Okay, welcome everybody. So we all don't know so much about the daily life in North Korea. It's a country with a pretty secret dictatorship, and the people living there are under constant observation. Research of leaked software and hardware is sometimes the only way to look behind this curtain. And at last year's congress, Florian and Niklaus lifted the fog on North Korea's Red Star OS and its surveillance features. This year they will let us know details about North Korea's latest tablet computer. Please give a warm round of applause to Niklaus, Florian and Manu.

Alright, thanks for showing up. I'm going to dive right into the Wulim, or Ulrim, however it is pronounced. We don't know any Korean. We have no idea how this is pronounced, to be honest. We had Korean people talking to us and trying to teach us how to pronounce it. Wulim is probably the wrongest that you can get it when you write it in Latin letters, but that's not important, I guess. So let's dive right into it. First of all, a disclaimer: we had this disclaimer last year, and we'll have it today. We never visited DPRK, so most of the slides contain words like "probably" or "maybe". This is because we never visited DPRK and we don't know how this tablet, how the technology is really used, who is using it and what the control mechanisms are to extract data from these devices for the government, for example. We just have this device and some of our sources in South Korea. So some of the stuff that we are saying is speculation. Please bear with us that it is not possible to give you a full-blown introduction to all of that. And as last year, it's not about making fun of the people in DPRK, and it's also not about making fun of the people who made this piece of software. We are not focusing on security in this talk. It's only about the privacy aspect. So there are no details on security issues that might be in the tablet.
This may be further research that we are going to do in the near future, but this is not the focus of this talk. So what are we going to talk about? We are going to give you a little update about Red Star OS. There has been a lot of work following our publication on Red Star OS last year. We will talk about the software and the hardware that the tablet PC is made of. We will give you an introduction to all of the applications, or some of the applications, that are stored on the tablet PC, and we actually have a live device here. It's sitting right here. Maybe Kim Jong-un is listening already. So we have one device right here that we got out of DPRK. In the Q&A, it is important that you please do not ask questions on how exactly we got this tablet PC. We will not answer them. But we have this full-blown device; it's sitting right there and I'm going to do a live demo. Then after that: Wulim is pretty locked down, so there is not much a user can do to break out of the usual tools or applications that are installed on the device. So we had to find a way to gain access to the whole package, all of the APKs, all of the stuff that is stored on the device. Manuel is going to talk about how we gained access to the device, and after that we will see how the government is able to control the distribution of media with these tablet PCs; Niklaus is going to talk about that part. And after that, hopefully, we will have some Q&A.

To give you some Red Star OS updates really fast: there have been multiple publications concerning the security of Red Star OS. We didn't focus on the security last year, so there are code executions, command injections, and even in the server version of Red Star OS there is Shellshock all over the place. Then there was a cool art project created by a guy who used the watermarks for files to create artifacts in pictures.
So what he would do is take your face as a picture, create a watermark for it and then kind of disturb the picture so it has artifacts in it. The project is at the URL. What we also found is a website called cooks.org.kp, which is from DPRK, and all of the JPEGs that you see on that website are publicly available. You can just go to the website and grab all the JPEGs, and you will see that all of these JPEGs have watermarks applied by Red Star OS. So this is actually a finding where we can see that Red Star OS is actually used and these watermarks exist in the wild. We could identify six different watermarks on this website, which tells us that there are six different computers where those JPEGs were created, used, manipulated or whatever.

Why are we doing this? Again, as last year, there's only some general information available about the tablet PCs that DPRK provides. We wanted to get a glimpse into the tablet PCs, because last year we identified some dead code that was lying around in Red Star OS and was not used by the watermarking. We thought last year that there might be some more sophisticated, more advanced watermarking, and this is exactly what we found in the tablet PCs. So again, as I said, Wulim is the name of the tablet PC. If you translate it, it translates to "Echo". If you put this into Google Translate, it translates to something completely different; I have no idea why, but I think it translates to "Ring" or something. But "Echo" is probably the real name if you want to translate it, and it's also the name of a waterfall in DPRK. There are probably at least four tablet PCs out there in DPRK. There is one for three. There is another one which is called after a mountain in DPRK, and it's called Mysterious Fragrant. So they basically name all of their pieces of technology after stuff in nature, I guess.
If you do some research on the device, you will find out that the manufacturer doing the hardware is not from DPRK. It is a Chinese manufacturer, and it is actually selling this piece of hardware, just the plain hardware with a stock Android on it, probably under the name Z100. The product sells for 180 to 260 Euro, which is a good price for the technology behind the tablet PC, but you can imagine that 260 Euro is pretty much for someone sitting in DPRK and wanting to buy a tablet PC. So probably those tablet PCs are not meant for the whole public; it's probably only a few people that have access to those tablet PCs, but this is speculation. The software that is running on the tablet PC is coming from DPRK. What they did is basically use an Android SDK to develop an Android for their tablet PC and then put some interesting services and interesting applications into the tablet PC. So we are going to give you a product presentation. Well, we are not going to give you a product presentation, but DPRK is actually doing this. Can you switch the audio to the laptop, please? The subtitles are not from the original video; they have been added by a guy from South Korea who was helping us out. So this is the official commercial for Wulim.

Okay, so this was an original video, so we didn't make this video or something. This was really an original video that is also on the tablet PC. I will go briefly into a few points from the video because they seem pretty important to me. First of all, don't drive and watch TV; that's a bad idea. Second of all, if you look closely at this device, you will see, if you know the original device, that it's probably a different type, although it is the same brand. Down right in the corner you can see that it's Wulim, and also on the back of the tablet are the same letters.
So we are pretty sure that it is from the same series or whatever, but it is not the same hardware, as you can see right there. So probably there are multiple tablets that are running under this brand. This is important to know. The next thing which is quite interesting is that they provide rapid updates, which is something that, if you're in the Android world, is not that common; I find this pretty amazing and good. The second thing is they have a free warranty service, which is also pretty convenient. So that's also a nice service, I would say. And one of the most important parts, which is not about the tablet PC itself but gives you some clues about how infrastructure is working in DPRK: they are actually offering a DVB-T broadcast on the tablet PC. So you can buy or rent or whatever, get a dongle and then have like 20 cables connected to it. So it's a little bit like Apple. And then you can view DVB-T on your device, and this even sells as a feature: they say you will not be able to view any other stuff than just our own. This is pretty interesting because, going back to Red Star OS, I don't know if you've seen the talk, but we had an antivirus scanner that was not antivirus scanning at all. It was doing something completely different, and we thought they are tricking users: they just say this is an antivirus scanner to do something else under the hood. But if you see this, then they are basically saying we want to prevent you from seeing the malicious stuff from outside. So they are selling this as a feature. So it's not like they're trying to trick the people. They are saying we are going to encrypt our TV broadcast and you will only be able to see our stuff, so there is no danger from the outside coming to you. And this is pretty remarkable, I think.

Okay, if we're going to the architecture itself, let's take a quick look at the hardware. It's an Allwinner A33 system on a chip.
It comes with 8 GB of flash, and it has a microSD port and a power plug to charge the tablet. It has a not-so-responsive touchscreen, to be honest, so when I do the live demo I will probably fuck some stuff up and tap on the wrong things; sometimes it happens, sometimes it won't. So it's a bit random; bear with me if it takes a while to open some of the applications. And if you just get the tablet by itself, there are no communication ports at all. Normally, if you buy your usual Allwinner A33 system on a chip on a board, you probably have another chip that has Bluetooth, Wi-Fi and all of the other stuff that you need in a normal tablet PC. On this device this has either been soldered off or it never made it to production, so the board does not contain any communication hardware itself. You always have to buy or rent adapters that you can plug in to use the stuff, and as you could see in the video, the usual cases are a USB modem, Wi-Fi, normal networking capability or DVB-T. It also has HDMI, and there goes the problem: this one does not have HDMI, which is why we cannot connect it to the screen. But in the commercial you could see that they just plug in a micro-HDMI or mini-HDMI adapter and then you can basically hook it up to any HDMI device. So with this device it's not possible, unfortunately. So we will have to do this projector thingy right there, and I hope it will turn out fine.

Okay, concerning the software perspective: there's an Android 4.4.2 running with a kernel that is kind of up to date for Android 4.4.2. The build date goes back to September 10th, 2015, so it's pretty new. I think we got it four months ago or something like that, so at the time we were starting the research it was actually pretty new.
Looking at the pre-installed applications, it's just your usual Android stuff but without the Google stuff, obviously, so there is no Play Store or Google Maps or whatever; that has all been stripped out, and you basically have just basic functionality plus some applications from DPRK. Can I have the tablet on the big screen, please, for the demonstration? Should I show the video again to kind of get over the time? Yeah, thanks.

Okay, so this is the tablet PC itself. This is the default background that you see right there. If I move the tablet around a little bit, you might see that there are some cables coming out on one side. This is because we tried to find debugging ports; we didn't find any, we just started debugging the LCD and stuff like that, so this is not really working. But if you have questions afterwards: these cables are just coming out there and doing nothing right now. Okay, so let me show the tablet PC real quick. The problem is that some of the applications have a serial ID that is mostly shown on the splash screen, and we don't know why the serial ID is there. It could be that it's just a versioning number for the applications, but it could also be a way to track who has which APK installed on the tablet. To prevent the guy who leaked this tablet PC from getting into trouble, I'm going to pull out the tablet PC, open up the application, see if there's a serial number and put it back, just to be sure. So I'm going to pull it out and in again, and you know that this is not like we're tricking something; this is just because I want to make sure that no serial IDs are shown on the screen.
Okay, so the first thing I'm going to show you are the applications. These are the applications in factory-reset mode, so this comes with the tablet itself. You have your usual stuff like the camera, as you can see right there, and a file browser. I'm going to go into the settings; you can see that there is Ethernet, modem, stuff like that. If I scroll down a bit you can see some of the applications running. There is even Flash, as you can see right there. We don't know if it's really Flash, but it makes sense because most of the websites of DPRK are using Flash to show videos and deliver remote exploits, so that totally makes sense. If you scroll down a bit you can see your usual applications, an archiving application and this Red Flag thing, which is pretty interesting.

Okay, so the next thing I'm going to show you is the security stuff and the certificate authorities that are installed on the tablet. There are not so many; that's all of them, basically, and they are all from DPRK. You should bear this in mind if you get a device like this and start browsing: you will probably be totally man-in-the-middled when you're using this on the DPRK internet or intranet. Interesting is maybe the browser. Looking at the browser, there is an XSS right there; it's just a normal browser. You can see some files on the hard drive, some of them. What you can do is go to the favourites and see the bookmarks that are already there. If you look at the bookmarks, most of them are probably internal websites, so if you click on them you see that the URL is actually an IP address, and if you check all of them, you see that they are all internal IP addresses, and these go perfectly with the address space that DPRK has, especially these ones right there. The tablet PC, if you hook it up to Wireshark and let it run, is even making some outbound connections to IP addresses in this network segment. We don't know what it
is doing or what it is trying to get from there. Maybe the rapid updates; that's a possibility, I don't know exactly. So there is also a camera. I'm not going to turn on the camera and take a picture of you so Kim Jong-un can see what we are doing right here; I'm going to leave this out. The next thing I'm going to show you is a game, which is Robo Defense. I don't know if you know Robo Defense; it's perfectly available in the Android Play Store, and if you start the game you might recognise that it is really kind of the original version of this game. What they did is basically adapt a few things, especially for language settings, and make a new splash screen. So if you decompile this thing, you will see that it is the one from the Play Store, at least in parts. So there might be a copyright violation right here; I'm not sure about this. What else do we have? Another thing I found pretty interesting is that there is an application that enables kids to learn how to type with a keyboard. That's pretty nice, actually. So you have your settings, I'm just typing a random theme, I don't know what it says right there, and then you can hook up a USB keyboard to the tablet and learn how to type on a keyboard, which is actually quite nice. Okay, what else do we have? Concerning writing, there is also a full-blown office suite on the tablet itself, and with office suite I really mean office suite: it lets you create PowerPoint presentations and stuff like that, and it really works. We would love to do the presentation with this tablet PC, but unfortunately we cannot hook it up to HDMI, so that was not possible at all. Okay, what do we have? We have a lot of propaganda installed on the tablet PC, obviously. There is one application that even comes from Red Star, and it is basically the encyclopedia; it shows the writings of all of the leaders of DPRK and you can see what they have written
exactly. Another interesting thing is that there is a lot of educational stuff on the tablet PC. There is one application that is basically a technological dictionary, so you can find information about technology, and there are also dictionaries installed that let you look into other science areas as well. Okay, another one which is pretty interesting, and maybe I would like to have your help here... so I need to come up with a hack right here, probably, so give me a second. There we go. Alright, so I am going to start this application again, and if you see the splash screen, please shout out to me which game this reminds you of. Yes, I don't know if it's SimCity, but when I started the application the first thing that came to my mind is that this looks like SimCity. What this application is actually doing is an architecture program, so you can plan houses, plan cities with this thing and really do the architecture of your future house or whatever with it. It even comes with an AutoCAD plugin, so the stuff that you create right there you can reuse on your Windows PC if you have a CAD program there, probably with everything copyright-wise in the right place. What else do we have? There is a cooking application on it, there are a bunch more games on it, and then there are one or two pretty interesting things that came to our attention when we used the tablet for the first time. If you start this application right here, Trace Viewer, that is a pretty interesting thing, because if you start it you will see that it gathers screenshots. What it does is: there is a process in the background, and once you open up an application it's going to take a screenshot of the application and store it in a secure way. The only thing that you can do with this Trace Viewer is basically see your browsing history and see the pictures of the applications and the content that you started. So from our
perspective this is a clear indication that they are going to tell you: we know what you are doing, we see what you are doing, you don't have any chance to delete any of this stuff, but we see what you are doing and you cannot get rid of this information. The next thing which is pretty interesting: if you try to open up a file on the tablet, then you are probably not able to open any of the stuff that comes from outside. This was the thing where we thought we need to go into detail on what is happening right there, and we thought this is a pretty powerful mechanism. So if you just try to open one of those files... in this case it's working, that's bad; I created this file on this tablet. If I open up another file, like this one, you will see this message: "this is not signed file". So obviously there is some signing mechanism on the device that prevents us from opening arbitrary files. Can I go back to the computer, please? Can I have Niklaus's password, please, or should I ask Kim Jong-un? Do you have an auto-erase after entering the wrong password ten times? Okay, so much for the application demos. I have two more applications that I cannot show on the tablet PC, for reasons, but I am going to show you with some screenshots. The first thing, which is very, very, very interesting, is that there is a tool called NUC installed on the tablet PC, and it is probably used to get a connection to the internal intranet of DPRK. You can choose from three options: dial-up with a modem, going via a local area connection, or going over the internet or whatever. It uses PANA, which is something I have never seen in the wild; Wireshark knows the protocol, but I have never seen this so far. You need to supply login credentials, and then you can choose between different access points depending on the city that you are in. So you can choose network access when you are in Pyongyang, for example, enter your credentials and probably get hooked up to the local intranet of DPRK. The next one, which
is quite interesting and is running in the background, is Red Flag. This tool is the one that is taking the screenshots in the background; it is also logging the browser history, and it is responsible for grabbing the IMEI, IMSI and the Android ID. There is no SIM card installed right here, so probably this is an indication that the same algorithm or the same mechanism is running on the smartphones that DPRK is providing. It also copies some key material around, and it does some basic integrity checking of the system; if these integrity checks fail, the system will be rebooted or shut down. In addition, there is a whitelist for applications, so even if you were able to install applications on the thing, the whitelist would kick in and not allow you to install the application. This is an incomplete list; I have highlighted some of the most interesting parts, like Angry Birds, which you see at the top, or Robo Defense down at the bottom, so probably we have some copyright infringement there. So the last thing that you have seen is obviously not a black-box analysis anymore; you have seen that there is source code that we could decompile, so we could gain access to the device, and Manuel is telling you how we achieved access to the device.

Okay, can you hear me? Yes? Alright. Well, as Florian gave you more of an overview of what you can do as a user with that tablet, I am going to get a little bit more technical, but I'll try to keep it as understandable as possible without losing too much detail. As researchers, we of course wanted to know: well, what goes on there, what is that thing actually doing, and how is it achieving such mechanisms that prevent you from opening arbitrary files? But to find that out we needed some kind of in-depth analysis, and to perform an in-depth analysis you somehow need data, the data from the tablet. I am going to show you how we got to that data, and in the process of doing so you will probably get a good impression of what
they do to prevent someone from tampering with their system integrity. What we finally needed to achieve is to either get a memory dump of the whole tablet or get privileged code execution on that tablet. How do we do that? That's what I am going to show you, because actually they did a pretty decent job in locking that tablet down. At first we tried the obvious things: is ADB enabled? No, it wasn't. Can we enable it? No, we couldn't. Are there the developer options, where you press the Android build number like five times and then boom, you are a developer and can do advanced configuration? No, they also disabled that. Can we install arbitrary APK files? No; Florian already showed that to you. If you try to install any APK file, like a terminal emulator that would help us execute arbitrary code, that didn't work; you need to have a signed APK. Then we turned that thing off and pushed every button combination that we could imagine to find out if there is a recovery or download mode, but as far as we can perceive, that wasn't possible. Then we got a little bit more creative. We tried to find file-open dialogues in all kinds of applications, because we thought: in the file manager you can only access certain files that are locked to one directory, so if we can find applications that have file-open dialogues, we might be able to traverse directories and get access to system storage. That is actually possible; there are some applications that implement their own file-open dialogues, and then you can access files from the system. But still, you are very limited in the files that you can access; you can only access certain file types like .txt files, and you won't find a lot of important, system-critical information on a Linux device that is stored as .txt. Also, if we manage to do so, we still need to defeat the Android sandbox somehow, because usually on an Android device an application is sandboxed, so you can't just access any arbitrary system file. We also tried
attacks via archives, like classical symlink attacks or directory traversals. We found an application that had a configuration file that was not signed and contained something that looked like shell command parameters, but it turns out that either they aren't, or we couldn't exploit that. Interesting note: we found an application on there, Tetris, and that application was coded by some Chinese guy, we don't know who, but we found the source code for that on GitHub, and it's actually the same source code. So they just took that from GitHub and installed it on all of their tablets. As we got the source code, we could perform a more advanced kind of attack against that, and we noted that it was writing, I think it was something related to the score, as a serialized Java object to the SD card, and it didn't check for any signature. So that was a way we might be able to get in there, but it turns out that on Android that's a more complex thing, and it didn't work out in our case. As we saw that they implemented their own office suite, and we all know those attacks like XLS macro injection, we also tried that, but no, that didn't work out as well. That's only an excerpt; we tried a lot more things. But what came to our minds was: someone must have thought about that, someone does not want us to tamper with their system, and from what you can see in Niklaus' part, that's possible. So let's take a step back. We all know that there are vulnerabilities in Android, and if you follow the Android security bulletins you'll notice that almost every month new code execution vulnerabilities are popping up. Why can't we use one of those, like one of the famous ones, Stagefright, for example? While that's in theory possible, in practice it's quite hard to achieve, because this would be black-box exploiting. In such a situation you usually have a device at hand on which you can attach a debugger and search for ASLR bypasses or ROP gadgets, and we couldn't do so because we only got one tablet, and
that wasn't pre-rooted. What you can do in such a situation is work on the hardware level. From what the circuit board looked like, what we knew about the tablet and the complexity that would be involved, it seemed probable that they don't use any kind of cross-platform or other way to secure their boot process. So there might be a good chance that we just open up the case, pop off the storage and dump that using whichever protocol we need. Well, that is an option that might also lead to success, but suppose you're me and you're more of a software guy rather than a hardware guy; give me a soldering iron and chances are that I'll mess this up. It might be that you end up with a brick, and considering that this is a very valuable device and how hard it is to get your hands on such a device, it's not a feasible option, at least not for us. Even if you're more skilled at soldering than me, chances are that the chip gets too hot for just a bit too long and is screwed up. So we turned back to the internet, and we thought we might find another way to access the storage. After searching about the architecture (after we popped open the case we could see what chips it is using, and we found the A33 system), what we also found is this tool. It was half English, half Chinese, so we pressed some buttons; we had not really an idea of what we were doing, but it was supposed to give you a bootable image that you could just burn onto an SD card, plug into your device and boot it up. We thought: no, that is not going to work, that would be one of the first things you turn off. And we plugged in the SD card and it actually worked. Well, we thought: why did they do that then? Why all these hardening mechanisms we found in the first place? It doesn't make sense. We can only speculate about that, but there are some pretty satisfying explanations. One would be that they just forgot it, but we don't think so. It could be that this is a
feature of the system on a chip, that the system on a chip does this by default if you do not cut certain hardware lines, and if they just bought the hardware from a Chinese manufacturer it might be too complex to cut those hardware lines or reprogram the system on a chip. So maybe that's an option. If you think again about it, it's not really contradicting their security concept, because what is the thing they need to defend against? They need to defend against a North Korean traitor who would be inside North Korea and try to do this. Imagine you're sitting in North Korea and try to access that tool with your internet access constantly being monitored, or no internet access at all. I think that's kind of difficult, and that's probably the reason they did that. Still, as we got code execution, we weren't done yet, because we booted up that image, and it was a functioning Linux kernel, but it had no way of accessing the memory; there was just a driver missing. Well, what could we do? For one, we could just plug in our logic analyzer and analyze what that thing is talking over the wire, but that still involved touching the hardware, and we decided not to do so. We could also try to get our hands on the data sheets for this kind of flash storage; we had that at hand, but implementing your own driver based on the data sheets sounds like a time-consuming process. So we went with another option. We thought it cannot be the case that the manufacturer they bought that from manufactured a whole new tablet with completely new hardware they never used before. At that point in time we didn't know it was the Z100; we thought there must be a different tablet which uses almost the same architecture, and maybe that one has a functioning driver. So we went to the internet again, and this is what we found. It's a tablet that, at the point in time we bought it, was like 30 bucks, and we thought: well, 30 bucks, nothing can go wrong with that. So we bought it, like two of them, and luckily
for us they came already pre-rooted, so we could just plug in ADB, dump all its contents, and we were done. We took the kernel and the kernel driver for the storage and put that on the external SD card we used to boot. First we plugged it into that other tablet, and that didn't work out quite as easily, because of the way the driver tries to find out how to talk to the storage controller. But after putting that into IDA and reverse engineering the driver, we eventually managed to find out how we could talk to that storage controller. The question was: would that work on the DPRK tablet? So we plugged it in and booted it up, and it actually did work. This is the memory dump of the internal NAND storage, and you can see from the partitions that it's using that it's quite a normal Android device. It has a bootloader partition containing the bootloader and the default kernel and RAM disk; it has a system partition for some binaries, a data partition for the applications and a recovery partition we couldn't trigger. Now we really could start doing our analysis, and that is what Niklaus is going to tell you. Thanks.

So, okay. Some of you guys probably saw our talk last year on Red Star OS; there we found some really interesting features regarding the privacy evasion of those operating systems. As soon as we got access to the device we were curious if there might be some similar mechanism, or probably something that is even worse than this mechanism, on the tablet. As soon as we were able to access most of the libraries, we saw there are actually two mechanisms on the Wulim devices. One of them is basically a watermarking mechanism, which is most likely the same one as in Red Star OS; it even looks like it's just a refactored version of two components in the Red Star OS operating system, and it's doing basically the same watermarking. We didn't see any code that is actually using this library, so the active operating system, from what we saw there, is not actually watermarking any files in terms
of the watermarks like in RedStar as but it actually has the code there and we think that it might be just for compatibility reasons what is more interesting is that there is an even more advance and an even more restrictive way of controlling the media distribution within North Korea on the devices and it's based on digital signatures just a quick recap of what we were talking about last year what you're seeing here is a hex-tump of words document and the marked part here is basically the encrypted form of the plaintext that you're seeing below and this is basically just a watermark that allows you to identify a specific RedStar installation and just if you're curious if you want to get to know how it's working there are actually decryption tools in this repository but it's really really simple it's not rocket science how it's working but when you're doing this in the wild there's a functional file at the top and the red part here is basically the end of the actual image as a JPEG file and as soon as the user is getting for example if it's on a removable media device and you're plugging it into a RedStarS system then it depends on bytes at the end of the file if you're giving this file then to another user running RedStarS there are even more files at the end of the JPEG and what you're seeing here the green part is basically the watermark that identifies the first user and the orange watermark identifies the second user what is quite interesting here is that when you are seeing this from a government perspective just to give you an impression when you're having a normal JPEG image and you're having it on one RedStarS system put it on a removable media give it to a friend or whatever someone that you're affiliated with and it will apply to the watermark of the second system if you do it again then with your third friend or like-minded people then the image will actually contain references to all three operating system instances if then the government gets access 
to for example the system of the third user and gets access to this JPEG file and they want to know what is the source of this file and who has had access to this file then they're basically able with this single file to track down dissidents or traitors or whatever because it allows you to reference all the users that had access to this file what you then could do if you do this on a large scale like in a complete country for example it allows you to connect social networks it allows you to connect connections between dissidents connections between traitors what it then allows you is not only shut down users where you for example had access to a system and you found this file you're also able to shut down the sources of those files so for example users that create files or users that import files from outside of the country and you are basically able then to shut down the complete all the connections then between those suspected people what William does William is way more restrictive than what what Redstar was doing it can actually do the same thing as Redstar has done but on top of this there is another more restrictive way of not only tracing the distribution of media but the goal of William is to basically prevent the distribution of media and this is quite interesting how they are doing this and it's really effective what they are doing so what they are doing is basically use cryptographic signatures and the government has control over those signatures and if you are controlling the signatures if you are able to sign files and if you are the only entity that can sign files then you have to complete control over all media sources what should be noted here is that compared to Redstar which had just implemented the most functionality into a kernel module that just hooked the system calls in William all of this is explicit so each and every application has to do own signature checks it's not the operating system itself that provides this functionality the 
operating system is just providing a library but each and every application is responsible for the signature checks these are done basically with a native library in Java so each and every application can use this native library from code and the package is actually called government no media which is quite interesting it's actually called when you are for example opening a file in what we saw the office suit when you are opening a file then it's basically doing some license checks so the functions are more or less concealed like license checks when you are opening files or when you are saving files then they are in the background calling these functions in those native libraries William provides two ways of signing files these are referred to in the code as nutty sign basically called nation signing which are signatures by the government and there are self sign signatures which are done by the devices themselves if a file doesn't have a proper signature then all of these applications that are doing signature checks will prevent you from opening those files this is a quick example of how one of those native libraries looks like you have some basic functions that allow you to get some information of the device which are used then to put into signatures or check the content of existing signatures and basically provide you these easy functions like is it a valid signature or not because all of the rest of the code should do the stuff like print if the file cannot be opened and this is quite interesting because there are some applications that just have different error messages for the same situation so this is not a library but all the applications here is a quick list of most of the applications that are doing these signature checks so you can get a brief overview of what they are really focusing on when it comes to the files that they are really interested in just some quick words about the nation sign and the code mostly also refers to it as government signing it's 
basically an RSA signature with a 2048 bit RSA key and the public key is just stored on the device the private key is held by the government and in addition to the signatures it just does a lot of obfuscation work so also on a bit level it's trying just to shift some bits I think that it's just doing this to make it harder to sign the files yourself but it's nothing really from a security point of view it doesn't make any difference what we focus more on is the self-signing mechanism because it looks a lot more interesting because the nation signing is basically an RSA signature self-signing is a combination of symmetric encryption there's some part that is just encrypted what is notable here is that it's Rishan there the basic algorithm behind AES but they were not using AES they were using a really specific form there because they are not only using 256 bit keys but also 256 bit blocks so they are always encrypting 32 bits bytes at a time which is not possible with AES they are also doing signatures and what they are basically doing is create a signature over the hash of a file so they just mostly they have code for SHA-224 but they are mostly using 256 bits there is also a file called legalref.dat on the file we saw this red flag application this application is responsible for reading the e-mail and the imsier of the device and also the android ID these will be stored in this legal file which is basically a legal reference of each and every device this is like basically the same thing a little bit more advanced but the same thing like in Red Star S with the watermark here you have a legal identity how it's referred in the code and this is also included in the signatures it's not only a signature of the file itself but it also always puts your identity into those files so this is also quite similar to the way Red Star is watermarking files it's only implemented basically to allow you to create files on the device itself and open those so you have a camera on the 
device you can take pictures there and you are basically able to open those pictures on your own device a signature, technically it looks like this signatures have a fixed size of 792 bytes and so even if you are creating a text file with a single character it will always append 792 bytes to the file if you open it with for example text editor you will never see the signature because it's responsible for checking it and removing it again from the file when you open it but the top part here is the RSA signature of the hush of the file and the green part is encrypted and the most interesting content here is your IMSI and EMI of the device the rest of it is basically just null bytes they have implemented they have not implemented it with padding and they are using kind of like easy B mode but they have like really at the end of the file it's quite interesting what they have implemented but I think it's just that they didn't want to use padding and they are always encrypting 520 bytes which is not possible by default the files that are affected by this here you can see just an example of the office suit which is called chunk doc these are the files that are checked by this specific application like I said each and every application is responsible for doing the signature checks themselves so if you want to only check each and every application are responsible for doing those checks and these are basically all of the typical media files sound and video and stuff like that but also playing text files and playing html files affected and what is also affected are apk files so if you want to install an application you not only have the typical apk signing mechanism you have an additional signing mechanism with their self signing basically because it also checks apk files when you are trying to install those so if you want to install a valid apk file it would have to have two valid signatures from two completely different sources just to give you an impression of what they 
are actually achieving with all of this signature stuff here when you have a volume device there are two valid sources of files the government which basically controls all the files that can be distributed within the dprk and they can sign those files and they have the ultimate power of controlling what media is distributed basically what media you can open on your Wulim tablet pc the other way is that you can open files or documents for example that have been created by the device itself so you only have these two ways of sharing files if I want to for example if I have a friend with another Wulim device and he takes a picture with his camera he cannot just put it on a removable media and give it to me I am basically not able to open this file because the signature or basically the legal reference in the signature is wrong and they are really not only shutting down what is inside of North Korea at the moment like different Wulim devices and for example Redstar devices but also everything that is coming from outside of North Korea if you would want to put books or Wikipedia articles on removable media and try to import it to the dprk then you would not be able to open those with one of those Wulim tablets so all of the outside sources are basically not usable by the tablet okay so this basically wraps up our findings from Redstar we got five more minutes I have seen we would like to say thank you to a few people right here especially we would like to thank ISFING they are from South Korea it's an NGO and they are trying to get information into North Korea and these are the guys that provided us the tablet and we would like to say a big thank you to these guys and all of the guys that kind of got the tablet PC out of dprk so that helps us a lot so concerning future work we will try in the future to free some of the information that is on the tablet there are a lot of dictionaries a lot of books that you need to buy if you want to get an insight on what is happening 
or you don't get access at all we would like to free this information and make it available if you are in possession of technology from dprk and you want it to be analyzed please approach us we would be happy to be here next year with another talk on another hard or software of dprk we ourselves got some more stuff that we are looking into right now we hope to be back here next year so from this wrap set up I hope you had a little bit fun and it was informational now we can go into the questions thank you very much we have maybe two minutes for questions so really quick this microphone all right so the self signing of the Wulim basically just adds about 800 bytes to every file that it's ever created if you view it on another system then does that just make it a corrupt file is a JPEG plus 800 bytes of Wulim signature just an invalid JPEG or what does it become the file you're using for JPEG for example it doesn't corrupt the file but there may be file formats because in JPEG you have this really hard file structure where it can determine the end of the file then it's no problem but there might be some file types that could be corrupted by those bytes okay this microphone okay interesting talking did maybe I wasn't attentive but did you try to find the keys from the public television broadcast no well yes we kind of were observing the tablet itself the problem is that the media player that is on the tablet is actually not capable of doing dvbt and as I said in the beginning the device that you could see in the beginning is probably a different version of the tablet probably an older version so our version right here we could not find any crypto keys for dvbt or stuff like that so yeah unfortunately we don't have any keys for that also we could imagine that maybe that is done on the external on the peripheral not on the tablet itself so that we might not find at all keys on there and in addition to that you need to kind of get registered to get all of the additional 
hardware it's possible that they install an apk that enables you to view dvbt and that comes with the crypto keys okay one question out of those 8 gigabytes storage how much is used up by the original find system or the original OS so I would say that probably like it's not that much so probably like 6 gigabytes are probably free I will check the data usage let me see storage it's using one gigabyte so total space is like one gigabyte that is used so there is a lot of space that you can have okay we got another question from the signal angel yes there are two questions the first is are you planning to release any software dumps and do you have to smuggle the device back to North Korea I hope not for the last part like for the first part we are not going to release any dumps the problem is that the dumps will include serial numbers and fingerprints and stuff like that and that would be perfectly easy to identify the guy who leaked it to us and this is what we want to prevent for all circumstances there is one case where a guy tried to smuggle out a poster of North Korea and he went to jail for 15 years so you can imagine what happens if someone is trying to smuggle out a device like this and we want to prevent this as I said we are going to try to release some of the information that is on the tablet meaning like dictionaries like books that are stored on the device stuff like that so probably we are going to kind of go through all of this filter it a little bit and then make it available to the public because we thought that information about that stuff is really lacking right now we have one last question there seems to be quite a bit of English in the file names and code snippets and so on even in the bits that seem sort of DPRK only features do you think western developers have been involved in this project at all? 
very good question we know that DPRK is getting assistance some stuff in developing stuff and they even I think they even had like developers from Germany that were in exchange like a couple of years ago like plenty years ago we cannot state that they did all of this on their own but I would say it's perfectly feasible because what we have seen with Red Star and all the other stuff I think that they are capable in doing this so they probably don't need to have assistance I think that I turned all of this stuff to English to have the English language if you're trying to apply a watermark with Korean letters like the self-signing stuff and all of that stuff like the eight letters self-sign if you put that to Korean it would not be eight bytes anymore it would probably be more so that might be the problem that they were facing might be why they were using Latin letters okay, thank you very much please give a warm round of applause to those three guys