When I was in Pyongyang a few years ago and had access to a cell phone, I recorded a bunch of the prerecorded messages that you hear when dialing or mis-dialing numbers. I found them to be an interesting glimpse into the view of technology seen in that corner of the world, and helpfully they were translated into English for my edification. I’ve put them up here, and reconstructed the phone tree you get when dialing 999, so that the different messages can be heard in context.
One of the exciting developments at CCC last month was a talk discussing the copy protection features in the Wulim tablet produced by the Pyongyang Information Center. This post is an attempt to reconcile the features they describe with my experience with devices around Pyongyang and provide some additional context of the environment the device exists within.
As mentioned in the talk, the Wulim tablet, and most of the devices available in Pyongyang for that matter, do a good job of defending against the primary threat model anticipated: of casual dissemination of subversive material. To that end, transfer of content between devices is strictly regulated, with watermarking to track how material has been transferred, a screenshot-based verification systems for visual inspection, and technical limitations on the ability to run externally created Applications.
One of the interesting points of note is that the Wulim, and the earlier pyongyang phone from PIC implement much of their security through a system application and kernel process named ‘Red Flag’, which shares an icon and name with the protection system on the Red Star desktop system. While the code is most likely entirely different (I haven’t actually compared), the interesting point is that these implementations come from two separate labs and entities, indicating that there is potentially coordination or joint compliance with a common set of security requirements.
The Wulim was difficult for the CCC presenters to gain access to. While there were bugs allowing them to view the file system, there was no easy way to casually circumvent the security systems in place. This indicates a general success of the threat model the system was designed to protect against and shows a significant increase in technical proficiency from the 2013/2014 devices. In the initial generations of android-based hardware, most devices had an enabled recovery mode, and the security could generally be breached without more than a computer. The alternative start-up mode found at CCC indicates that the labs are still not deeply familiar with all of the intricacies of Android, and there remain quirks in its operation that they haven’t anticipated. This will likely continue, with a pattern of an attack surface area that continues to shrink as exploits are discovered and make their way back to pyongyang.
The ‘crown jewel’ for this system, it should be noted, is an exploit that the CCC presenters did not claim to have found: the ability to create applications which can be installed on the device without modification. One of the first and most effective security mechanisms employed by the wulim and previous generations of PIC android systems is the requirement that applications be signed with a lab-issued key. While it might be possible that either the security check of applications, or information about the private key might be recovered from a device, this code has likely been checked quite well, and I expect such a major lapse in security to be unlikely.
The presence of this security means that I cannot install an Application on your tablet from an SD card, computer, or via bluetooth transfer if it has not already been pre-approved. This key is potentially shared between KCC and PIC, because the stores offering to install after-market applications around pyongyang have a single list, and are willing to try adding them to systems produced by either lab.
The Wulim is a 2015-2016 model, and evidences a feeling of confidence from the labs that they’ve got the software security at a reasonably appropriate level of security, and are more comfortable opening back up appropriate levels of connectivity between devices. 2013 and 2014 models of tablets and phones were quite limited in connectivity, with bluetooth as a ‘high-end’ option only available on the flag-ship models, and wifi connectivity removed completely. In contrast, the Wulim has models with both bluetooth and wifi, as well as the capability for PPPOE based connectivity to intranet services broader than a single network.
This connectivity extends in two additional ways of note:
- First, there continue to be rumors of mobile data services being tested for broader availability within the country, and the Gateway mechanism in the wulim presents yet another clue towards how this will manifest down the road. While the wulim tablet does not have 3G connectivity, the same software stack has been seen on phones (for instance the pyongyang phone series with the most recent generation ‘2610’ released in 2015).
- Second, the same basic android system is being used for wider installations, and is on display in the science and technology exhibition center. In that context, a custom deployment of tablets with modified software have been installed in both tablet and desktop configuration (desktop through USB peripheral keyboards and mice), and are connected through a LAN-local wifi network for searching the library resources on-site.
The screenshot ‘trace viewer’ mentioned in the CCC talk is really just a file-system viewer of images taken by the same red flag security tool integrated into the system. The notable points here are that screen shots are taken at regular interval on images not in a predefined white-list, so even if new signed applications are created, there will be an alternative system were their presence can be detected even if they’ve been uninstalled by the user prior to inspection. It’s worth noting that it is more effective against the transmission of images and videos containing subversive content then against applications. Applications in android will likely be able to take advantage of screen-security APIs to prevent themselves from appearing in the list. Or, more to the point, once external code is running, the system age is typically 2-3 years behind current android and one of several root methods can be used to escalate privileges and disable the security measures on the device.
While the CCC talk indicates that images and videos can only be viewed on the device they have been created on, this was not what I observed. It was relatively common for citizens to transfer content between devices, including road-maps and pictures of family and friends. The watermarking may be able to indicate lineage, but these sorts of transfer were not restricted or prevented.
Very little underlying data was released from the CCC talk, although they indicate the intention to release some applications and data available on the tablet they have access to. This is unfortunate. The talk, and the general environment has already signaled to Pyongyang that devices are available externally, and much of their reaction to this reality has already occurred. In particular, devices are no longer sold to foreigners within the country regularly, as they were in 2013/14 – with a couple exceptions where a limited software release (without the protections imposed on locals) and on older hardware can be obtained.
The only remaining risk then is the fear of retribution against the individual who brought the device out of the country. The CCC presenters were worried that the device they have may have a serial number tied to an individual. This has not been my experience, and I believe it is highly unlikely. Cellphones with connectivity do need to be attached to a passport at the point of sale, but tablet, as of spring 2015 continue to be sold without registration. The serial numbers observed by the CCC presenters are version numbers common to the image placed on all of the tablets of that generation released.
At the 2015 Chaos Communication Congress, Florian and Niklaus presented an analysis of Red Star OS 3.0, the system which leaked online a year ago.
In their talk they provide technical backing for several observations about the system which have gained some press attention. The first is that the Operating System is designed without obvious backdoors and doing a reasonable job of security. This implies that it is aimed at a serious, internal market. The second point is that there is tracking of accessed content, also known as digital watermarking, occurring in the system. This can be seen as a malicious attempt of control over users of the system, which is the dominant interpretation made by the press. However, it’s worth pointing out that interpretation is dependent on a lot of context about how the system is used that we don’t have.
We know that RedStar is developed by KCC, the Korea Computer Center, which is one of the large government technology labs. We also know that a part of KCC’s business has been industrial contract work. They’ve run external branches intermittently, and work with foreign clients. So far, as pointed out in Florian’s talk, the only computers observed to run Red Star are some of the Publicly Internet facing servers, run in the country, like naenara.com.kp. It is not unreasonable to expect that these servers are operated by KCC as a contract service for the relevant entities.
First, I want to take a somewhat skeptical look at the purpose of this watermarking. I’ll admit that it absolutely introduces the capacity for surveillance, but I think in this case it’s a largely irrelevant point from a human rights perspective. First, this OS as far as we know is only being used in industrial settings. We’ve seen older versions of RedStar in e-libraries and show-computer-labs around the country, but so far version three has not been deployed to these semi-public machines. Computers available in stores that would be bought for personal ownership are universally running Windows, and that’s also what we see in the personal laptops of the PUST students. The Surveillance chain insinuated in the talk assumes that most machines are running the new OS, which is absolutely not the case.
Instead, we can see this development to be a reaction to two things that we know to be pressing issues in the country: The ability to clean up after viruses that have spread through an industrial network. KCC also develops its own antivirus software, and students at PUST often express concern about malware and gaining security against attacks from foreign state-level actors. This seems like a reasonable concern, given that such attacks have been admitted to. Having lineage on files passed around on USB sticks lets you find what other computers on your network have been infected. In this same vein we can see the digital watermarking as a digital auditing capability within an office, and here it is no more intrusive than the practices commonly in place in most global companies. To put this succinctly: the capability is one which we use, and know to have value – but we’re scared that it has a potential for misuse, though we haven’t seen evidence of that yet.
Recently, Joshua Stanton made the claim that this evidence of watermarking in RedStar should cause us to reconsider current academic engagement with the country. In particular, he points to a long-standing interaction with Syracuse university. The cited report on this collaboration mentions
Areas of particular interest included a secure fax program (this is now being marketed through a Japanese company), machine translation programs, digital copyright and watermarking programs, and graphics communication via personal digital assistants.
One trap this line of reasoning falls into is the common perception that North Korea is all one entity, somehow all working malevolently together to subvert whatever assistance is provided. In reality, the country like any other has many
different organizations and bureaus with different groups jockeying for power and substantial bureaucracy. The fact that the report mentions PIC, a rival computing center, is probably enough to indicate that the syracuse interaction wasn’t attached to KCC. Several other arguments can be made to separate this instance from the observed watermarking:
- The actual collaboration, as noted in the same report was on systems assurance. As a Computer Scientist, I’m willing to say that digital watermarking is not in that scope.
- Students at Kim Chaek have had a standard undergraduate computer science education, but have no exposure to linux programming. The standard curriculum that Kim Chaek graduates I’ve interacted with have had only covers programming in a windows environment.
- Digital Watermarking information is easily accessible on the internet. There’s no reason to expect that the US academics had any more knowledge or conveyed anything better than the books and online resources that KCC would easily be able to access and translate on its own.
I’m a strong believer of these arguments, and they cause me to remain in support of the syracuse-style (and PUST for that mater) interactions with university students in Pyongyang. I think there is a strong personal benefit in building these relationships. Without engagement, it’s really hard to change perceptions. These are some of the rare opportunities we have to access the future middle-class and well-connected people in Pyongyang and give them something more personal than just the evil US government to think of when they think of the US. In addition, these interactions are how the rest of the world learns about the state of technology in the country and is even able to have the conversation about whether Red Star is a surveillance tool.
A bit of background: I spoke on my research at ICOPUST2, the previous instance of this conference held two years ago, and my first time visiting the university. The conference by design is a multi-track affair covering the full breadth of academics (from computer science to agriculture) taught at the university.
This year, I acted as the session chair for the computer science track of the conference, which proved to be quite rewarding. I’m encouraged by the continued academic engagement present at the conference and occurring at the university as a whole.
I got around to taking screenshots of RedStar 3, which hasn’t really made its way onto the internet yet. It really does look mac-like, and is using a skin that as far as I can tell is custom made rather than being modified from an existing Linux theme. Apps are packaged using a mac-like folder structure as well, with ‘contents’ and ‘Resources’ folders within the application folder.