North Korea’s Red Star OS Borrows Kaspersky’s WAV Files, Traces Files Offline

North Korea published the latest version of Red Star back in 2013, but it wasn’t until last year that code for the state-sanctioned operating system leaked online. Some intrepid investigators have spent some time poring over the totalitarian state’s build of Linux, and they discovered some interesting things.

Niklaus Schiess and Florian Grunow presented their findings to the Chaos Communication Congress recently, and the pair told the BBC that the operating system was also “pretty good” at mirroring the basic functions and design of Apple’s operating environment.

But the really intriguing aspect of Red Star 3.0 (a vast change from Red Star 2.5, which mimicked Windows XP) is its ability to watermark any files uploaded to the system from storage devices or USB sticks, allowing the OS to trace where those files have been offline.

The German researchers, whose presentation can be downloaded in audio or video format, noted that the watermark was appended to the end of files.

Grunow told the BBC that he and Schiess also discovered a version of the watermarking functionality within Red Star OS “that is far more sophisticated, with different cryptography”. In the presentation, the pair showed how the basic watermarking could be used to track people distributing “malicious” media files.

Schiess added that, for someone who only had access to Red Star 3.0, disabling the elements of the OS (which is built on Linux) was actually quite difficult, as some of the malicious services have dependencies on each other. First you need to get root privileges, then you have to kill two “integrity checking daemons”, because otherwise the OS will reboot, and from there you can begin disabling the rest of the privacy-violating features.

Hilariously, Grunow said the pair found North Korea’s developers had stolen the warning sound from Kaspersky’s anti-virus suite. “In the older version of Kaspersky anti-virus if you find a virus, it plays this sound. It’s exactly the WAV file from Kaspersky, we verified this by doing checksums, so we have a copyright violation right here.”

But the privacy violations are the most intriguing aspect of the OS, behaviour that has been North Korea’s standard operating procedure for decades. The researchers said the watermarking, which is carried out by the in-built virus scanner, was a “wet dream for an oppressive regime” and a touch ironic given that Red Star is built on an open source platform.

“They are using a system that was built to promote free speech, and they are abusing it by watermarking free speech,” Grunow remarked to the BBC. There’s still a lot of work to do to lift the fog around Red Star 3.0, however, and those who want to contribute or just poke around can do so by checking out the researchers’ GitHub.

[BBC]