the microphone? There are like three questions over there on the left. Number one, please.

Hello. Thank you very much, it was very interesting. I have two questions. Have you tried isolating the system in a chroot jail? And the second one is: were there any automatic outbound connections it made?

Okay, so for the first part, we did not try to run it in an isolated environment. We actually... did we install it on a live system? I don't think so, right? Did we? Yeah, okay, but we didn't make any observations that this changed the behavior of the system. Concerning the second question: there actually is not really outbound traffic. What it is doing on the local network is talking a lot of NetBIOS stuff, so there is an smbd and an nmbd daemon running on the system and it's talking a lot of NetBIOS. But this is basically everything we could find. We even left it running for like two days to see if there is an outbound connection once a day or something like that. We couldn't see anything like that. So the only stuff that Red Star is talking to a network is this Windows NetBIOS stuff. And if you push the button on the update feature of the virus scanner, it actually tries to initiate an update process that goes to five hard coded IP addresses that are all local, so like 192.168.9.something and 172.whatever. These are the only network connections that we could trigger or that we have observed so far.

Thank you.

Okay, the next question, also from this microphone.

Two questions. Might it be possible that when you install the system, it gets code from North Korea? So you cannot find out if it's calling home because you don't get the...

Could be. Could be. Our guess is actually that there is far more stuff that you get when you pull up the operating system in North Korea. One reason is the organ file that Niklaus mentioned, that is missing on the system, with the additional crypto information that is used for the extended watermarking they are applying. We don't know where this file is coming from, and from our perspective it totally makes sense not to distribute this file on the ISO but to give it as... I don't know, somebody has to come to your house to install the software, and then he puts this dedicated organ file on your desktop that is specific to you, for example. That would totally make sense, because as you know, stuff works a little bit differently there. It's not like downloading an ISO and installing it; it's probably more complex to get this onto your system if you want to use it. Right, so there might be stuff that is either pushed via updates, only internally, like this organ file, and other stuff that can get to your computer. We don't know if this is possible or if something is happening with this feature.

And the second question is: if you look at it from the North Korean view, they have the problem... they are quite happy, you have a nice state, everything's working fine from what they say, and now people come from South Korea, from western countries, bring their USB sticks with western propaganda. To have stuff like this watermarking, even if it's evil, is like a natural reaction from a closed system?

So actually it totally makes sense to develop the system in the way they developed it. It totally makes sense because it kind of reflects a little bit how the government is working, because integrity is not only a critical part for the operating system, it's also a part of the state itself: shutting down everything and closing off everything. That's by the way the screensaver, closing down everything. Also tracking stuff that is distributed in the country or deleting unwanted stuff totally makes sense. So what we think is that Red Star kind of resembles all of this and matches how culture is in North Korea.

Okay, we also have two questions from the IRC which I would like to slot in.

Yeah, thank you. Okay. The first question is if you have any theory on how and why the ISO got leaked.

Can you ask the question again?

How and why the ISO image got leaked.

We don't know this actually. We don't think that it was somebody from North Korea. We think that it might be a foreigner that got it out. Like Will Scott told us last year that he was able to get a copy of it and get it out of the country. There might be others that are able to. I mean, there is actually tourism in North Korea, right? You can go there for your holidays. So I guess that if you put a little bit of effort into it, it's possible to get nearly anything out of the country if you want to take the risk. But we don't know who leaked the version and we don't know why it actually was leaked. There are actually rumors that it was a Russian student who was studying in North Korea, and he bought this on the street and just brought it out of the country and put it on his blog. But we cannot confirm that this is actually true.

Okay, thanks. And the second question is if there has been any attempt at the custom kernel modules yet, like reverse engineering or something.

Well, we reverse engineered rtscan, which is pretty simple because it just hooks a few function calls, that's it. We have taken a look at the Korean display module; on a first glance it seems to do what it is supposed to do, having something to do with display management. But we didn't take a look at the rest of the remaining kernel modules, because the code base is so massive that we actually need you guys to help us out a little bit.

Next question from the mic, please.

Yes, I have another question. You said that most of the software is based off other open source software, and you don't have the source code and it didn't come with the ISO, so it's pretty much a massive violation of all sorts of licenses.

Yeah, absolutely.

My question would be: could you get an insight on what other packages are available from the package manager, or what other...

Actually there is a DVD which also was leaked. I think that it was for Red Star 2; I'm not sure if it is also for the latest version. But there is a CD with additional software, and you have stuff like Apache, MySQL, I don't know, all of the stuff that you basically need to run a full-blown operating system on Linux. So there is additional software out there. You can download the DVD and install the software on the machine. If you go through the RPM descriptions, you will see that for some of the software they wrote, they used a description for the license that says KCC, which is the Korean Computer Center, and sometimes they use GPL and sometimes they use GNU. So yeah, massive violations.

Did you ask them for the source code?

Actually, we think that there is an internal Git in North Korea where you can just check out everything. So we suppose it is this way, because it's like open source, right? Okay. Yeah, by the way, open source. Very nice.

One more question from here. Are you having a question? No. Okay, then we have one more question from the internet.

Yes, the question is if there is a possibility to fake the watermarks to get some innocent North Korean into trouble.

Yeah, no problem, because the key is hard coded. You know how to scramble the hardware ID, the disk serial, and you could perfectly forge documents. That would be no problem at all. You just need the serial number, basically.

Okay, and I just got another question: does the warning.wav have a watermark?

No, it actually has the exact same checksum as the original file. Actually, we didn't check if it had... no, it doesn't. Yeah, so it does not have a watermark, because as Niklaus said, it's the same checksum as the Kaspersky one.

Okay, thanks. Okay, thank you very much. Please give Florian and Niklaus another big round of applause for the major talk.