By Martyn Williams
03 March 2017
Computer security researchers analyzing a North Korean tablet computer have discovered a level of surveillance and control not previously seen inside electronics from the DPRK. If used across all tablets and smartphones, the system could significantly impact the ability of activists to send digital information into North Korea that can be viewed and shared by citizens.
The researchers from Enno Rey Netzwerke (ERNW) in Heidelberg, Germany, spent several months analyzing an Ullim (울림) tablet and presented their findings at the recent Chaos Communication Congress in Hamburg.
Ullim is the brand name given to a family of Android tablet computers that have been sold by the Pyongyang Informatics Company since at least 2014.
North Korean tablets are usually sourced from Chinese electronics companies and the Ullim analyzed is no different. It’s based on a tablet called the Z100 from China’s Shenzhen-based Hoozo; however, the communications hardware is missing from the North Korean version. This modification allows the North Korean government to have an extra level of control over who can access the domestic intranet. To get online, users need a plug-in dongle for a wired LAN, WiFi or dial-up connection.
The tablet was produced some time in late 2015 or early 2016 and runs Android version 4.4.2 “KitKat.” Google released that version in October 2013 and it was superseded in November 2014. The tablet comes with basic Android apps such as a camera, gallery and browser but none of the Google-specific apps like Gmail, Google Maps or YouTube. It came pre-installed with North Korean apps for education, cooking, games and reference.
But what is more interesting is that North Korean engineers also made four major modifications to the operating system that point to a significant level of surveillance on users and a high level of control over what content can be accessed on the device.
- Constant Surveillance
The first is a piece of software called “Red Flag.” It runs in the background and takes a screenshot every time the user opens an app. It also records the browser history, the internal identification number of the tablet and ensures that the core system hasn’t been tampered with.
If someone were to succeed in replacing a core operating system file to get around some of the security measures, the software reboots the machine, said Florian Grunow, one of the ERNW researchers.
A second app called “Trace Viewer” works with Red Flag and allows users to browse through the history recorded by Red Flag. The screenshots can be seen along with details of everything the user has been doing. This app ensures that none of this data can be manually deleted and allows the records to be exported and reviewed at a later point.
Trace Viewer is clearly provided to show users that everything they do is recorded and to remind them that anything done on the tablet can be found out by the government, said Grunow.
- Limiting Functionality to Approved Apps Only
When it comes to other apps, another addition by North Korean software developers is a white-list of apps that can be installed. Every time a user attempts to install an app, it’s checked against the list. If it’s not on the list, it cannot be installed.
“They’ve actually done a pretty decent job of locking it down,” said Manuel Lubetzki, another of the research team.
- Watermarking Files
Ullim also includes a watermarking system that was first discovered in the Red Star Operating System, the North Korean-developed version of Linux. It records the time and computer registry into a file each time it is opened. So, if a file is shared from person to person, someone in possession of the final copy can examine the watermarking data to determine how it spread from person to person. On a mass scale, this data can be used to plot entire social networks of people.
However, on this tablet, it’s of limited use because directly sharing files is impossible.
- Restricting Media Compatibility
“There is an even more advanced and even more restrictive way of controlling the media distribution within North Korea in the devices and it’s based on digital signatures,” said Niklaus Schiess, the third member of the research team.
It revolves around two security signatures: one called NATISIGN that comes from the North Korean government; and one called SELFSIGN that is generated by the tablet itself. When a user tries to open a file, the tablet checks to see if it has been correctly signed. If neither of those is present, the file cannot be opened. That means Android apps, images, movies, text files, audio files and just about anything else you can think of needs to have either been created on the tablet or come from the government to work on the Ullim.
“If I have a friend with another Ullim device, he cannot just put [a file] on removable media and give it to me,” said Schiess.
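The acceptance rule described above, as a small model added here for illustration (not code from the tablet or from the ERNW researchers). HMAC-SHA256 stands in for the real signature schemes, which the article does not describe, and the keys, file layout and all class and function names are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed key material; the real NATISIGN/SELFSIGN keys and formats are not on the page.
GOV_KEY = b"constructed-government-key"

def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 (assumption, not the tablet's actual scheme)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def signed_file(key: bytes, data: bytes) -> dict:
    """Hypothetical file layout: content plus one detached signature."""
    return {"data": data, "sig": sign(key, data)}

class Tablet:
    def __init__(self, device_key: bytes, whitelist: set):
        self.device_key = device_key      # unique per device, backs SELFSIGN
        self.whitelist = whitelist        # app names approved for installation

    def create_file(self, data: bytes) -> dict:
        """Content created on the device is signed with the device's own key."""
        return signed_file(self.device_key, data)

    def classify(self, f: dict) -> Optional[str]:
        """Return which signature verifies, or None if neither does."""
        for label, key in (("NATISIGN", GOV_KEY), ("SELFSIGN", self.device_key)):
            if hmac.compare_digest(f.get("sig", b""), sign(key, f["data"])):
                return label
        return None

    def can_open(self, f: dict) -> bool:
        """Open gate: either signature is enough."""
        return self.classify(f) is not None

    def can_install(self, app_name: str, apk: dict) -> bool:
        """Install gate as the researchers describe it: government signature AND whitelist entry."""
        return self.classify(apk) == "NATISIGN" and app_name in self.whitelist

if __name__ == "__main__":
    a = Tablet(b"constructed-key-A", {"cooking"})
    b = Tablet(b"constructed-key-B", {"cooking"})
    note = a.create_file(b"my notes")
    print("A opens own file:", a.can_open(note))
    print("B opens A's file:", b.can_open(note))
    print("B opens unsigned file:", b.can_open({"data": b"wiki dump"}))
```

Because SELFSIGN is bound to one device's key, the same file is accepted on the tablet that created it and refused on every other tablet, which is the behaviour Schiess describes.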
The system significantly curtails the use of the tablet for anything other than consumption of government-sanctioned media and files generated by the user themselves. It represents a level of information control approaching paranoia, but also mirrors the kind of controls that North Koreans have lived with their entire lives: where permissions are required to travel between certain places and where some telephone networks are blocked off from other parts of the country.
Implications for Information Flow
Taken together, the various systems and software on Ullim represent a significant barrier to activists who are hoping the greater spread of portable electronics will increase the ability of North Koreans to freely access information.
“If you do manage to get an app on there and try to install it, it won’t work because the signature is wrong,” said Grunow. “The [Android file] must be signed with the government key. Additionally, there is a check to see if the app is in the whitelist and a normal user cannot get into the code to add to the whitelist.”
“This basically finishes all of your efforts to be a normal user in the DPRK,” he said. “It’s virtual[ly] impossible.”
Unfiltered information is one of the biggest enemies of the North Korean regime so it’s no surprise that engineers have gone to such lengths to lock down the tablet.
In the recently published “Compromising Connectivity,” Intermedia reports the digital signature system was rolled out to all Android devices in late 2013, less than two years after Kim Jong Un became leader of the DPRK. The operating system update, which was mandated for all users, effectively shut off North Koreans’ ability to access any information sent on USB sticks or memory cards with these devices because the data would be missing signatures of either the government or personal keys.
Despite that 2013 move, there continue to be several high-profile attempts to send in digital information such as Wikipedia databases or other media on USB sticks or memory cards. This must raise the question: can anyone in North Korea access the digital information?
I asked Grunow to rate the job the North Korean engineers have done from the view of restricting media consumption.
“It’s the way I would have done it,” he said.
It’s difficult to tell if there are any bugs or backdoors in the software because it can’t be viewed operating on the North Korean intranet, but Grunow says his team hasn’t found any major bugs so far.
There are a few areas that merit a closer investigation, Grunow added, but he doesn’t want them made public for fear of tipping off North Korean computer scientists to possible weaknesses in the system.
These digital security systems show the North Korean government isn’t standing still when it comes to digital information and that shouldn’t be a surprise. The free flow of information is one of the greatest threats the regime faces and nothing enables it like digital networks. With increasing numbers of people coming online through tablets, PCs and mobile phones, monitoring and watching everything the population does is increasingly difficult. These controls effectively keep the sharing of most information in check and leave people to resort to old-fashioned word-of-mouth.
What’s perhaps surprising is that researchers outside of North Korea are only now starting to understand these systems, some three years after they were introduced. It points to the continued difficulty in getting information out of North Korea, particularly when it comes to complex technical information on the country’s networks. Often defectors don’t have the ability to understand in depth how something works, and that ends up being a further benefit to the North Korean government.