Okay welcome everybody. So we all don't know so much about the daily life in North Korea.

It's a country with a pretty secret dictatorship and the people living there are under constant

observation. Research of leaked software and hardware is sometimes the only way to look behind this curtain. And last year's Congress Florian and Niklaus lifted the fork on North Korea's

Red Star OS and its features or its surveillance features. This year they will let us know details about North Korea's latest tablet computer and please give a warm round of applause to Niklaus, Florian and Manu. All right thanks for showing up. I'm going to dive right into

the Wulim or Ulrim how it is pronounced. We don't know any Korean. We have no idea

how this is pronounced to be honest. We had like Korean people talking to us and trying to teach us on how to pronounce it. Wulim is probably like the wrongest that you can get it when you write it in Latin letters but that's not important I guess. So let's dive right into it. First of all a disclaimer. We had this disclaimer last year. We'll have it today.

We never visited DPRK so if we so most of the slides contain like words like probably or maybe. This is because we never visited DPRK and we don't know how this tablet how the technology is really used who is using it and what are like the control mechanisms to extract

data from these devices for the government for example. We just have this device and have some of our sources in South Korea. So some of the stuff that we are saying is speculation. Please bear with us that this is not possible to give you like a full blown introduction in all of that. And it's as last year not about making fun of the people in DPRK and it's also not

about making fun of the people who made this piece of software. We are not focusing on security in this talk. It's only about the privacy aspect so there are no details on security issues that might be in the tablet. This may be further research that we are going to do in the near

future but this is not the focus of this of this talk. So what are we going to talk about? We are going to talk give you a little update about Red Star OS. So there is has been a lot of work following our publication last year of Red Star OS. We will talk about the software and

the hardware that the tablet PC is made of. We will give you an introduction of all the applications or some of the applications that are stored on the tablet PC. And we actually have a live device here. So it's sitting right here. Maybe Kim Young-un is listening already. So we have one device right here that we got out of DPRK.

In the Q&A it is important that you please do not ask questions on how we exactly got this tablet PC. We will not answer them. So but we have like this full-blown device. It's sitting right there and I'm going to do a live demo. Then after that like Wulim is pretty locked down

so there is not much a user can do to kind of break out of the usual tools or applications that are installed on the device. So we had to find a way to gain access to like the whole package, all of the APKs, all of the stuff that is stored on the device. And Manuel is going to talk about how we gained access to the device. And after that we will see how the government

is able to control the distribution of media with these tablet PCs. And Niklaus is going to talk about that part. And after that hopefully we will have some Q&A. So to give you some updates really fast, there have been multiple publications concerning the security of Redstar OS. We didn't focus on the security last year so there are code executions, command injections

and even in the server version of Redstar OS there is shell shock all over the place. Then there was a cool art project that has been created by a guy who made who used the watermarks for files to create artifacts in pictures. So what he would do is like he would

take your face as a picture, create a watermark for it and then kind of disturb the picture so it becomes, it has artifacts in it. So you can visit the project interales.org is the URL. And what we also found is that we found a website which is called kooks.org.kp which is

from DPRK and it contains all of the JPEGs that you see on that website so it's out there publicly available. You can just go to the website and grab all the JPEGs and you will see that all of these JPEGs have watermarking supplied by Redstar OS so actually this is like a finding where we can see that Redstar OS is actually used and these watermarkings are existing in the

wild. We could identify six different watermarks on this website which is, which tells us that there are like six different computers where those JPEGs are kind of created, used, manipulated or whatever. Why are we doing this? So again as last year there's only some general information

available about the tablet PCs that DPRK provides and we wanted to kind of get a glimpse into the tablet PCs because we last year we identified some dead code that was laying around in Redstar OS and it was not used by the watermarking and we thought last year that there might be some

more sophisticated, more advanced watermarking and this is exactly what we found in the tablet PCs. So again as I said Wulim kind of is the name of the tablet PC. If you translate it, it translates to Echo. If you put this into Google Translate, it translates to something completely else. I have

no idea why but I think it translates to Ring or something but Echo is probably the real name if you want to translate it and it's also a name of a waterfall in DPRK. There are probably four, at least four tablet PCs out there in DPRK. We have hands-on for three. There is another one

which is called after a mountain in DPRK and it's called Mysterious Fragrant. So it's probably, they basically name all of their pieces of technology after stuff in the nature I guess. If you do some small research or some research on the device, you will find out that the

manufacturer that is doing the hardware is not coming from DPRK. It is a Chinese manufacturer and it is actually selling this piece of hardware, just the plain hardware with a stock android on it probably under the name of Z100 and it's a Chinese manufacturer and the product sell from 180 to 260 euro which is like a good price for the technology that is behind the

tablet PC but you can imagine that 260 euro is pretty much for someone sitting in DPRK and wanting to buy a tablet PC. So probably those tablet PCs are not meant to be like for the whole public. It's probably only a few people that have access to those tablet PCs

but this is speculation. The software that is running on the tablet PC is coming from DPRK. So what they did is basically they used an android SDK to develop an android for their tablet PC and then put some interesting services and interesting applications into the tablet PC.

So we are going to give you a product presentation. Well we are not going to give you a product presentation but DPRK is actually doing this. Can you switch the audio to the laptop please? So the subtitles are not coming from the original video. The subtitles has been

added by a guy from South Korea who was helping us out. So this is the official commercial for Wulim. Okay so this was an original video. So we didn't do this video or something.

This was really an original video that also is on the tablet PC. I will shortly go into a few points out of the video because they seem pretty important to me. First of all don't drive and watch TV. That's a bad idea. Second of all if you closely look at this device you will

see if you know the original device that it's probably a different type. Although it is the same kind of brand. So down right in the corner you can see like that is Ulrim and also on the back of the tablet is the same are the same letters. So we are pretty sure that it is like from the

same series or whatever but it is not the same hardware as you can see right there. So probably there are multiple tablets that are running under this brand. This is important to know. The next thing which is quite interesting is that they provide rapid updates which is something that if you're in the Android world not that common which I find like this is pretty amazing

and good. The second thing is they have a free warranty service which is also pretty convenient. So that's also a nice service I would say. And one of the most important parts is that if you this is not going into like the tablet PC itself but it gives you some clues about how infrastructure is working in DPRK. So they are actually offering a DVBT

broadcast on the tablet PC. So you can buy or rent or whatever get a dongle and then have like 20 cables connected to it. So it's a little bit like Apple. And then you can view a DVBT on your device and this even sells as a feature that they say you will not be able to view

any other stuff than just our own. And this is pretty interesting because if we're going back to Red Star OS and we had I don't know if you've seen the talk but we had an antivirus scanner who was not antivirus scanning at all. It was doing something completely different and we thought like they are like tricking users. They just say this is an antivirus

scanner to do something else under the hood. But if you see this then they're basically saying we want to prevent that you see the malicious stuff from outside. So they are selling this as a feature. So it's not like they're trying to trick the people. They are saying like we are going to encrypt our TV broadcasts and you will only be able to see our stuff so there is

no danger from the outside coming to you. And this is pretty remarkable I think. Okay if we're going to the architecture itself let's take a quick look at the hardware. It's an allwinner A33 system on a chip. It comes with 8 gigabyte of flash and it has a microSD port and a power plug to charge the tablet. It has a not so responsive touch screen to be

honest. So if I'm going to do the live demo I probably fuck some stuff up and like tap on the wrong things and sometimes it happens sometimes it won't. So it's a bit random. So bear with me if it takes a while to open some of the applications. And if you just get the

tablet by itself there are no communication ports at all. So there is normally if you buy like your usual allwinner A33 system on a chip with a board that comes with a board you probably have another chip that has like Bluetooth, Wi-Fi and all of the other stuff that you need in a normal tablet PC. On this device this has been either soldered off or it never made it to

production. So the board does not contain any communication hardware itself. You always have to buy or rent adapters that you can plug in to use the stuff. And as you could see in the

normal networking capability or DVBT it also has HDMI and there goes the problem. This does not have HDMI which is why we cannot connect it to the to the screen. But there in the commercial you could see that they just plug in a micro HDMI or mini HDMI and then you can basically

hook it up to any HDMI device. So with this device it's not possible unfortunately. So we will have to do this projector thingy right there and I hope it will turn out fine. Okay concerning the software perspective there's an Android 442 running with an for Android 442 kind of up-to-date kernel. It was built the build date goes back to September 10th 2015 so

it's pretty new. I think we got it four months ago or something like that so at the time that we were starting the research it was actually pretty new. Looking at the pre-stalled applications it's just your usual Android stuff but without the Google stuff obviously. So there is not

like a Play Store or something and no Google Maps or whatever that has all been stripped out and you basically have just a basic functionality plus some applications from DPRK. Can I have the tablet on the big screen please for the demonstration? Should I show the video again

to kind of get over the... yeah thanks. Okay so this is the tablet PC itself. This is the default background that you see right there. If I move the tablet around a little bit you might see that there are some cables coming out on one side. This is because we tried to find debugging ports. We didn't find any we just started debugging the LCD and stuff like that

but just so this is not really working so but if you are having questions afterwards these cables are just coming out there and doing nothing right now. Okay so let me show the tablet PC real quick. So the problem is that some of the applications have a serial ID that

is mostly shown on the splash screen which is and we don't know why the serial ID is there. It could be that it's just like a versioning number for the applications but it could also be a way to track who has which APK installed on the tablet and to prevent the guy getting into troubles who kind of leaked this tablet PC I'm going to pull out the tablet PC, open up the

application, see if there's a serial number and put it back just to be sure. Okay so I'm going to pull it out and in again and you know that this is not like we're tricking something this is just because I want to make sure that no serial IDs are shown on the screen. Okay so the first

thing that I'm going to show you is an overview over the applications. These are the applications that are in a factory reset mode so this comes with the application or with the with the tablet itself. You have like your usual stuff like the camera you can see right there a file browser. I'm going to go into the settings you can see that there is Ethernet

modem stuff like that. If I scroll down a bit you can see some of the applications running there is even flash as you can see right there. Flash is probably we don't know if it's really flash but it makes sense because some of or most of the applications or the websites

of DPRK are using flash to show videos and deliver remote exploits so that totally makes sense. Okay if you scroll down a bit you can see like your usual applications and archiving application and this red flag thing which is pretty interesting. Okay so next thing I'm going to

show you is the security stuff and the certificate authorities that are installed on the tablet. There are not so many that's all of them basically and they are all from DPRK so you should bear this in mind if you get like a device like this and start browsing you probably

will be man in the middle totally when you're using this in DPRK internet or intranet. Okay the next thing interesting is maybe the browser so looking at the browser there is an XSS right there it's just a normal browser you can like do some see some files on the hard drive some of them what you can do is go to the favorites and see like the bookmarks

that that are already there if you look at the bookmarks there are probably most of them are internal websites so if you click on them you see that the URL is actually an IP address and if you check on all of them you see that they are all internal IP addresses and these go

perfectly go into the address space that DPRK has especially these ones right there. The tablet PC if you hook it up to Wireshark and let it run is even making some outbound connections to IP addresses that go into this network segment we don't know what what it is doing or what it is trying to get from there maybe the rapid updates that's a probability

I don't know exactly so there's also a camera I'm not going to turn on the camera and take a picture of you so Kim Jong-un can see what we're doing right here I'm going to leave this out the next thing I'm going to show you is a game which is Robo Defense I don't know if you

know Robo Defense it's perfectly available in the Play Store for Android and if you start the game then you might recognize that it is really drag and drop yeah that it is really the

kind of the original version of this game and what they did is basically they adapted a few things especially for language settings and made a new splash screen and adapted a new splash screen so if you decompile this thing you will see that it is perfectly fine the one from the Play Store at least in parts so there might be a copyright violation right here I'm not sure about this

okay what else do we have another thing that I found pretty interesting is that there is an application that enables kids to learn how to type with a keyboard that's pretty nice actually

so you have your settings I'm just typing random theme I don't know what what it says right there and then you can like start to hook up a USB keyboard to the tablet and let the kids kind of type to learn how to type on the keyboard which is actually quite nice okay what else do we have yep so concerning writing there is also a full-blown office suit on the tablet itself

and with office suit I really mean office suit so it lets you kind of create powerpoint presentations and stuff like that and it really works and we would love we would have loved to

do the presentation with this tablet pc but unfortunately we cannot hook it up to to hdmi so that was not possible at all okay what do we have we have a lot of propaganda obviously installed on the tablet pc so there is one application that is coming even out of red star

and it is basically the encyclopedia and shows the writings of all of the leaders from dprk and you can see what they have written exactly so another interesting thing is is there is a lot of educational stuff on the tablet pc so there is one application that is basically a technological

dictionary so you can like find information about technology and you can also there are dictionaries installed that lets you look into other science areas as well okay another

one which is pretty interesting and maybe I would like to have your so I need to kind of come up with a hack right here probably so give me a second there we go all right

so I'm going to start this application again and if you see the splash screen please shout to me on which game this kind of reminds you yes I don't know if it's simcity but when I

started the application the first thing that came to my mind is this looks like simcity and what this application is doing actually it is an architecture program so you can basically plan houses plan cities with this thing and actually kind of really do the architecture of your future house or whatever with it it even comes with an auto ced a plugin so you can use

it like the stuff that you create right there you can reuse it on your windows pc if you have like a ced program right there probably everything with copyright and stuff like that in the right place what else do we have there is a cooking application on it there are a bunch of more of

games on it and then there is one or two pretty interesting things that came to our attention when we used the tablet for the first time so if you start the application right here trace viewer that is a pretty interesting thing because if you start it then you will see that it gathers

screenshots so what it does is there is a process in the background that is actually once you open up an application it's going to take a screenshot of the application and it's going to store it in a secure way and the only thing that you can do with this trace viewer is basically see your browsing history and see the pictures of the applications

that and the contents that you've started so from our perspective this is like a clear indication that they're going to tell you we know what you're doing so we see what you're doing you don't have any chance to delete any of this stuff but we see what you're doing and you cannot get rid of this information the next thing which is pretty interesting is

if you try to open up a file on the the tablet then you're probably not able to open any of the stuff that is coming from outside and this was the thing where we thought we need to go

into detail what is happening right there and and we thought this is a pretty powerful mechanism so if you just try to open one of those fine okay in this case it's working that's bad because i created this file on this tablet if i'm going to open up another file like this one and you will see this message this is not signed file okay so obviously there

is some signing mechanism on the device that prevents us from opening arbitrary files okay can i go back to the computer please can i have niklaus's password please or should i ask him do you have an auto erase after like

10 times entering the wrong password okay so much for the application demos i have two

more applications that i cannot show on the tablet pc for reasons but i'm going to show you with some of the screenshots so the first thing which is very very very interesting is that there is a tool called nak installed on the tablet pc and it is probably used to get connection to the internal intranet of uh dprk you can choose like three options dial up with

the modem going via a local area connection or going over the internet or whatever it uses pana which is like i've never seen this in the wild wire shark knows the protocol i've never seen this so far you need to supply login credentials and then you can choose for different

access points depending on the city that you're in so you can choose like a network access when you're in pyongyang for example enter your credentials and probably get hooked up to the local internet of dprk the next one which is quite interesting and is running in the background is red flag this tool is the one that is taking the screenshots in the background it's also

logging the browser history and it is responsible for grabbing the ima imz and the android id so there is no sim card installed right here probably this is an indication that the same algorithm or the same mechanism is running on the smartphones that dprk is providing it also is copying some key material around and it's doing some basic integrity checking of

the system and if these integrity checks fail the system will be rebooted or shut down in addition there is a whitelist for applications so you even if you would be able to install applications on the thing then the whitelist will kick in and will not let you allow to install the application so this is an incomplete list i have highlighted some of the the the most

interesting parts like angry birds you see at the top or the robo defense down at the bottom so probably we have some copyright infringements there so the last thing that you've seen is obviously not a black box analysis anymore you have seen that there is like source code that

we could decompile so we could gain access to the device and manual is telling you on how we achieve to gain access to the device okay can you hear me yes all right well as florian gave

you more of an overview of what you can do as a user with that tablet i'm going to get a little bit more technical but i try to keep it as understandable as possible without losing too detail as researchers we of course wanted to know well what goes on on there what is that

thing actually doing and how is it achieving such mechanisms that prevent you from opening arbitrary files but to find that out we needed some kind of in-depth analysis but to perform an in-depth analysis you'll somehow need data the data from the tablet and i'm going to show

you how we got to that data and in the process of doing so you'll probably get a good impression of what they do to prevent someone from tampering with their system integrity and yeah what we finally needed to achieve is either get a memory dump of the whole tablet or we need privileged code execution on that tablet and how did we do that that's what i'm

showing you because actually they did a pretty decent job in locking that tablet down at first we tried the obvious things like is there adb enabled no it wasn't can we enable it no we

couldn't are there the developer options you know them you press like five times the build number of android and then boom you're a developer and you can do like advanced configuration no they also disabled that can we install arbitrary apk files no flowy and always show that to you

if you try to install any apk file like a terminal emulator that would help us executing arbitrary code that didn't work you need to have assigned apk then we turned that thing off and pushed like every button combination that we could imagine to find out if there's a

that wasn't possible then we got a little bit more creative we tried to find file open dialogues in all kinds of applications because we thought in the file manager you can you can only access certain files that are locked to one directory so if we can find

like applications that have file open dialogues we might be able to traverse directories and get access to system storage and that is actually possible there are some applications that are implementing their own file open dialogues and then you can access files from the system but

still you're very limited in the files that you can access like you can only access certain file types like dot txt files and you won't find a lot of important system critical information on a linux device that is stored as dot txt also if we manage to do so we still need to repeat the android sandbox somehow because

usually on an android device an application is sandboxed so you can't just access any arbitrary system file we also tried attacks via archives like classical zoom link attacks or directory traversals but they weren't possible as well we found an application that had a configuration

file that was not signed and that contains something that looked like shell command parameters but it turns out that either they ain't or we couldn't exploit that interesting note we found an application on there tetris and that application was

coded by some kind by some chinese guy we don't know but we found the source code for that on github and it's actually the same source code so they just saw that from github and installed that to their to all of their tablets and as we got the source code we could perform like a more advanced kind of attack against that and we noted that it was writing i think it was

something related to the score as a serialized java object to the sd card and it didn't check for any signature so that was the way we might be able to get in there but it turns out on android that's a more complex thing and didn't work out in our case as we saw that they implemented

their own office suit we all know those attacks like xls macro injection we also tried that but no that didn't work out as well that's only an excerpt we tried a lot of more things but what came to our minds was someone must have thought about that someone does not want that

we tamper with their system and i mean on what you can see in nicholas part that's that's possible so let's take a step back we all know that there are vulnerabilities in android and if you follow the android security bulletins you'll notice that like almost every month they're popping up

new code execution vulnerabilities why can't we use one of those like like one of the famous ones stage fright for example while that's in theory possible in practice it's quite hard to achieve because with this would be like black box exploiting in such a situation you usually

have a device at hand on which you can attach a debugger and search like for aslr bypasses or rob gadgets and we couldn't do so because we only got one tablet and that wasn't pre-routed what you can do in such a situation you can perform an attack on the hardware level

like from what the circuit board looked like and what we knew about the tablet and from the complexity that would be involved it seemed probable that they don't use any kind of trusted platform module or other way to secure their boot process so there might be a good chance that we just open up the case dump or pop off the the storage and dump that using whichever

protocol we need to do that well that is an option that might also lead to success but suppose you're me and you're more like that software guy rather than the hardware guy well give me a soldering iron and chances are that i'll mess this up it might be that you're

up with a brick and considering that that is a very valuable device and to get your hands on such a device it's not a feasible option at least not for us even if you're more skilled in like soldering than me chances are that that the chip might get too hard for only too little

and you're screwed up we turned back to the internet and we thought we might find another way to to access the storage and after searching about the architecture after we popped open the

case we could see what chips it is using we found the a33 system on a chip and what we also found is this tool this was half in english half in chinese so we pressed some buttons and were had not really an idea of what we were doing but it was supposed to give you a bootable

image that you just that you just could burn onto an sd card and plug into your device and just boot it up and we thought like no that is not gonna work that would that would be one of the first things you turned off and we plugged in the sd card and that actually worked well

we thought why why did they do that then why did they all these hardening mechanisms we found in the first place it doesn't make sense we can only speculate about that but there are

some pretty satisfying explanations well one would be they just forgot it but we don't think so um it could be that this is a feature of the system on a chip that the system on a chip is by default booting from sd card if you do not cut certain hardware lines and if they just bought the hardware from a chinese manufacturer it might be too complex to cut those hardware

lines or reprogram the system on a chip so maybe that's an option and if you think again about it it's not really contradicting their security concept because what is the thing they need to defend against they need to defend against a north korean trader or something

who would be inside of north korea and try to do this and imagine you're imagine you're sitting in north korea and try to access that tool with your internet access constantly being monitored or no internet access at all i think that's kind of difficult and that's probably the reason they did

that still as we get code execution we weren't done yet because we booted up that image and it was a functioning linux kernel but it had no way of accessing the memory there was just missing a driver well what could we do for one we could just plug in our logic analyzer and

analyze what is that thing talking over the wire but that would still involve touching the hardware and we decided not to do so so we could also try to get hands on the data sheets that were that are for this for this kind of flash storage we hadn't that at hand and implementing

your own driver based on the data sheet sounds like a time-consuming process so we went with another option our option was we thought it cannot be the case that they manufactured the manufacturer they bought that from a whole new tablet with completely new hardware they never used before at that point in time we didn't knew it was the z100 we thought there must be

a different tablet which uses almost the same architecture and maybe that one has a functioning driver so we went to the internet again and this is what we found it's a tablet for like at the point of time we bought it was like 30 bucks and we thought well 30 bucks

nothing can go wrong with that and we bought it like two of them and lucky for us they came already pre-routed so we just could plug in adb and like dump all its contents and we were done we took the kernel and the kernel driver for the storage and put that on the external

sd card we used to boot and first we plugged it in our fake or in that tablet and that didn't work out quite as easy because the way the driver tries to find out how to talk to the storage controller but after putting that into IDA and reverse engineering the driver we eventually managed to find how we could talk to that storage controller the question was

would that be working on the DPRK tablet so we plugged it in and booted it up and it actually did work this is the memory dump of the of the internal NAND storage and you can see from the

partitions that it's using it's quite a normal android device it's like has a bootloader partition containing the bootloader it has a boot partition containing the default kernel and it has a system partition for some binaries a data partition for the applications and a recovery partition we couldn't trigger and now we really could start doing our analysis and that is what

Niklas is going to tell you thanks um so okay um if some of you guys probably saw saw our talk

last year on red star s um there we found some really interesting features regarding the privacy evasion of those operating systems as soon as we got access to the device we were curious if there might be some similar mechanism or probably something that is even worse like this mechanism on the tablet and as soon as we were able to access most of the libraries

and then we saw there are actually two mechanisms on the volume devices one of them is basically a watermarking mechanism which is most likely the same one as in red star s it even looks like it's just a refactored version of two components in the red star s operating system

and it's doing basically the same watermarking and we didn't saw any code that is actually using this library so um the the active operating system what we saw there is not actually watermarking any files in terms of the watermarks like in red star s but it actually has the

code there and we think that it might be just for compatibility reasons what was more interesting is that there is an even more advanced and in an even more restrictive way of controlling the media distribution within north korea on the devices and it's based on digital signatures

just a quick recap of what we were talking about last year what you're seeing here is a hex part here is basically the encrypted form of the plain text that you're seeing below and this is basically just a watermark that allows you to identify a specific red star

installation and just if you're curious if you want to get to know how it's working there are actually good decryption tools in this repository but it's really really simple it's not rocket science how it's working but when you're doing this in the wild basically when you have the original file at the top and the red part here is basically the end of the actual image as a jpeg

file and as soon as the user is getting for example if it's on a removable media device and you're plugging it into a red star s system then it depends some bytes at the end of the file if you're giving this file then to another user running red star s there are even more files at the end of the jpeg and what you're seeing here the green part is basically the watermark

that identifies the first user and the orange watermark identifies the second user what is quite interesting here is that when you are seeing this from a government perspective just to give you an impression and when you're having a normal jpeg image and you're having

it on one red star s system put it on a removable media give it to a friend or whatever someone that you're affiliated with and it will apply the watermark of the second system if you do it again then with your third friend or like-minded people then the image

will actually contain references to all three operating system instances if then the government gets access to for example the system of the third user and gets access to this jpeg file and they want to know okay what is the source of this file and who has had access to this file

then they are basically able with this single file to track down dissidents or traitors or whatever because it allows you to reference all the users that had access to this file and what you then could do if you do this on a large scale like in a complete country for example it allows you to connect social networks it allows you to connect connection between

dissidents connections between traitors and what it then allows you is not only shut down users where you for example had access to a system and you found this file you are also able to shut down the sources of those files so for example users that create files or users that import

files from outside of the country and you are basically able then to shut down to complete all the connections then routine those suspected people what william does william is way more restrictive than what red star was doing it can actually do the same thing as red star is done

but on top of this there is another more restrictive way of not only tracing the distribution of media but the the goal of william is to basically prevent the distribution of media and this is quite interesting how they are doing this and it's really effective what they are doing

so what it's what they are doing basically is use cryptographic signatures and the government has control over those signatures and if you are controlling the signatures if you are able to sign files and if you are the only entity that can sign files then you have to complete control over all media sources and what is what should be noted here is that compared to red star

which had just implemented the most functionality into a kernel module that just hooked the system calls and in william all of this is explicit so each and every application has to do own signature checks it's not the operating system itself that provides this functionality the

operating system is just providing a library but each and every application is responsible for the signature checks these are done basically with a native library in java so each and every application can use this native library from within the java source code

and the package is actually called government no media which is quite interesting it's actually called when you are for example opening a file in when what what we saw the office suit when you're opening a file then it's basically doing some license checks so the functions are more or less concealed like license checks when you're opening files or when you're saving

files then there are in the background calling these functions in those native libraries william provides two ways of signing files these are referred to in the code as snotty sign basically called nation signing which are signatures by the government and there are

self-signed signatures which are done by the devices themselves if a file doesn't have a proper signature then all of these applications that are doing signature checks will prevent you from opening those files and this is a quick example of how one of those native libraries

looks like you have some basic functions that allow you to get some information of the file of the of the device which are used then to put into signatures or check the content of existing signatures and basically provide you these easy functions like is it a valid signature or not because all of the the rest of the code should should do the stuff like print if the

file cannot be opened and this is quite interesting because there are some applications that just have different error messages for the same situation so this is not the library but all the applications here's a quick list of most of the applications that are doing these signature checks so you

can get a brief overview of what they are really focusing on when it comes to the files that they are really interested in just some quick words about the nation sign and the code mostly also refers to it as government signing it's basically an RSA signature with a

2048-bit RSA key and the public key is just stored on the device the private key is held by the government and in addition to the signatures it just does a lot of obfuscation work so also on a bit level it's trying just to shift some bits we think that it's just doing

this to make it harder to sign the file the file stems yourself but it's nothing really from a security point of view it's it doesn't make any difference what we focus more on is the self-signing mechanism because it looks a lot more interesting because the the nation

signing is basically an RSA signature self-signing is a combination of symmetric encryption so there's some part that is just encrypted what is notable here is that it's Rishan there it's the basic algorithm behind AES but they were not using AES they were using a really specific

form there because they're not only using 256-bit keys but also 256-bit blocks so they are always encrypting 32 bits bytes at a time which is not possible with AES they are also doing RSA signatures and what they are basically doing is create a signature over the hash of a file

so they just mostly they have code for sha 224 but they are mostly using 256 bits there's also a file called legal ref dot dot on the file we saw this red flag application this application is responsible for reading the emi and the emcee of the of the device

and also the android id these will be stored in this legal ref file which is basically a legal reference of each and every device this is like basically the the same thing a little bit more advanced but the same thing like in red star s with the watermark here you have a legal

identity how it's referred in the code and this is also included in the signatures it's not only a signature of the file itself but it also always puts your identity into those files so this is also quite similar to the way red stars watermarking files it's only implemented basically to allow you to create files on the device itself and open

those so you have a camera on the device you can take pictures there and you are basically able to open those pictures on your own device a signature technically it looks like this signatures are fixed i have a fixed size of

792 bytes and so even if you are creating a text file with a single character it will always append 792 bytes to the file if you open it with the for example text editor you will never see the signature because it's responsible for checking it and removing it again from the file when you open it but the top part here is the rsa signature of the of the hash of the

file and the green part is encrypted and the most interesting content here is your mz and emi of the device the rest of it is basically just null bytes and they have

implemented they have not implemented it with padding and they are using kind of like ezp mode but they have like really at the end of the files it's quite interesting what they have implemented but i think it's just they didn't want to use padding because they're always encrypting 520 bytes which is not possible by default and the files that are affected by this here you can see

just an example of the office suit which is called chunk doc these are the files that are checked by this specific application like i said each and every application is responsible for doing the signature checks themselves so if you want to only check specific application types then you

as an application are responsible for doing those checks and these are basically all of the typical media files sound and video and stuff like that but also playing text files and playing html files are affected and what is also affected are apk files so if you want to install an

application you not only have the typical apk signing mechanism you have an additional signing mechanism with their self-signing basically and because it all also checks apk files when you're trying to install those so if you want to install a valid apk file it would have

to have two valid signatures from two completely different sources and just to give you an impression of what they're actually achieving with all of this signature stuff here when you have a volium device there are two valid sources of files

you can have the government which basically controls all the files that can be distributed within the dprk and they can sign those files and they have the ultimate power of controlling what media is distributed basically what media you can open on your volium tablet pc the other way is that you can open files or documents for example that have been created

by the file by the device itself so you only have these two ways of sharing files if i want to for example if i have a friend with another volium device and he takes a picture with his camera he cannot just put it on a removable media and give it to me and i'm basically not

able to open this file because the signature is or basically the legal reference in the signature is wrong and they're really not only shutting down what is inside of north korea at the moment like different volium devices and for example red star devices but also everything that is coming

from outside of north korea if you would want to put books or wikipedia articles on removable media and try to import it to the dprk then you would not be able to open those with one of those woolen tablets so all of the outside sources are basically not usable by the tablet

okay so this basically wraps up our findings from red star we got five more minutes i've seen we would like to say thank you to a few people right here especially we would like to thank is fink they are from south korea is an ngo and they are trying to get information into north

korea and these are the guys that provided us the tablet and we would like to say a big thank you to these guys and all of the guys that kind of got the tablet pc out of dprk so that helped us a lot yeah so concerning future work we will try in the future to free some of the information

that is on the tablet there are a lot of dictionaries a lot of books that you need to buy if you want to get an insight on what is happening or you don't get access at all we would

like to free this information and make it available if you are in possession of technology from and you want it to be analyzed please approach us we would be happy to be here next year with another talk on another heart or software of dprk we ourselves got some more stuff that we

are looking into right now we hope to be back here next year so from this wraps it up i hope you had a little bit fun and it was informational now we can go into the questions

thank you very much um we have maybe two minutes for questions so really quick this microphone all right so the uh self-signing of the woolen basically just adds about 800 bytes to every file that it's ever created uh if you view it on another system then does that just make

it a corrupt file is a jpeg plus 800 bytes of woolen signature just a an invalid jpeg or what does it become um it depends on the file you're using for jpeg for example it doesn't corrupt the file but there may be file formats because in jpeg you have like this really hard

file structure where it can determine the end of the file then it's no problem but there might be some file types that could be corrupted by those bytes okay this microphone yeah okay uh interesting talk indeed uh maybe i wasn't attentive or it was surely not in your scope but did you ever try to find the keys from the public television podcast uh yeah no well yes

we kind of were observing the tablet itself the problem is that the media player that is on the tablet is actually not capable of doing dvbt and as i said in the beginning the device that you could see in the beginning is probably a different version of the tablet probably an older

version so our version right here we could not find any crypto keys for dvbt or stuff like that so um yeah unfortunately we don't have any keys for that also also we could imagine that maybe that is done on the external on the peripheral not on the tablet itself so that we might not find it all keys on there and in addition to that you need to kind of get registered to get

all of the additional hardware it's possible that they install an apk that enables you to view dvbt and that comes with the crypto keys okay one question um out of those eight gigabytes

storage how much is uh used up by the original file system or the the original os so i would say that uh probably like it's it's not that much so probably like six gigabytes

are probably free i will check the data usage let me see storage um it's using one gigabyte so total space is like one gigabyte that is used so there is a lot of space that you can have okay thank you

Another question from the Signal Angel. Yes, there are two questions. The first is, are you planning to release any software dumps? And do you have to smuggle the device back to North Korea? I hope not for the last part. Like, for the first part, we are not going to release any dumps.

The problem is that the dumps will include serial numbers and fingerprints and stuff like that. And that would be perfectly easy to identify the guy who leaked it to us. And this is what we want to prevent for all circumstances. There is the one case where a guy tried to smuggle out a poster of North Korea and he went to jail for 15 years.

So you can imagine what happens if someone is trying to smuggle out a device like this and we want to prevent this. As I said, we are going to try to release some of the information that is on the tablet. Meaning like dictionaries, like books that are stored on the device, stuff like that.

So probably we are going to kind of go through all of this, filter it a little bit and then make it available to the public. Because we thought that information about that stuff is really lacking right now. Okay, we have one last question. Hi, there seems to be quite a bit of English in the file names and code snippets and so on.

Even in the bits that seem, let's say, DPRK only features, do you think Western developers have been involved in this project at all? Very good question. We know that DPRK is getting assistance for some stuff in developing stuff.

And I think they even had developers from Germany that were in exchange like a couple of years ago, like plenty years ago. We cannot state that they did all of this on their own. But I would say it's perfectly feasible because what we have seen with Red Star and all the other stuff, I think that they are capable in doing this.

So they probably don't need to have assistance. I think that like I turned like all of the stuff to English to have like the English language. If you're trying to apply a watermark with like Korean letters, like the self-signing stuff and

all of that stuff, like the four, the eight letters, self-sign, Nati sign and stuff like that. If you put that to Korean, it would not be eight byte anymore. It would probably be more. So that might be like the problem that they were facing. And that might be why they were using Latin letters.

Okay, thank you very much. Please give a warm round of applause to those three guys.