0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/658 Thanks! 1 00:00:13,590 --> 00:00:15,510 OK. Welcome everybody. 2 00:00:22,450 --> 00:00:24,789 So we all don't know 3 00:00:26,180 --> 00:00:28,279 so much about the daily life in 4 00:00:28,280 --> 00:00:29,280 North Korea. 5 00:00:31,150 --> 00:00:33,489 It's a country with a pretty 6 00:00:33,490 --> 00:00:34,869 secret dictatorship 7 00:00:35,920 --> 00:00:37,179 and the people 8 00:00:38,350 --> 00:00:41,110 living there under constant observation. 9 00:00:43,890 --> 00:00:46,889 Research of leaked software and hardware 10 00:00:46,890 --> 00:00:49,139 is sometimes the only 11 00:00:49,140 --> 00:00:51,479 way to look behind this curtain. 12 00:00:52,810 --> 00:00:54,640 And at last year's Congress, 13 00:00:55,780 --> 00:00:58,149 Florian and Nicholas 14 00:00:58,150 --> 00:01:00,639 lifted the fog on 15 00:01:00,640 --> 00:01:03,279 North Korea's Red Star OS, 16 00:01:03,280 --> 00:01:05,559 and its features are its 17 00:01:05,560 --> 00:01:07,569 surveillance features. 18 00:01:07,570 --> 00:01:09,849 This year, they will 19 00:01:09,850 --> 00:01:11,919 let us know details about 20 00:01:11,920 --> 00:01:14,739 North Korea's latest tablet computer 21 00:01:14,740 --> 00:01:17,139 and please give a warm round of applause 22 00:01:17,140 --> 00:01:19,269 to Nicholas, Florian 23 00:01:19,270 --> 00:01:20,439 and Manu. 24 00:01:28,420 --> 00:01:30,519 All right. Thanks for showing up. 25 00:01:30,520 --> 00:01:33,519 I'm going to dive right into 26 00:01:33,520 --> 00:01:34,899 the limb 27 00:01:34,900 --> 00:01:36,159 or limb 28 00:01:36,160 --> 00:01:38,409 or limb how it is pronounced, we 29 00:01:38,410 --> 00:01:39,969 don't know any Korean. 
30 00:01:39,970 --> 00:01:42,099 We have no idea how this is pronounced, 31 00:01:42,100 --> 00:01:43,149 to be honest. 32 00:01:43,150 --> 00:01:45,249 We had like Korean people talking to us 33 00:01:45,250 --> 00:01:46,539 and trying to teach us on how to 34 00:01:46,540 --> 00:01:48,189 pronounce it. 35 00:01:48,190 --> 00:01:50,319 Woolim is probably like the wrongest 36 00:01:50,320 --> 00:01:52,479 that you can get it when you write it 37 00:01:52,480 --> 00:01:53,649 in Latin letters. 38 00:01:53,650 --> 00:01:56,229 But that's not important, 39 00:01:56,230 --> 00:01:58,419 I guess. So let's dive 40 00:01:58,420 --> 00:01:59,439 right into it. 41 00:01:59,440 --> 00:02:01,119 First of all, a disclaimer, we had this 42 00:02:01,120 --> 00:02:02,049 disclaimer last year. 43 00:02:02,050 --> 00:02:03,729 We will have it today. 44 00:02:03,730 --> 00:02:05,319 We never visited DPRK. 45 00:02:05,320 --> 00:02:07,479 So if we so most of 46 00:02:07,480 --> 00:02:09,159 the slides contain like words like 47 00:02:09,160 --> 00:02:11,679 probably or maybe. 48 00:02:11,680 --> 00:02:13,389 This is because we never visited the DPRK 49 00:02:13,390 --> 00:02:15,609 and we don't know how this tablet, 50 00:02:15,610 --> 00:02:17,739 how the technology is really used, who is 51 00:02:17,740 --> 00:02:20,079 using it and what are 52 00:02:20,080 --> 00:02:22,239 like the control mechanisms 53 00:02:22,240 --> 00:02:24,639 to extract data from these devices 54 00:02:24,640 --> 00:02:26,319 for the government, for example. 55 00:02:26,320 --> 00:02:28,359 We just have this device and have some of 56 00:02:28,360 --> 00:02:29,979 our sources in South Korea. 
57 00:02:31,000 --> 00:02:32,979 So some of the stuff that we are saying 58 00:02:32,980 --> 00:02:35,139 is speculation. Please bear with us that 59 00:02:35,140 --> 00:02:37,029 this is not possible to give you like a 60 00:02:37,030 --> 00:02:39,129 full blown introduction 61 00:02:39,130 --> 00:02:40,539 and all of that. 62 00:02:40,540 --> 00:02:42,639 And it's as last year not about making 63 00:02:42,640 --> 00:02:44,709 fun of the people in DPRK, 64 00:02:44,710 --> 00:02:46,689 and it's also not about making fun of the 65 00:02:46,690 --> 00:02:48,819 people who made this piece 66 00:02:48,820 --> 00:02:49,820 of software. 67 00:02:50,620 --> 00:02:52,449 We are not focusing on security in this 68 00:02:52,450 --> 00:02:54,859 talk. It's only about the privacy aspect, 69 00:02:54,860 --> 00:02:57,099 so there are no details on security 70 00:02:57,100 --> 00:02:59,019 issues that might be in the tablet. 71 00:02:59,020 --> 00:03:01,419 This may be further research 72 00:03:01,420 --> 00:03:04,029 that we are going to do 73 00:03:04,030 --> 00:03:05,859 in the near future, but this is not the 74 00:03:05,860 --> 00:03:07,809 focus of this talk. 75 00:03:07,810 --> 00:03:10,299 So what are we going to talk about? 76 00:03:10,300 --> 00:03:12,099 We are going to give you a little update 77 00:03:12,100 --> 00:03:13,029 about Red Star. 78 00:03:13,030 --> 00:03:15,099 So there has been a 79 00:03:15,100 --> 00:03:17,229 lot of work following our 80 00:03:17,230 --> 00:03:20,319 publication last year of Red Star OS. 81 00:03:20,320 --> 00:03:22,659 We'll be talking about the software 82 00:03:22,660 --> 00:03:25,359 and the hardware that the tablet PC is 83 00:03:25,360 --> 00:03:27,729 made of. We will give you an introduction 84 00:03:27,730 --> 00:03:29,139 of all the applications or some of the 85 00:03:29,140 --> 00:03:30,279 applications that are stored on the 86 00:03:30,280 --> 00:03:31,389 tablet PC. 
87 00:03:31,390 --> 00:03:33,909 And we actually have a live device 88 00:03:33,910 --> 00:03:35,559 here, so it's sitting right here. 89 00:03:35,560 --> 00:03:38,499 Maybe Kim Jong Un is listening already. 90 00:03:38,500 --> 00:03:40,539 So we have one device right here that we 91 00:03:40,540 --> 00:03:42,190 got out of DPRK. 92 00:03:43,750 --> 00:03:44,829 In the Q&A, 93 00:03:44,830 --> 00:03:46,299 it is important that you please do not 94 00:03:46,300 --> 00:03:48,579 ask questions on how we exactly got this 95 00:03:48,580 --> 00:03:50,680 tablet PC. We will not answer them. 96 00:03:51,850 --> 00:03:53,709 So but we have like this full blown 97 00:03:53,710 --> 00:03:55,389 device. It's sitting right there and I'm 98 00:03:55,390 --> 00:03:57,279 going to do a live demo. 99 00:03:57,280 --> 00:03:58,300 Then after that, 100 00:03:59,740 --> 00:04:01,779 like, Woolim is pretty locked down, so 101 00:04:01,780 --> 00:04:03,549 there is not much a user can do to kind 102 00:04:03,550 --> 00:04:05,349 of break out of the usual tools or 103 00:04:05,350 --> 00:04:06,849 applications that are installed on the 104 00:04:06,850 --> 00:04:09,039 device. So we had to find a way 105 00:04:09,040 --> 00:04:11,469 to gain access to like the whole package, 106 00:04:11,470 --> 00:04:13,329 all of the APKs, all of the stuff that is 107 00:04:13,330 --> 00:04:14,889 stored on the device and Manuel is 108 00:04:14,890 --> 00:04:16,958 going to talk about how we gained access 109 00:04:16,959 --> 00:04:18,549 to the device. 110 00:04:18,550 --> 00:04:20,588 And after that, we will see how the 111 00:04:20,589 --> 00:04:23,139 government is able to control 112 00:04:23,140 --> 00:04:25,269 the distribution of media with these 113 00:04:25,270 --> 00:04:27,399 tablet PCs, and Nikolaus is going to talk 114 00:04:27,400 --> 00:04:28,899 about that part. 115 00:04:28,900 --> 00:04:30,339 And after that, hopefully we will have 116 00:04:30,340 --> 00:04:31,659 some Q&A. 
117 00:04:31,660 --> 00:04:33,999 So to give you some Red Star OS updates 118 00:04:34,000 --> 00:04:35,439 really fast. 119 00:04:35,440 --> 00:04:36,939 There have been multiple publications 120 00:04:36,940 --> 00:04:39,339 concerning the security of Red Star OS, 121 00:04:39,340 --> 00:04:41,409 as we didn't focus on the security last year: 122 00:04:41,410 --> 00:04:43,689 arbitrary code execution, command injections 123 00:04:43,690 --> 00:04:45,219 and even in the server version of 124 00:04:45,220 --> 00:04:47,199 Red Star OS, Shellshock all over the 125 00:04:47,200 --> 00:04:48,200 place. 126 00:04:48,730 --> 00:04:50,979 Then there was a cool art project 127 00:04:50,980 --> 00:04:53,079 that has been created by a 128 00:04:53,080 --> 00:04:55,149 guy who used 129 00:04:55,150 --> 00:04:57,759 the watermarks for files 130 00:04:57,760 --> 00:04:59,909 to create artifacts in pictures. 131 00:04:59,910 --> 00:05:02,199 So what he would do is like he would take 132 00:05:02,200 --> 00:05:04,659 like your face as a picture, create 133 00:05:04,660 --> 00:05:07,059 a watermark for it and then 134 00:05:07,060 --> 00:05:08,799 kind of disturb the picture. 135 00:05:08,800 --> 00:05:10,899 So it becomes that it has artifacts 136 00:05:10,900 --> 00:05:13,239 in the so you can visit the project. 137 00:05:13,240 --> 00:05:15,699 Inter alia, that org is the URL. 138 00:05:15,700 --> 00:05:17,979 And what we also found 139 00:05:17,980 --> 00:05:19,749 is that we found a website which is 140 00:05:19,750 --> 00:05:21,879 called cooks.org.kp, which 141 00:05:21,880 --> 00:05:24,309 is from DPRK, and it contains 142 00:05:24,310 --> 00:05:25,869 all of the JPEGs that you see on that 143 00:05:25,870 --> 00:05:27,489 website. So it's out there publicly 144 00:05:27,490 --> 00:05:29,139 available. 
You can just go to the website 145 00:05:29,140 --> 00:05:31,059 and grab all the JPEGs, and you will see 146 00:05:31,060 --> 00:05:33,669 that all of these JPEGs have watermarking 147 00:05:33,670 --> 00:05:34,899 supplied by Red Star OS. 148 00:05:34,900 --> 00:05:36,849 So actually, this is like a finding where 149 00:05:36,850 --> 00:05:38,709 we can see that Red Star OS is actually 150 00:05:38,710 --> 00:05:40,809 used and these watermarkings 151 00:05:40,810 --> 00:05:43,059 are existing in the wild. 152 00:05:43,060 --> 00:05:44,499 We could identify six different 153 00:05:44,500 --> 00:05:47,469 watermarks on this website, 154 00:05:47,470 --> 00:05:49,539 which tells us that there 155 00:05:49,540 --> 00:05:51,039 are like six different computers where 156 00:05:51,040 --> 00:05:53,589 those JPEGs are kind of created, 157 00:05:53,590 --> 00:05:55,420 used, manipulated or whatever. 158 00:05:56,760 --> 00:05:58,539 Um, why are we doing this? 159 00:05:58,540 --> 00:06:00,759 So again, as last year, there's only 160 00:06:00,760 --> 00:06:02,529 some general information available about 161 00:06:02,530 --> 00:06:04,599 the tablet PCs 162 00:06:04,600 --> 00:06:06,939 the DPRK provides, and we wanted 163 00:06:06,940 --> 00:06:09,099 to kind of get 164 00:06:09,100 --> 00:06:11,409 a glimpse into the tablet PCs because 165 00:06:11,410 --> 00:06:13,839 last year we identified some dead code 166 00:06:13,840 --> 00:06:15,999 that was laying around in Red Star OS 167 00:06:16,000 --> 00:06:18,369 and it was not used by the watermarking. 168 00:06:18,370 --> 00:06:20,619 And we thought last year that there 169 00:06:20,620 --> 00:06:22,299 might be some sophisticated, more 170 00:06:22,300 --> 00:06:23,649 sophisticated, more advanced 171 00:06:23,650 --> 00:06:25,569 watermarking. And this is exactly what we 172 00:06:25,570 --> 00:06:27,579 found in the 173 00:06:27,580 --> 00:06:28,580 tablet PCs. 
174 00:06:29,590 --> 00:06:32,109 So again, as I said, 175 00:06:32,110 --> 00:06:34,389 Woolim kind of is 176 00:06:34,390 --> 00:06:36,549 the name of the tablet PC. If 177 00:06:36,550 --> 00:06:38,619 you translate it, it translates to Echo. 178 00:06:38,620 --> 00:06:40,629 If you put this into Google Translate, it 179 00:06:40,630 --> 00:06:42,339 translates to something completely else. 180 00:06:42,340 --> 00:06:44,649 I have no idea why, but I think it 181 00:06:44,650 --> 00:06:47,109 translates to ring or something. 182 00:06:47,110 --> 00:06:49,209 But Echo is probably the real 183 00:06:49,210 --> 00:06:51,069 name if you want to translate it and is 184 00:06:51,070 --> 00:06:53,740 also a name of a waterfall in the DPRK. 185 00:06:54,760 --> 00:06:56,829 There are probably at least 186 00:06:56,830 --> 00:06:59,169 four tablet PCs out there in DPRK. 187 00:06:59,170 --> 00:07:01,089 We have hands on for three. 188 00:07:01,090 --> 00:07:03,009 There is another one which is called 189 00:07:03,010 --> 00:07:05,139 after a mountain in DPRK, 190 00:07:05,140 --> 00:07:07,420 and it's called mysterious fragrant. 191 00:07:08,890 --> 00:07:11,259 So it's probably that 192 00:07:11,260 --> 00:07:13,059 they basically name all of their pieces 193 00:07:13,060 --> 00:07:15,189 of technology after stuff in 194 00:07:15,190 --> 00:07:17,289 the nature. I guess if 195 00:07:17,290 --> 00:07:19,239 you do some small research or some 196 00:07:19,240 --> 00:07:20,559 research on the device, you will 197 00:07:20,560 --> 00:07:22,119 find out that the manufacturer that is 198 00:07:22,120 --> 00:07:23,589 doing the hardware is not coming from 199 00:07:23,590 --> 00:07:26,049 DPRK. 
It is a Chinese manufacturer, 200 00:07:26,050 --> 00:07:27,789 and it is actually selling this piece of 201 00:07:27,790 --> 00:07:29,349 hardware, just the plain hardware with a 202 00:07:29,350 --> 00:07:30,350 stock Android on it, 203 00:07:31,510 --> 00:07:34,449 probably under the name of Zap 100. 204 00:07:34,450 --> 00:07:36,369 And it's a Chinese manufacturer and the 205 00:07:36,370 --> 00:07:38,979 product is sold from 180 to 260 206 00:07:38,980 --> 00:07:40,750 euro, which is like 207 00:07:41,770 --> 00:07:43,659 a good price for the 208 00:07:43,660 --> 00:07:45,399 technology that is behind the tablet PC. 209 00:07:45,400 --> 00:07:47,409 But you can imagine the 260 euro is 210 00:07:47,410 --> 00:07:49,329 pretty much for someone sitting in DPRK 211 00:07:49,330 --> 00:07:50,979 and wanting to buy a tablet PC. 212 00:07:50,980 --> 00:07:53,139 So probably those tablet 213 00:07:53,140 --> 00:07:54,220 PCs are not 214 00:07:56,260 --> 00:07:58,149 meant to be, like, for the whole public. 215 00:07:58,150 --> 00:08:00,069 It's probably only a few people that have 216 00:08:00,070 --> 00:08:01,569 access to those tablet PCs. 217 00:08:01,570 --> 00:08:03,729 But this is speculation. 218 00:08:03,730 --> 00:08:04,989 The software that is running on the 219 00:08:04,990 --> 00:08:07,449 tablet PC is coming from DPRK. 220 00:08:07,450 --> 00:08:09,399 So what they did is basically they used an 221 00:08:09,400 --> 00:08:12,369 Android SDK to develop Android 222 00:08:12,370 --> 00:08:14,679 for their tablet PC and then put 223 00:08:14,680 --> 00:08:16,989 some interesting services and interesting 224 00:08:16,990 --> 00:08:18,730 applications into the tablet PC. 225 00:08:19,840 --> 00:08:21,609 So we are going to give you a product 226 00:08:21,610 --> 00:08:22,989 presentation. 
227 00:08:22,990 --> 00:08:24,369 Well, we are not going to give you a 228 00:08:24,370 --> 00:08:26,769 product presentation, but DPRK 229 00:08:26,770 --> 00:08:28,179 is actually doing this. 230 00:08:28,180 --> 00:08:30,369 Can you switch the audio 231 00:08:30,370 --> 00:08:32,440 to the laptop, please? 232 00:08:39,530 --> 00:08:41,298 So the subtitles are not coming from the 233 00:08:41,299 --> 00:08:43,279 original video, the subtitles have been 234 00:08:43,280 --> 00:08:45,379 edited by a guy from South 235 00:08:45,380 --> 00:08:46,909 Korea who was helping us out. 236 00:08:46,910 --> 00:08:49,129 So this is the official commercial for 237 00:08:49,130 --> 00:08:50,130 Woolim. 238 00:08:58,680 --> 00:08:59,680 Said. 239 00:09:13,890 --> 00:09:14,890 I say. 240 00:09:46,430 --> 00:09:47,430 You. 241 00:10:27,020 --> 00:10:28,020 You. 242 00:11:49,910 --> 00:11:51,059 And I listen. 243 00:12:00,430 --> 00:12:01,449 All right. 244 00:12:01,450 --> 00:12:03,369 OK, so this was an original video, so we 245 00:12:03,370 --> 00:12:05,529 didn't do this video or something. 246 00:12:05,530 --> 00:12:07,209 This was really an original video that 247 00:12:07,210 --> 00:12:08,620 also is on the tablet PC. 248 00:12:09,640 --> 00:12:12,039 I will shortly go into a few points 249 00:12:12,040 --> 00:12:14,259 out of the video because they seem 250 00:12:14,260 --> 00:12:15,219 pretty important to me. 251 00:12:15,220 --> 00:12:16,869 First of all, don't drive and watch TV. 252 00:12:16,870 --> 00:12:18,489 That's a bad idea. 253 00:12:18,490 --> 00:12:20,349 Second of all, if you closely look 254 00:12:20,350 --> 00:12:23,079 at this device, you will see, 255 00:12:23,080 --> 00:12:24,819 if you know the original device, 256 00:12:24,820 --> 00:12:26,589 that it is probably a different 257 00:12:26,590 --> 00:12:29,019 type, although it is the same 258 00:12:29,020 --> 00:12:30,999 kind of brand. 
259 00:12:31,000 --> 00:12:33,189 So down right in the corner 260 00:12:33,190 --> 00:12:35,109 you can see like that is Woolim. 261 00:12:35,110 --> 00:12:37,119 And also on the back of the tablet 262 00:12:37,120 --> 00:12:39,699 are the same letters. 263 00:12:39,700 --> 00:12:41,199 So we are pretty sure that it is like 264 00:12:41,200 --> 00:12:43,299 from the same series or whatever, but it 265 00:12:43,300 --> 00:12:45,309 is not the same hardware as you can see 266 00:12:45,310 --> 00:12:46,719 right there. So probably there are 267 00:12:46,720 --> 00:12:48,849 multiple tablets that are running 268 00:12:48,850 --> 00:12:50,439 under this brand. 269 00:12:50,440 --> 00:12:51,580 This is important to know. 270 00:12:52,660 --> 00:12:54,849 The next thing which is quite interesting 271 00:12:54,850 --> 00:12:56,829 is that they provide rapid updates, which 272 00:12:56,830 --> 00:12:57,939 is something that if you're in the 273 00:12:57,940 --> 00:12:59,919 Android world, not that common, which I 274 00:12:59,920 --> 00:13:01,719 find like this is pretty amazing and 275 00:13:01,720 --> 00:13:02,720 good. 276 00:13:03,430 --> 00:13:04,809 The second thing is they have a free 277 00:13:04,810 --> 00:13:06,609 warranty service, which is also pretty 278 00:13:06,610 --> 00:13:08,769 convenient. So that's also a nice 279 00:13:08,770 --> 00:13:10,089 service, I would say. 280 00:13:10,090 --> 00:13:12,129 And one of the most important parts is 281 00:13:12,130 --> 00:13:14,709 that if you this is not going into like 282 00:13:14,710 --> 00:13:16,569 the tablet PC itself, but it gives you 283 00:13:16,570 --> 00:13:18,399 some clues about how infrastructure is 284 00:13:18,400 --> 00:13:19,779 working in DPRK. 
285 00:13:19,780 --> 00:13:21,980 So they are actually offering a DVB-T 286 00:13:23,320 --> 00:13:25,719 broadcast on the tablet PC 287 00:13:25,720 --> 00:13:27,759 so you can buy or rent or whatever or get 288 00:13:27,760 --> 00:13:29,919 a dongle and then have like 289 00:13:29,920 --> 00:13:31,299 20 cables connected to it. 290 00:13:31,300 --> 00:13:32,979 So it's a little bit like Apple. 291 00:13:32,980 --> 00:13:35,139 And then you can view 292 00:13:35,140 --> 00:13:37,359 DVB-T on your device, and 293 00:13:37,360 --> 00:13:39,549 this even sells as a feature that they 294 00:13:39,550 --> 00:13:41,739 say you will 295 00:13:41,740 --> 00:13:44,169 not be able to view any other stuff 296 00:13:44,170 --> 00:13:45,759 than just our own. 297 00:13:45,760 --> 00:13:47,469 And this is pretty interesting because if 298 00:13:47,470 --> 00:13:49,659 we're going back to Red Star OS and we 299 00:13:49,660 --> 00:13:51,099 had, I don't know if you've seen the talk, 300 00:13:51,100 --> 00:13:53,319 but we had an antivirus scanner 301 00:13:53,320 --> 00:13:55,329 who was not antivirus scanning at all. 302 00:13:55,330 --> 00:13:56,649 It was doing something completely 303 00:13:56,650 --> 00:13:58,419 different. And we thought, like, they are 304 00:13:58,420 --> 00:13:59,439 like tricking users. 305 00:13:59,440 --> 00:14:01,719 They just say this is an antivirus 306 00:14:01,720 --> 00:14:03,609 scanner to do something else under the 307 00:14:03,610 --> 00:14:05,709 hood. But if you see this, then they are 308 00:14:05,710 --> 00:14:08,229 basically saying, we want to prevent 309 00:14:08,230 --> 00:14:10,449 that you see the malicious stuff from 310 00:14:10,450 --> 00:14:12,339 outside. So they are selling this as a 311 00:14:12,340 --> 00:14:14,439 feature. So it's not like they're trying 312 00:14:14,440 --> 00:14:16,149 to trick the people. 
313 00:14:16,150 --> 00:14:17,649 They are saying like, we are going to 314 00:14:17,650 --> 00:14:20,169 encrypt, decrypt our TV broadcasts, 315 00:14:20,170 --> 00:14:21,759 and you will only be able to see our 316 00:14:21,760 --> 00:14:23,559 stuff. So there is no danger from the 317 00:14:23,560 --> 00:14:24,909 outside coming to you. 318 00:14:24,910 --> 00:14:26,169 And this is pretty remarkable, 319 00:14:26,170 --> 00:14:28,269 I think. OK, if we're 320 00:14:28,270 --> 00:14:30,399 going to the architecture itself, 321 00:14:30,400 --> 00:14:31,959 let's take a quick look at the hardware. 322 00:14:31,960 --> 00:14:33,909 It's an Allwinner A33 system on 323 00:14:33,910 --> 00:14:34,910 a chip. 324 00:14:35,590 --> 00:14:37,929 It comes with eight gigabytes of flash 325 00:14:37,930 --> 00:14:40,329 and it has a micro SD port 326 00:14:40,330 --> 00:14:42,669 and a power plug to charge 327 00:14:42,670 --> 00:14:43,779 the tablet. 328 00:14:43,780 --> 00:14:45,759 It has a not so responsive touch screen, 329 00:14:45,760 --> 00:14:47,409 to be honest. So if I'm going to do the 330 00:14:47,410 --> 00:14:49,359 live demo, I probably fucked some stuff 331 00:14:49,360 --> 00:14:51,429 up and like, tap on the wrong things and 332 00:14:51,430 --> 00:14:53,679 sometimes it happens, sometimes 333 00:14:53,680 --> 00:14:55,689 it won't. So it's a bit random. 334 00:14:55,690 --> 00:14:57,339 So bear with me if it takes a while to 335 00:14:57,340 --> 00:14:59,079 open some of the applications. 336 00:14:59,080 --> 00:15:01,299 And if you just get 337 00:15:01,300 --> 00:15:02,859 the tablet by itself, there are no 338 00:15:02,860 --> 00:15:04,269 communication ports at all. 
339 00:15:04,270 --> 00:15:06,789 So there is normally, if you buy like 340 00:15:06,790 --> 00:15:09,369 your usual Allwinner A33 341 00:15:09,370 --> 00:15:11,319 system on a chip with a board that comes 342 00:15:11,320 --> 00:15:13,269 with a board, you probably have another 343 00:15:13,270 --> 00:15:15,039 chip that has like Bluetooth, Wi-Fi and 344 00:15:15,040 --> 00:15:16,709 all of the other stuff that you need 345 00:15:16,710 --> 00:15:18,879 in a normal tablet PC. On 346 00:15:18,880 --> 00:15:20,799 this device, this has been either 347 00:15:20,800 --> 00:15:23,019 soldered off or it never 348 00:15:23,020 --> 00:15:25,209 made it to production, so the board does 349 00:15:25,210 --> 00:15:27,369 not contain any communication hardware 350 00:15:27,370 --> 00:15:29,439 itself. You always have to 351 00:15:29,440 --> 00:15:32,139 buy or rent 352 00:15:32,140 --> 00:15:34,899 adapters that you can plug in to use 353 00:15:34,900 --> 00:15:37,059 the stuff. And as you have and could 354 00:15:37,060 --> 00:15:39,399 see in the video, like the usual 355 00:15:39,400 --> 00:15:41,889 cases are USB modem, Wi-Fi 356 00:15:41,890 --> 00:15:44,889 IT normal networking capability, or DVB-T. 357 00:15:44,890 --> 00:15:47,409 It also has HDMI, 358 00:15:47,410 --> 00:15:48,649 and that was the problem. 359 00:15:48,650 --> 00:15:50,739 This does not have HDMI, which is 360 00:15:50,740 --> 00:15:53,049 why we cannot connect it to the 361 00:15:53,050 --> 00:15:55,209 screen, but they are 362 00:15:55,210 --> 00:15:56,559 in the commercial. You could see that 363 00:15:56,560 --> 00:15:58,719 they just plug in a micro HDMI 364 00:15:58,720 --> 00:16:00,759 or mini HDMI, and then you can basically 365 00:16:00,760 --> 00:16:02,589 hook it up to any HDMI device. 366 00:16:02,590 --> 00:16:04,149 So with this device, it's not possible, 367 00:16:04,150 --> 00:16:05,259 unfortunately. 
368 00:16:05,260 --> 00:16:07,269 So we will have to do this projector 369 00:16:07,270 --> 00:16:08,919 thing here right there, and I hope it 370 00:16:08,920 --> 00:16:10,449 will turn out fine. 371 00:16:10,450 --> 00:16:12,999 OK? Concerning the software perspective, 372 00:16:13,000 --> 00:16:15,249 there's an Android 4.4.2 running 373 00:16:15,250 --> 00:16:17,349 with an, for Android 4.4.2, 374 00:16:17,350 --> 00:16:19,899 kind of up-to-date kernel. 375 00:16:19,900 --> 00:16:20,859 It was built. 376 00:16:20,860 --> 00:16:22,509 The build date goes back to September 377 00:16:22,510 --> 00:16:25,119 10th, 2015, so it's pretty 378 00:16:25,120 --> 00:16:26,589 new. 379 00:16:26,590 --> 00:16:28,509 I think we got it four months ago or 380 00:16:28,510 --> 00:16:29,439 something like that. 381 00:16:29,440 --> 00:16:31,539 So at the time that we were starting the 382 00:16:31,540 --> 00:16:34,449 research, it was actually pretty new. 383 00:16:34,450 --> 00:16:36,189 Looking at the pre-installed applications, 384 00:16:36,190 --> 00:16:38,619 it's just your usual, uh, Android 385 00:16:38,620 --> 00:16:40,329 stuff, but without the Google stuff, 386 00:16:40,330 --> 00:16:42,249 obviously. So there is not like a Play 387 00:16:42,250 --> 00:16:44,529 Store or something and no 388 00:16:44,530 --> 00:16:46,269 Google Maps or whatever. That has all been 389 00:16:46,270 --> 00:16:49,029 stripped out and you basically have just 390 00:16:49,030 --> 00:16:51,189 basic functionality, plus some 391 00:16:51,190 --> 00:16:53,109 applications from DPRK. 392 00:16:53,110 --> 00:16:55,509 Can I have the tablet on the big screen, 393 00:16:55,510 --> 00:16:57,130 please, for the demonstration? 394 00:17:02,340 --> 00:17:04,169 Tradition of the video, again, to kind of 395 00:17:04,170 --> 00:17:05,608 get over things. 396 00:17:05,609 --> 00:17:08,578 OK, so this is the tablet PC itself. 
397 00:17:08,579 --> 00:17:10,828 This is the default background 398 00:17:10,829 --> 00:17:12,659 that you see right there. 399 00:17:12,660 --> 00:17:14,368 If I move the tablet around a little bit, 400 00:17:14,369 --> 00:17:16,049 you might see that there are some cables 401 00:17:16,050 --> 00:17:17,699 coming out on one side. 402 00:17:17,700 --> 00:17:19,588 This is because we tried to find debugging 403 00:17:19,589 --> 00:17:21,479 ports. We didn't find any. 404 00:17:21,480 --> 00:17:23,699 We just started debugging the 405 00:17:23,700 --> 00:17:25,289 LCD and stuff like that. 406 00:17:25,290 --> 00:17:27,598 But just so this is not really 407 00:17:27,599 --> 00:17:29,459 working. So. But if you are having 408 00:17:29,460 --> 00:17:31,409 questions afterwards, these cables are 409 00:17:31,410 --> 00:17:33,119 just coming out and doing nothing right 410 00:17:33,120 --> 00:17:34,379 now. 411 00:17:34,380 --> 00:17:36,599 OK. So let me show the tablet 412 00:17:36,600 --> 00:17:38,609 PC real quick. So the problem is that 413 00:17:38,610 --> 00:17:40,829 some of the applications have 414 00:17:40,830 --> 00:17:42,989 a serial ID that is 415 00:17:42,990 --> 00:17:45,239 mostly shown on the splash screen, 416 00:17:45,240 --> 00:17:47,369 and we don't know why this serial 417 00:17:47,370 --> 00:17:48,509 ID is there. 418 00:17:48,510 --> 00:17:49,829 It could be that it's just like a 419 00:17:49,830 --> 00:17:51,689 versioning number for the applications, 420 00:17:51,690 --> 00:17:54,269 but it could also be a way to track 421 00:17:54,270 --> 00:17:56,489 who has which app installed 422 00:17:56,490 --> 00:17:58,799 on the tablet and to prevent 423 00:17:58,800 --> 00:18:01,289 the guy getting into trouble 424 00:18:01,290 --> 00:18:03,899 who kind of leaked this tablet PC, 425 00:18:03,900 --> 00:18:06,239 I'm going to pull out the tablet PC, 426 00:18:06,240 --> 00:18:07,739 open up the application. 
427 00:18:07,740 --> 00:18:09,449 See, that's a serial number and put it 428 00:18:09,450 --> 00:18:11,219 back, just to be sure, OK? 429 00:18:11,220 --> 00:18:12,779 So I'm going to pull it out. 430 00:18:12,780 --> 00:18:14,849 And then again, you know that this 431 00:18:14,850 --> 00:18:16,379 is not like we're tricking something. 432 00:18:16,380 --> 00:18:18,179 This is just because I want to make sure 433 00:18:18,180 --> 00:18:19,919 that no serial IDs are shown on the 434 00:18:19,920 --> 00:18:21,659 screen. OK, so the first thing that I'm 435 00:18:21,660 --> 00:18:23,099 going to show you is an overview over the 436 00:18:23,100 --> 00:18:24,089 applications. 437 00:18:24,090 --> 00:18:25,829 These are the applications that 438 00:18:25,830 --> 00:18:27,599 are in the factory reset mode. 439 00:18:27,600 --> 00:18:29,849 So this comes with the 440 00:18:29,850 --> 00:18:32,009 application or with the tablet 441 00:18:32,010 --> 00:18:33,119 itself. 442 00:18:33,120 --> 00:18:35,249 You have like your usual stuff, like the 443 00:18:35,250 --> 00:18:37,049 camera you can see right there, a file 444 00:18:37,050 --> 00:18:38,339 browser. 445 00:18:38,340 --> 00:18:40,589 I'm going to go into the 446 00:18:40,590 --> 00:18:42,359 settings. 447 00:18:42,360 --> 00:18:44,759 You can see that there is an Ethernet 448 00:18:44,760 --> 00:18:46,619 modem and stuff like that. 449 00:18:46,620 --> 00:18:48,839 If I scroll down a bit, you can see 450 00:18:48,840 --> 00:18:50,939 some of the applications running. There is 451 00:18:50,940 --> 00:18:53,939 even Flash, as you can see right there. 
452 00:18:53,940 --> 00:18:55,829 Flash is probably, we don't know if it's 453 00:18:55,830 --> 00:18:58,109 really Flash, but it makes sense because 454 00:18:58,110 --> 00:18:59,849 some of or most of, all the 455 00:18:59,850 --> 00:19:02,009 websites of DPRK are using Flash to show 456 00:19:02,010 --> 00:19:05,109 videos and deliver remote exploits. 457 00:19:05,110 --> 00:19:07,169 Um, so 458 00:19:07,170 --> 00:19:08,879 that totally makes sense. 459 00:19:08,880 --> 00:19:10,889 OK. If you scroll down a bit, you can see 460 00:19:10,890 --> 00:19:12,659 like your usual applications, an 461 00:19:12,660 --> 00:19:14,819 archiving application and 462 00:19:14,820 --> 00:19:16,559 this red flag thing, which is pretty 463 00:19:16,560 --> 00:19:17,639 interesting. 464 00:19:17,640 --> 00:19:19,709 OK. So next thing I'm 465 00:19:19,710 --> 00:19:21,599 going to show you is the security stuff 466 00:19:21,600 --> 00:19:24,029 and the certificate authorities 467 00:19:24,030 --> 00:19:25,349 that are installed on the tablet. 468 00:19:25,350 --> 00:19:27,089 They are not so many. 469 00:19:28,260 --> 00:19:30,479 That's all of them, basically, and 470 00:19:30,480 --> 00:19:32,639 they are all from DPRK. 471 00:19:32,640 --> 00:19:34,979 So you should bear this in mind 472 00:19:34,980 --> 00:19:36,749 if you get like a device like this and 473 00:19:36,750 --> 00:19:38,189 start browsing. 474 00:19:38,190 --> 00:19:40,529 You probably will 475 00:19:40,530 --> 00:19:42,209 be man-in-the-middled totally when you're 476 00:19:42,210 --> 00:19:45,539 using this in the DPRK internet or intranet. 477 00:19:45,540 --> 00:19:47,669 OK, the next thing interesting 478 00:19:47,670 --> 00:19:48,869 is maybe the browser. 479 00:19:48,870 --> 00:19:50,939 So looking at the browser, there 480 00:19:50,940 --> 00:19:52,839 is a Nexus S right there. 481 00:19:52,840 --> 00:19:54,749 Um, it's just a normal browser. 
482 00:19:54,750 --> 00:19:57,059 You can like to do something to see some 483 00:19:57,060 --> 00:20:00,359 files on the hard drive, some of them. 484 00:20:00,360 --> 00:20:02,819 What you can do is go to the favorites 485 00:20:02,820 --> 00:20:05,069 and see, like the bookmarks that 486 00:20:05,070 --> 00:20:06,629 are already there. 487 00:20:06,630 --> 00:20:08,189 If you look at the bookmarks there, 488 00:20:08,190 --> 00:20:09,929 probably most of them are internal 489 00:20:09,930 --> 00:20:11,639 websites. So if you click on them, you 490 00:20:11,640 --> 00:20:13,859 see that the URL is actually 491 00:20:13,860 --> 00:20:15,299 an IP address. 492 00:20:15,300 --> 00:20:17,489 And if you check 493 00:20:17,490 --> 00:20:19,109 on all of them, you see that they are all 494 00:20:19,110 --> 00:20:21,269 internal IP addresses and these 495 00:20:21,270 --> 00:20:24,149 perfectly go into the address space 496 00:20:24,150 --> 00:20:26,369 that DPRK has, especially these ones 497 00:20:26,370 --> 00:20:28,379 right there. On the tablet PC, 498 00:20:28,380 --> 00:20:30,359 if you hook it up to Wireshark and let it 499 00:20:30,360 --> 00:20:32,369 run, it is even making some outbound 500 00:20:32,370 --> 00:20:34,559 connections to IP addresses that go 501 00:20:34,560 --> 00:20:36,089 into this network segment. 502 00:20:37,620 --> 00:20:39,479 We don't know what it is doing or 503 00:20:39,480 --> 00:20:41,069 what it is trying to get from there. 504 00:20:41,070 --> 00:20:42,929 Maybe the rapid updates, that's the 505 00:20:42,930 --> 00:20:44,279 probability. 506 00:20:44,280 --> 00:20:45,989 I don't know exactly. 507 00:20:45,990 --> 00:20:47,399 So there's also a camera. 508 00:20:47,400 --> 00:20:48,989 I'm not going to turn on the camera and 509 00:20:48,990 --> 00:20:50,969 take a picture of you so Kim Jong Un can 510 00:20:50,970 --> 00:20:52,379 see what we're doing right here. 
511 00:20:52,380 --> 00:20:53,939 I'm going to leave this out. 512 00:20:53,940 --> 00:20:56,939 The next thing I'm going to show you is 513 00:20:56,940 --> 00:20:57,940 a game. 514 00:21:03,520 --> 00:21:05,709 Which is a robot defense, 515 00:21:05,710 --> 00:21:07,449 I don't know if, you know, robot defense, 516 00:21:07,450 --> 00:21:09,069 it's perfectly available in the Play 517 00:21:09,070 --> 00:21:10,119 Store for Android. 518 00:21:11,140 --> 00:21:12,579 And if you start the game, 519 00:21:13,630 --> 00:21:15,639 then you might recognize that it is 520 00:21:15,640 --> 00:21:16,849 really 521 00:21:16,850 --> 00:21:17,850 a 522 00:21:18,610 --> 00:21:21,879 drag and drop. You know that it is really 523 00:21:21,880 --> 00:21:24,009 the kind of the original version 524 00:21:24,010 --> 00:21:24,999 of this game. 525 00:21:25,000 --> 00:21:26,829 And what they did is basically they 526 00:21:26,830 --> 00:21:29,079 adapted a few things, especially 527 00:21:29,080 --> 00:21:31,239 for language settings, and made 528 00:21:31,240 --> 00:21:33,249 a new splash screen and adopted a new 529 00:21:33,250 --> 00:21:34,989 splash screen. So if you decompile this 530 00:21:34,990 --> 00:21:36,459 thing, you will see that it is perfectly 531 00:21:36,460 --> 00:21:38,049 fine, the one from the Play Store, at 532 00:21:38,050 --> 00:21:39,249 least in parts. 533 00:21:39,250 --> 00:21:41,409 So there might be a 534 00:21:41,410 --> 00:21:43,359 copyright violation right here. 535 00:21:43,360 --> 00:21:45,489 I'm not sure about 536 00:21:45,490 --> 00:21:48,039 this. OK, what else do we have? 537 00:21:48,040 --> 00:21:49,449 Another thing that I found pretty 538 00:21:49,450 --> 00:21:51,129 interesting is that there is an 539 00:21:51,130 --> 00:21:54,609 application that enables 540 00:21:54,610 --> 00:21:56,829 kids to learn 541 00:21:56,830 --> 00:21:58,749 how to type with a keyboard. 542 00:21:58,750 --> 00:22:00,579 That's pretty nice, actually.
543 00:22:00,580 --> 00:22:02,349 So you have your settings. 544 00:22:02,350 --> 00:22:03,879 I'm just typing random things. 545 00:22:03,880 --> 00:22:05,319 I don't know what what it says right 546 00:22:05,320 --> 00:22:06,249 there. 547 00:22:06,250 --> 00:22:08,649 And then you can start to hook up a 548 00:22:08,650 --> 00:22:10,779 USB keyboard to the tablet and let the 549 00:22:10,780 --> 00:22:12,969 kids kind of type to learn how 550 00:22:12,970 --> 00:22:14,949 to type on a keyboard, which is actually 551 00:22:14,950 --> 00:22:15,950 quite nice. 552 00:22:17,050 --> 00:22:19,119 OK, what else do we have? 553 00:22:19,120 --> 00:22:21,399 So concerning 554 00:22:21,400 --> 00:22:23,499 writing, there is also 555 00:22:23,500 --> 00:22:25,779 a full-blown office suite 556 00:22:25,780 --> 00:22:27,910 on the tablet itself. 557 00:22:31,560 --> 00:22:33,869 And with office suite, I really 558 00:22:33,870 --> 00:22:35,789 mean office suite. 559 00:22:35,790 --> 00:22:38,399 So it lets you kind of create PowerPoint 560 00:22:38,400 --> 00:22:40,109 presentations and stuff like that, and it 561 00:22:40,110 --> 00:22:41,789 really works, and we would laugh. 562 00:22:41,790 --> 00:22:43,019 We would have loved to do the 563 00:22:43,020 --> 00:22:45,269 presentation with this tablet PC, 564 00:22:45,270 --> 00:22:47,279 but unfortunately we cannot hook it up to 565 00:22:47,280 --> 00:22:49,319 two HDMI, so that was not possible at 566 00:22:49,320 --> 00:22:50,489 all. 567 00:22:50,490 --> 00:22:52,259 OK, what do we have? 568 00:22:52,260 --> 00:22:54,209 We have a lot of propaganda obviously 569 00:22:54,210 --> 00:22:55,549 installed on the tablet PC.
570 00:22:55,550 --> 00:22:57,689 So there is one 571 00:22:57,690 --> 00:22:59,879 application that is coming 572 00:22:59,880 --> 00:23:01,949 even out of Red Star, 573 00:23:01,950 --> 00:23:04,499 and it is basically the encyclopedia 574 00:23:04,500 --> 00:23:06,539 and shows the writings of all of the 575 00:23:06,540 --> 00:23:08,849 leaders from DPRK. 576 00:23:08,850 --> 00:23:12,209 And you can see what they have written. 577 00:23:12,210 --> 00:23:14,519 Exactly. So another interesting thing 578 00:23:14,520 --> 00:23:17,369 is is there is a lot of educational stuff 579 00:23:17,370 --> 00:23:18,719 on the tablet PC. 580 00:23:18,720 --> 00:23:21,180 So there is one application 581 00:23:22,560 --> 00:23:25,319 that is basically a technological 582 00:23:25,320 --> 00:23:26,789 dictionary 583 00:23:26,790 --> 00:23:28,589 so you can 584 00:23:28,590 --> 00:23:30,839 like, find information 585 00:23:30,840 --> 00:23:32,939 about technology and you can also 586 00:23:32,940 --> 00:23:35,339 their dictionaries install that lets you 587 00:23:35,340 --> 00:23:37,739 look into other 588 00:23:37,740 --> 00:23:40,109 science areas as well. 589 00:23:41,370 --> 00:23:42,599 OK, another one, which is pretty 590 00:23:42,600 --> 00:23:44,699 interesting, and maybe 591 00:23:44,700 --> 00:23:45,930 I would like to have your 592 00:23:48,030 --> 00:23:50,279 so I need to kind of come up with a hack 593 00:23:52,370 --> 00:23:53,700 right here. Probably. 594 00:23:57,630 --> 00:23:58,650 So give me a second. 595 00:23:59,730 --> 00:24:01,859 Um, and we 596 00:24:01,860 --> 00:24:02,860 go. 597 00:24:03,270 --> 00:24:04,019 All right. 598 00:24:04,020 --> 00:24:06,149 So I'm going to start this 599 00:24:06,150 --> 00:24:07,819 application again. 
600 00:24:07,820 --> 00:24:10,019 Um, and if you see the splash 601 00:24:10,020 --> 00:24:12,089 screen, please shout to me on 602 00:24:12,090 --> 00:24:14,519 which game this kind of reminds 603 00:24:14,520 --> 00:24:15,520 you. 604 00:24:17,520 --> 00:24:19,799 Yes. I don't know if it's SimCity, but 605 00:24:19,800 --> 00:24:21,449 when I started the application, the first 606 00:24:21,450 --> 00:24:22,679 thing that came to my mind is this looks 607 00:24:22,680 --> 00:24:23,579 like SimCity. 608 00:24:23,580 --> 00:24:25,149 And what this application is doing, 609 00:24:25,150 --> 00:24:27,539 actually, it is an architecture 610 00:24:27,540 --> 00:24:29,609 program, so you can basically 611 00:24:29,610 --> 00:24:31,859 plan houses, plan cities 612 00:24:31,860 --> 00:24:34,139 with this thing and actually 613 00:24:34,140 --> 00:24:36,329 kind of really do 614 00:24:36,330 --> 00:24:38,489 the architecture of your future house or 615 00:24:38,490 --> 00:24:39,719 whatever with it. 616 00:24:39,720 --> 00:24:42,239 It even comes with an AutoCAD 617 00:24:42,240 --> 00:24:44,219 plug-in so you can use it like the stuff 618 00:24:44,220 --> 00:24:45,149 that you create right there. 619 00:24:45,150 --> 00:24:46,949 You can reuse it on your Windows PC if 620 00:24:46,950 --> 00:24:49,019 you have, like a CAD 621 00:24:49,020 --> 00:24:50,789 program right there. 622 00:24:50,790 --> 00:24:52,919 Um, probably everything with 623 00:24:52,920 --> 00:24:54,479 copyright and stuff like that in the 624 00:24:54,480 --> 00:24:55,619 right place. 625 00:24:55,620 --> 00:24:57,389 What else do we have? 626 00:24:57,390 --> 00:25:00,359 There is a cooking application on it. 627 00:25:00,360 --> 00:25:02,429 There are a bunch of more of games 628 00:25:02,430 --> 00:25:04,499 on it.
And then there is one or two 629 00:25:04,500 --> 00:25:06,929 pretty interesting things 630 00:25:06,930 --> 00:25:08,879 that came to our attention when we used 631 00:25:08,880 --> 00:25:10,439 the tablet for the first time. 632 00:25:10,440 --> 00:25:12,420 So if you. 633 00:25:13,940 --> 00:25:16,279 Start the application right here, Trace 634 00:25:16,280 --> 00:25:18,199 Viewer, that is a pretty interesting 635 00:25:18,200 --> 00:25:20,479 thing, because if you start it, 636 00:25:20,480 --> 00:25:22,309 then you will see that it gathers 637 00:25:22,310 --> 00:25:23,689 screenshots. 638 00:25:23,690 --> 00:25:25,999 So what it does is there is a process 639 00:25:26,000 --> 00:25:28,279 in the background that is actually once 640 00:25:28,280 --> 00:25:30,079 you open up an application, it's going to 641 00:25:30,080 --> 00:25:32,599 take a screenshot of the application 642 00:25:32,600 --> 00:25:34,309 and it's going to store it in a secure 643 00:25:34,310 --> 00:25:36,469 way. And the only thing that you can 644 00:25:36,470 --> 00:25:38,359 do with this Trace Viewer is basically see 645 00:25:38,360 --> 00:25:40,909 your browsing history and see 646 00:25:40,910 --> 00:25:43,039 the pictures of the applications that 647 00:25:43,040 --> 00:25:44,839 and the contents that you started. 648 00:25:44,840 --> 00:25:46,549 So from our perspective, this is like a 649 00:25:46,550 --> 00:25:48,529 clear indication that they're going to 650 00:25:48,530 --> 00:25:50,779 tell you we know what you are doing, 651 00:25:50,780 --> 00:25:52,519 so we see what you are doing. 652 00:25:52,520 --> 00:25:54,259 You don't have any chance to delete any 653 00:25:54,260 --> 00:25:55,219 of this stuff. 654 00:25:55,220 --> 00:25:56,839 But we see what you're doing and you 655 00:25:56,840 --> 00:25:58,430 cannot get rid of this information.
656 00:25:59,810 --> 00:26:01,339 The next thing which is pretty 657 00:26:01,340 --> 00:26:02,750 interesting is 658 00:26:03,890 --> 00:26:06,409 if you try to open up a file 659 00:26:06,410 --> 00:26:08,689 on the the tablet, 660 00:26:10,190 --> 00:26:12,559 then you're probably not able 661 00:26:12,560 --> 00:26:14,449 to open any of the stuff that is coming 662 00:26:14,450 --> 00:26:15,679 from outside. 663 00:26:15,680 --> 00:26:17,839 And this was the thing where 664 00:26:17,840 --> 00:26:19,939 we thought we need to 665 00:26:19,940 --> 00:26:22,039 go into detail what is happening right 666 00:26:22,040 --> 00:26:23,989 there and we thought, this is a pretty 667 00:26:23,990 --> 00:26:25,519 powerful mechanism. 668 00:26:25,520 --> 00:26:27,649 So if you just try to open 669 00:26:27,650 --> 00:26:29,299 one of those files, OK, in this case, it's 670 00:26:29,300 --> 00:26:31,609 working. That's bad because 671 00:26:31,610 --> 00:26:33,289 I created this file on this tablet. 672 00:26:33,290 --> 00:26:35,569 If I'm going to open up another file like 673 00:26:35,570 --> 00:26:37,519 this one? And you will see this message. 674 00:26:37,520 --> 00:26:39,499 This is not signed file. 675 00:26:39,500 --> 00:26:41,449 OK, so obviously there is some signing 676 00:26:41,450 --> 00:26:43,549 mechanism on the device that prevents us 677 00:26:43,550 --> 00:26:45,470 from opening arbitrary files. 678 00:26:47,120 --> 00:26:48,859 OK. Can I go back to the computer, 679 00:26:48,860 --> 00:26:49,860 please? 680 00:26:53,480 --> 00:26:54,859 Can I have Nicholas's password, 681 00:26:54,860 --> 00:26:55,860 please? 682 00:26:58,380 --> 00:26:59,489 Should I ask Kim Jong Un? 683 00:27:05,150 --> 00:27:07,249 Do you have an auto erase after like 10 684 00:27:07,250 --> 00:27:09,689 times entering the wrong password? 685 00:27:09,690 --> 00:27:10,690 Not. 686 00:27:14,810 --> 00:27:15,810 Caps lock.
687 00:27:19,910 --> 00:27:22,789 OK, so much for the application demos, 688 00:27:22,790 --> 00:27:24,199 I have two more applications that I 689 00:27:24,200 --> 00:27:26,959 cannot show on the tablet PC for reasons, 690 00:27:26,960 --> 00:27:29,089 but I'm going to show you with some 691 00:27:29,090 --> 00:27:30,709 of the screenshots. So the first thing 692 00:27:30,710 --> 00:27:32,689 which is very, very, very interesting is 693 00:27:32,690 --> 00:27:34,039 that there is a tool called nuck 694 00:27:34,040 --> 00:27:36,169 installed on the tablet PC, and it 695 00:27:36,170 --> 00:27:37,879 is probably used to get connection to the 696 00:27:37,880 --> 00:27:40,279 internet internet of 697 00:27:40,280 --> 00:27:41,569 DPRK. 698 00:27:41,570 --> 00:27:43,369 You can choose like three options dial up 699 00:27:43,370 --> 00:27:45,619 with a modem going by a 700 00:27:45,620 --> 00:27:47,689 local area connection or going 701 00:27:47,690 --> 00:27:49,999 over the internet or whatever it uses. 702 00:27:50,000 --> 00:27:52,069 PANA, which is like, 703 00:27:52,070 --> 00:27:53,509 I've never seen this in the wild. 704 00:27:53,510 --> 00:27:55,009 Wireshark knows the protocol. 705 00:27:55,010 --> 00:27:57,139 I've never seen this so far. 706 00:27:57,140 --> 00:27:58,789 You need to supply login credentials and 707 00:27:58,790 --> 00:28:00,859 then you can choose four different 708 00:28:00,860 --> 00:28:02,929 access points, depending on the city 709 00:28:02,930 --> 00:28:05,569 that you're in. So you can choose like 710 00:28:05,570 --> 00:28:07,669 a network access when you're 711 00:28:07,670 --> 00:28:09,829 in Pyongyang, for example, enter your 712 00:28:09,830 --> 00:28:11,809 credentials and probably get hooked up to 713 00:28:11,810 --> 00:28:13,970 the local intranet of DPRK.
714 00:28:15,230 --> 00:28:16,729 The next one, which is quite interesting 715 00:28:16,730 --> 00:28:18,469 and is running in the background, is Red 716 00:28:18,470 --> 00:28:19,459 Flag. 717 00:28:19,460 --> 00:28:21,409 This tool is the one that is taking the 718 00:28:21,410 --> 00:28:22,729 screenshots in the background. 719 00:28:22,730 --> 00:28:24,919 It's also logging the browser history, 720 00:28:24,920 --> 00:28:26,959 and it is responsible for grabbing the 721 00:28:26,960 --> 00:28:29,029 IMEI, IMSI and the Android ID, so 722 00:28:29,030 --> 00:28:30,769 there is no SIM card installed right 723 00:28:30,770 --> 00:28:32,959 here. Probably this is an indication 724 00:28:32,960 --> 00:28:34,249 that the same algorithm or the same 725 00:28:34,250 --> 00:28:36,319 mechanism is running on 726 00:28:36,320 --> 00:28:38,959 the smartphones that DPRK is providing. 727 00:28:38,960 --> 00:28:40,969 It also is copying some key metric 728 00:28:40,970 --> 00:28:43,369 material around and doing some basic 729 00:28:43,370 --> 00:28:45,139 integrity checking of the system. 730 00:28:45,140 --> 00:28:46,969 And if these integrity checks fail, the 731 00:28:46,970 --> 00:28:48,949 system will be rebooted or shut down. 732 00:28:50,030 --> 00:28:51,559 In addition, there is a whitelist for 733 00:28:51,560 --> 00:28:53,629 applications. So you even if you would be 734 00:28:53,630 --> 00:28:55,039 able to install applications on the 735 00:28:55,040 --> 00:28:57,349 thing, then the whitelist will kick in 736 00:28:57,350 --> 00:28:59,599 and will not let you allow to install 737 00:28:59,600 --> 00:29:01,309 the application. So this is an incomplete 738 00:29:01,310 --> 00:29:03,679 list. I have highlighted some of the 739 00:29:03,680 --> 00:29:05,899 the most interesting parts like Angry 740 00:29:05,900 --> 00:29:08,179 Birds you see at the top or the robot 741 00:29:08,180 --> 00:29:10,129 defense down at the bottom.
742 00:29:10,130 --> 00:29:12,319 So probably we have some 743 00:29:12,320 --> 00:29:14,329 copyright infringements down. 744 00:29:14,330 --> 00:29:16,439 So the last thing that you've seen is, 745 00:29:16,440 --> 00:29:18,709 um, obviously not a black 746 00:29:18,710 --> 00:29:20,779 box analysis anymore, and you 747 00:29:20,780 --> 00:29:22,369 have seen that there is like source code 748 00:29:22,370 --> 00:29:24,409 that we could decompile so we could gain 749 00:29:24,410 --> 00:29:25,639 access to the device. 750 00:29:25,640 --> 00:29:27,409 And Manuel is telling you on how we 751 00:29:27,410 --> 00:29:29,059 achieve to gain access to the device. 752 00:29:37,040 --> 00:29:38,150 OK. Can you hear me? 753 00:29:39,200 --> 00:29:40,200 Yes. All right. 754 00:29:41,360 --> 00:29:43,189 Well, that's Florian gives you more of an 755 00:29:43,190 --> 00:29:45,289 overview of what you can do as a 756 00:29:45,290 --> 00:29:47,179 user with that tablet. 757 00:29:47,180 --> 00:29:48,709 I'm going to get a little bit more 758 00:29:48,710 --> 00:29:50,899 technical, but I try to keep 759 00:29:50,900 --> 00:29:53,299 it as understandable as possible without 760 00:29:53,300 --> 00:29:54,680 losing too much detail 761 00:29:56,000 --> 00:29:57,049 as researchers. 762 00:29:57,050 --> 00:29:59,179 We, of course, wanted to know well, what 763 00:29:59,180 --> 00:30:00,589 goes on on there? 764 00:30:00,590 --> 00:30:02,929 What is that thing actually doing and how 765 00:30:02,930 --> 00:30:05,089 is it achieving such mechanisms that 766 00:30:05,090 --> 00:30:07,189 prevents you from opening arbitrary 767 00:30:07,190 --> 00:30:08,539 files? 768 00:30:08,540 --> 00:30:10,639 But to find that out, we needed 769 00:30:10,640 --> 00:30:13,249 some kind of in-depth analysis. 
770 00:30:13,250 --> 00:30:15,319 But to perform an in-depth analysis, 771 00:30:15,320 --> 00:30:17,599 you'll some your data, the data 772 00:30:17,600 --> 00:30:19,969 from the tablet, and 773 00:30:19,970 --> 00:30:22,189 I'm going to show you how we got 774 00:30:22,190 --> 00:30:23,929 to that data and then the process of 775 00:30:23,930 --> 00:30:25,909 doing so. You'll probably get a good 776 00:30:25,910 --> 00:30:28,249 impression of what they 777 00:30:28,250 --> 00:30:30,649 do to prevent someone from tampering 778 00:30:30,650 --> 00:30:32,030 with their system integrity. 779 00:30:33,110 --> 00:30:35,299 And yeah, what we finally 780 00:30:35,300 --> 00:30:37,429 needed to achieve is either 781 00:30:37,430 --> 00:30:39,649 get a memory dump of this whole tablet 782 00:30:39,650 --> 00:30:42,049 or we need privileged code execution 783 00:30:42,050 --> 00:30:43,789 on that tablet. 784 00:30:43,790 --> 00:30:45,619 And how do we do that? 785 00:30:45,620 --> 00:30:46,820 That's what I'm going to tell you. 786 00:30:49,830 --> 00:30:51,449 Because actually, they did a pretty 787 00:30:51,450 --> 00:30:53,519 decent job in 788 00:30:53,520 --> 00:30:55,799 locking their tablet down. 789 00:30:55,800 --> 00:30:58,259 At first we tried the obvious things like 790 00:30:58,260 --> 00:30:59,909 Is ADB enabled? 791 00:30:59,910 --> 00:31:01,049 No, it wasn't. 792 00:31:01,050 --> 00:31:02,579 Can we enable it? 793 00:31:02,580 --> 00:31:04,379 No, we couldn't. 794 00:31:04,380 --> 00:31:05,879 Are there the developer options? 795 00:31:05,880 --> 00:31:07,889 You know, then you press like five times 796 00:31:07,890 --> 00:31:10,199 the number of Android and then 797 00:31:10,200 --> 00:31:12,299 Boom, you're a developer and you can do 798 00:31:12,300 --> 00:31:14,069 like advanced configuration. 799 00:31:14,070 --> 00:31:16,529 No, they also disabled that.
800 00:31:16,530 --> 00:31:18,929 Can we install arbitrary APK files? No, 801 00:31:18,930 --> 00:31:20,609 Florian already showed that to you. 802 00:31:20,610 --> 00:31:22,889 If you try to install any APK file 803 00:31:22,890 --> 00:31:24,989 like a terminal emulator that would help 804 00:31:24,990 --> 00:31:27,449 us executing arbitrary code, 805 00:31:27,450 --> 00:31:29,729 that didn't work. You need to have signed 806 00:31:29,730 --> 00:31:30,730 APK. 807 00:31:31,840 --> 00:31:34,119 Then we turn that thing off and push 808 00:31:34,120 --> 00:31:36,189 like every button combination 809 00:31:36,190 --> 00:31:38,259 that we could imagine to find out if 810 00:31:38,260 --> 00:31:40,689 there's a recovery or download mode. 811 00:31:40,690 --> 00:31:42,759 But as far as we, we 812 00:31:42,760 --> 00:31:45,069 can pursue that, that wasn't possible. 813 00:31:46,800 --> 00:31:48,839 Then we got a little bit more creative. 814 00:31:49,860 --> 00:31:52,019 We tried to find a file 815 00:31:52,020 --> 00:31:54,239 open dialog in all kinds of applications 816 00:31:54,240 --> 00:31:56,459 because we thought and the family, 817 00:31:56,460 --> 00:31:58,709 you know, you can only access certain 818 00:31:58,710 --> 00:32:01,349 files that are locked to one directory. 819 00:32:01,350 --> 00:32:03,479 So if we can find like applications 820 00:32:03,480 --> 00:32:05,489 that have file open dialogs, we might be 821 00:32:05,490 --> 00:32:07,619 able to traverse directories and get 822 00:32:07,620 --> 00:32:09,429 access to system storage. 823 00:32:10,530 --> 00:32:12,329 And that is actually possible. 824 00:32:12,330 --> 00:32:13,979 There are some applications that are 825 00:32:13,980 --> 00:32:16,199 implementing their own file open dialogs. 826 00:32:16,200 --> 00:32:17,220 And then you can access 827 00:32:18,270 --> 00:32:19,919 files from the system.
828 00:32:19,920 --> 00:32:21,989 But still, you're very limited in the 829 00:32:21,990 --> 00:32:23,189 files that you can access. 830 00:32:23,190 --> 00:32:25,589 Like you can only access certain 831 00:32:25,590 --> 00:32:28,259 file types like data files, 832 00:32:28,260 --> 00:32:31,049 and you won't find a lot of important 833 00:32:31,050 --> 00:32:33,209 system critical information 834 00:32:33,210 --> 00:32:35,729 on a Linux device that is stored as data 835 00:32:35,730 --> 00:32:36,730 60. 836 00:32:38,060 --> 00:32:40,939 Also, if we manage to do so, 837 00:32:40,940 --> 00:32:42,529 we still need to defeat the Android 838 00:32:42,530 --> 00:32:44,359 sandbox somehow because usually on an 839 00:32:44,360 --> 00:32:46,189 Android device, an application in the 840 00:32:46,190 --> 00:32:47,269 sandbox. 841 00:32:47,270 --> 00:32:49,879 So you can't just access any arbitrary 842 00:32:49,880 --> 00:32:50,880 system file. 843 00:32:52,250 --> 00:32:54,589 We also tried attacks by archives 844 00:32:54,590 --> 00:32:56,479 like classical symlink attacks or 845 00:32:56,480 --> 00:32:57,889 directory traversals. 846 00:32:57,890 --> 00:32:59,209 But they weren't possible as well. 847 00:33:00,380 --> 00:33:02,269 We found an application that had a 848 00:33:02,270 --> 00:33:05,029 configuration file that was not signed 849 00:33:05,030 --> 00:33:07,009 and that contained something that looked 850 00:33:07,010 --> 00:33:10,519 like shell command parameters. 851 00:33:10,520 --> 00:33:12,709 But it turns out that either they 852 00:33:12,710 --> 00:33:14,959 ain't or we couldn't exploit that. 853 00:33:16,670 --> 00:33:18,559 Interesting note we found an application 854 00:33:18,560 --> 00:33:21,049 on the tetras, and that application 855 00:33:21,050 --> 00:33:23,179 was coded by some kind, by 856 00:33:23,180 --> 00:33:24,109 some Chinese guy. 857 00:33:24,110 --> 00:33:25,339 We don't know.
858 00:33:25,340 --> 00:33:26,899 But we found the source code for that on 859 00:33:26,900 --> 00:33:28,729 GitHub. And it's actually the same source 860 00:33:28,730 --> 00:33:30,799 code. So they just stole it from GitHub 861 00:33:30,800 --> 00:33:34,279 and installed it to all of their tablets. 862 00:33:34,280 --> 00:33:36,619 And as we got the source code, 863 00:33:36,620 --> 00:33:39,289 we could perform like a more advanced 864 00:33:39,290 --> 00:33:41,539 kind of attack against that. 865 00:33:41,540 --> 00:33:43,549 And we noted that it was writing. 866 00:33:43,550 --> 00:33:45,019 I think it was something related to the 867 00:33:45,020 --> 00:33:47,329 score as a serialized 868 00:33:47,330 --> 00:33:49,939 Java object to the SD card. 869 00:33:49,940 --> 00:33:52,219 And it didn't check for any signature. 870 00:33:52,220 --> 00:33:54,199 So that was a way we might be able to get 871 00:33:54,200 --> 00:33:56,269 in there. But it turns 872 00:33:56,270 --> 00:33:58,069 out on Android, that's a more complex 873 00:33:58,070 --> 00:33:59,930 thing and it didn't work out in our case. 874 00:34:01,060 --> 00:34:03,249 As we saw that they implement that their 875 00:34:03,250 --> 00:34:04,899 own office suite. 876 00:34:04,900 --> 00:34:06,669 We all know those attacks like the last 877 00:34:06,670 --> 00:34:08,499 macro injection. 878 00:34:08,500 --> 00:34:10,509 We also tried that, but no, that didn't 879 00:34:10,510 --> 00:34:12,099 work out as well. 880 00:34:12,100 --> 00:34:13,059 That's only an excerpt. 881 00:34:13,060 --> 00:34:15,339 We tried a lot of more things, but 882 00:34:15,340 --> 00:34:17,649 what came to our minds was someone 883 00:34:17,650 --> 00:34:18,819 must have thought about that. 884 00:34:18,820 --> 00:34:20,919 Someone does not want that we tamper 885 00:34:20,920 --> 00:34:22,599 with their system. 886 00:34:22,600 --> 00:34:23,600 And I mean.
887 00:34:24,210 --> 00:34:26,579 On what you can see in Nicholas part, 888 00:34:26,580 --> 00:34:28,530 that's that's possible. 889 00:34:30,300 --> 00:34:32,699 So let's take a step back. 890 00:34:33,980 --> 00:34:34,968 We all know that there are 891 00:34:34,969 --> 00:34:36,649 vulnerabilities in Android. 892 00:34:36,650 --> 00:34:38,448 And if you follow the Android security 893 00:34:38,449 --> 00:34:40,638 bulletins, you'll notice that like 894 00:34:40,639 --> 00:34:42,799 almost every month, they're popping up 895 00:34:42,800 --> 00:34:45,289 new code execution vulnerabilities. 896 00:34:45,290 --> 00:34:47,209 Why can't we use one of those like 897 00:34:48,409 --> 00:34:50,119 like one of the famous ones, Stagefright, 898 00:34:50,120 --> 00:34:51,120 for example? 899 00:34:51,920 --> 00:34:54,109 While that's in theory possible in 900 00:34:54,110 --> 00:34:55,999 practice, it's quite hard to achieve 901 00:34:56,000 --> 00:34:57,000 because. 902 00:34:57,930 --> 00:35:00,199 This would be like black box exploiting. 903 00:35:01,210 --> 00:35:03,009 In such a situation, you usually have a 904 00:35:03,010 --> 00:35:05,139 device at hand on which you can 905 00:35:05,140 --> 00:35:07,219 attach a debugger and search like for 906 00:35:07,220 --> 00:35:10,029 ASLR bypasses or ROP gadgets. 907 00:35:10,030 --> 00:35:11,619 And we couldn't do so because we only got 908 00:35:11,620 --> 00:35:13,269 one tablet and that wasn't 909 00:35:13,270 --> 00:35:14,270 pre-rooted. 910 00:35:15,340 --> 00:35:17,469 What you can do in such a situation, 911 00:35:17,470 --> 00:35:18,969 you can perform an attack on the 912 00:35:18,970 --> 00:35:22,029 hardware level, like 913 00:35:22,030 --> 00:35:23,679 from what the circuit board looked like 914 00:35:23,680 --> 00:35:26,469 and what we knew about the tablet 915 00:35:26,470 --> 00:35:27,999 and from the complexity that will be 916 00:35:28,000 --> 00:35:30,069 involved.
It seems probable that 917 00:35:30,070 --> 00:35:31,809 they don't use any kind of trusted 918 00:35:31,810 --> 00:35:34,059 platform module or other way to 919 00:35:34,060 --> 00:35:36,039 secure their boot process. 920 00:35:36,040 --> 00:35:38,079 So there might be a good chance that we 921 00:35:38,080 --> 00:35:40,269 just open up the case, dump 922 00:35:40,270 --> 00:35:42,519 or pop off the 923 00:35:42,520 --> 00:35:44,859 storage and dump that using whichever 924 00:35:44,860 --> 00:35:46,109 protocol we need to do that. 925 00:35:48,200 --> 00:35:50,479 Well, that is an option that 926 00:35:50,480 --> 00:35:52,369 might also lead to success. 927 00:35:52,370 --> 00:35:54,439 But suppose you're me and 928 00:35:54,440 --> 00:35:56,599 you're more like that software guy rather 929 00:35:56,600 --> 00:35:57,600 than the hardware guy. 930 00:35:58,970 --> 00:36:00,829 Well, give me a soldering iron, and 931 00:36:00,830 --> 00:36:03,619 chances are that I'll mess this up. 932 00:36:03,620 --> 00:36:04,969 It might be that you're ending up with a 933 00:36:04,970 --> 00:36:07,069 brick and considering that that is 934 00:36:07,070 --> 00:36:09,109 a very valuable device and to get your 935 00:36:09,110 --> 00:36:10,130 hands on such a device. 936 00:36:11,270 --> 00:36:13,489 It's not a feasible option, at least not 937 00:36:13,490 --> 00:36:15,739 for us. Even if you're more 938 00:36:15,740 --> 00:36:18,649 skilled in like soldering than me, 939 00:36:18,650 --> 00:36:20,959 chances are that the that the chip might 940 00:36:20,960 --> 00:36:23,929 get too hard for only too little 941 00:36:23,930 --> 00:36:24,930 and you're screwed up. 942 00:36:31,660 --> 00:36:33,319 We turn back to the internet. 943 00:36:33,320 --> 00:36:35,379 We thought we might find another way 944 00:36:35,380 --> 00:36:37,089 to to access the storage.
945 00:36:39,130 --> 00:36:41,229 And after searching about 946 00:36:41,230 --> 00:36:43,059 the architecture after we popped open the 947 00:36:43,060 --> 00:36:44,499 case, we could see what chips that is 948 00:36:44,500 --> 00:36:45,500 using. 949 00:36:46,180 --> 00:36:49,029 We found the A33 950 00:36:49,030 --> 00:36:50,349 system on a chip. 951 00:36:50,350 --> 00:36:52,869 And what we also found is this tool. 952 00:36:52,870 --> 00:36:54,789 This was half in English, half in 953 00:36:54,790 --> 00:36:56,799 Chinese. So we press some buttons and 954 00:36:56,800 --> 00:36:58,989 we're not really an idea 955 00:36:58,990 --> 00:37:00,069 of what we were doing. 956 00:37:00,070 --> 00:37:03,279 But it was supposed to give you a bootable 957 00:37:03,280 --> 00:37:05,439 image that you just just that you're 958 00:37:05,440 --> 00:37:07,509 just could burn onto an SD card and 959 00:37:07,510 --> 00:37:09,549 plug into your device and just boot it 960 00:37:09,550 --> 00:37:10,449 up. 961 00:37:10,450 --> 00:37:12,609 And we felt like, no, that was 962 00:37:12,610 --> 00:37:13,659 not going to work. 963 00:37:13,660 --> 00:37:15,519 That would that would be one of the first 964 00:37:15,520 --> 00:37:17,109 things that turned off. 965 00:37:17,110 --> 00:37:19,209 And we're plugging the SD card and that 966 00:37:19,210 --> 00:37:20,210 actually worked. 967 00:37:28,980 --> 00:37:30,779 Well, we thought why? 968 00:37:30,780 --> 00:37:32,909 Why did they do that, then why they they 969 00:37:32,910 --> 00:37:35,009 all these hard mechanisms we found in the 970 00:37:35,010 --> 00:37:36,149 first place? 971 00:37:36,150 --> 00:37:37,150 It doesn't make sense. 972 00:37:38,520 --> 00:37:40,289 We can only speculate about that. 973 00:37:40,290 --> 00:37:42,149 But there are some pretty satisfying 974 00:37:42,150 --> 00:37:43,559 explanations.
975 00:37:43,560 --> 00:37:45,029 Well, one would be they just forgot it, 976 00:37:45,030 --> 00:37:46,030 but we don't think so. 977 00:37:48,000 --> 00:37:50,129 It could be that this is a feature of the 978 00:37:50,130 --> 00:37:52,169 system on a chip that the system on a 979 00:37:52,170 --> 00:37:54,359 chip is by default, booting from SD 980 00:37:54,360 --> 00:37:56,309 card if you do not cut certain hot bill 981 00:37:56,310 --> 00:37:58,379 lines. And if they just bought the 982 00:37:58,380 --> 00:38:00,479 hardware from a Chinese manufacturer, it 983 00:38:00,480 --> 00:38:02,729 might be too complex to cut 984 00:38:02,730 --> 00:38:04,739 those hardware lines or reprogram the 985 00:38:04,740 --> 00:38:06,119 system on a chip. 986 00:38:06,120 --> 00:38:07,649 So maybe that's an option. 987 00:38:07,650 --> 00:38:10,409 And if you think again about it, 988 00:38:10,410 --> 00:38:12,479 it's not really contradicting their 989 00:38:12,480 --> 00:38:14,849 security concept because what 990 00:38:14,850 --> 00:38:17,039 is the thing they need to defend against? 991 00:38:18,090 --> 00:38:20,429 They need to defend against a North 992 00:38:20,430 --> 00:38:23,129 Korean traitor or something 993 00:38:23,130 --> 00:38:24,989 who would be inside of North Korea and 994 00:38:24,990 --> 00:38:26,369 try to do this. 995 00:38:26,370 --> 00:38:28,529 And imagine, just imagine 996 00:38:28,530 --> 00:38:31,169 you're sitting in North Korea and 997 00:38:31,170 --> 00:38:33,539 try to access that tool with your 998 00:38:33,540 --> 00:38:35,189 internet access constantly being 999 00:38:35,190 --> 00:38:37,499 monitored or no internet 1000 00:38:37,500 --> 00:38:38,500 access at all. 1001 00:38:39,530 --> 00:38:41,059 I think that's kind of difficult, and 1002 00:38:41,060 --> 00:38:42,860 that's probably the reason they did that.
1003 00:38:44,410 --> 00:38:46,929 Still, as we get code execution, 1004 00:38:46,930 --> 00:38:49,329 we weren't done yet because 1005 00:38:49,330 --> 00:38:50,679 we brought it up that it mentioned it was 1006 00:38:50,680 --> 00:38:52,839 a functioning Linux kernel, but 1007 00:38:52,840 --> 00:38:55,359 it had no way of accessing the memory. 1008 00:38:55,360 --> 00:38:57,729 There was just missing a driver. 1009 00:38:57,730 --> 00:38:59,829 Well, what could we do? 1010 00:38:59,830 --> 00:39:01,929 For one, we could just plug in our logic 1011 00:39:01,930 --> 00:39:03,799 analyzer and analyze what is that thing 1012 00:39:03,800 --> 00:39:05,349 talking over the wire. 1013 00:39:05,350 --> 00:39:07,479 But that would still involve touching the 1014 00:39:07,480 --> 00:39:09,520 hardware, and we decided not to do so. 1015 00:39:10,730 --> 00:39:13,099 So we could also try to get hands 1016 00:39:13,100 --> 00:39:15,169 on the data sheets that were that 1017 00:39:15,170 --> 00:39:17,329 are for this, for this kind of 1018 00:39:17,330 --> 00:39:18,330 flash storage. 1019 00:39:19,190 --> 00:39:21,379 We have that at hand and implementing 1020 00:39:21,380 --> 00:39:23,239 their own driver based on the data sheet 1021 00:39:23,240 --> 00:39:25,489 sounds like a time consuming process. 1022 00:39:25,490 --> 00:39:28,159 So we went with another option. 1023 00:39:28,160 --> 00:39:30,409 Our option was we thought 1024 00:39:30,410 --> 00:39:32,629 it cannot be the case that they 1025 00:39:32,630 --> 00:39:34,249 manufactured the manufacturer. 1026 00:39:34,250 --> 00:39:36,349 They bought that from a whole new 1027 00:39:36,350 --> 00:39:38,449 tablet with completely new hardware 1028 00:39:38,450 --> 00:39:40,009 they never used before. 1029 00:39:40,010 --> 00:39:41,159 At that point in time, we didn't know 1030 00:39:41,160 --> 00:39:42,679 what was the exact 100. 
1031 00:39:42,680 --> 00:39:44,809 We thought there must be 1032 00:39:44,810 --> 00:39:46,969 a different tablet, which uses almost 1033 00:39:46,970 --> 00:39:49,189 the same architecture, and maybe that one 1034 00:39:49,190 --> 00:39:51,229 has a functioning driver. 1035 00:39:51,230 --> 00:39:53,179 So we went to the internet again, and 1036 00:39:53,180 --> 00:39:54,829 this is what we found. 1037 00:39:54,830 --> 00:39:56,959 It's a tablet for. Like at the point of 1038 00:39:56,960 --> 00:39:58,639 time we bought, it was like thirty bucks 1039 00:39:58,640 --> 00:40:00,709 and we thought, well, 30 bucks, 1040 00:40:00,710 --> 00:40:02,299 nothing can go wrong with that. 1041 00:40:02,300 --> 00:40:04,759 And we bought it like two of them. 1042 00:40:04,760 --> 00:40:07,069 And lucky for us, they came already 1043 00:40:07,070 --> 00:40:08,070 pre-rooted. 1044 00:40:09,460 --> 00:40:11,829 So we just could plug in a tab 1045 00:40:11,830 --> 00:40:14,289 and like dump all its contents. 1046 00:40:14,290 --> 00:40:15,929 And we were done. 1047 00:40:15,930 --> 00:40:18,449 We took the kernel and the kernel driver 1048 00:40:18,450 --> 00:40:20,489 for the storage and put that on the 1049 00:40:20,490 --> 00:40:22,499 external SD card, we used to boot. 1050 00:40:22,500 --> 00:40:24,929 And first we plugged it in our fake or 1051 00:40:24,930 --> 00:40:26,639 that tablet. 1052 00:40:26,640 --> 00:40:29,039 And that didn't work out quite as easy 1053 00:40:29,040 --> 00:40:31,289 because the way the driver 1054 00:40:31,290 --> 00:40:33,239 tries to find out how to talk to the 1055 00:40:33,240 --> 00:40:34,919 storage controller. 1056 00:40:34,920 --> 00:40:36,989 But after putting that into 1057 00:40:36,990 --> 00:40:39,329 IDA and reverse engineering the driver, 1058 00:40:39,330 --> 00:40:41,549 we eventually managed to find how 1059 00:40:41,550 --> 00:40:43,739 we could talk to that storage 1060 00:40:43,740 --> 00:40:44,740 controller.
1061 00:40:45,310 --> 00:40:47,439 The question was, would that be 1062 00:40:47,440 --> 00:40:49,929 working on the DPRK tablet? 1063 00:40:49,930 --> 00:40:52,629 So we plug it in and booted it up and 1064 00:40:52,630 --> 00:40:54,489 it actually did work. 1065 00:40:54,490 --> 00:40:56,829 This is the memory dump of the 1066 00:40:56,830 --> 00:40:59,049 of the internal NAND storage, and 1067 00:40:59,050 --> 00:41:01,059 you can see from the partitions that it's 1068 00:41:01,060 --> 00:41:03,279 using. It's quite normal Android 1069 00:41:03,280 --> 00:41:05,049 device. It's like has a bootloader 1070 00:41:05,050 --> 00:41:07,149 partition containing the bootloader. 1071 00:41:07,150 --> 00:41:09,579 It has a boot partition containing the 1072 00:41:09,580 --> 00:41:11,829 default kernel and ramdisk. 1073 00:41:11,830 --> 00:41:13,239 It has a system partition for some 1074 00:41:13,240 --> 00:41:15,099 binaries, a data partition for the 1075 00:41:15,100 --> 00:41:17,529 applications and the recovery partition 1076 00:41:17,530 --> 00:41:19,749 we couldn't trigger. 1077 00:41:19,750 --> 00:41:21,939 And now we really could start doing 1078 00:41:21,940 --> 00:41:24,009 our analysis. And that is what 1079 00:41:24,010 --> 00:41:25,010 Niklaus is going to tell you. 1080 00:41:26,050 --> 00:41:27,050 Thanks. 1081 00:41:35,950 --> 00:41:38,519 OK, if some of you guys who 1082 00:41:38,520 --> 00:41:40,799 probably saw our talk last year 1083 00:41:40,800 --> 00:41:43,259 on Red Star OS. There, we found 1084 00:41:43,260 --> 00:41:44,879 some really interesting features 1085 00:41:44,880 --> 00:41:47,579 regarding the privacy invasion of those 1086 00:41:47,580 --> 00:41:49,559 operating systems.
1087 00:41:49,560 --> 00:41:51,179 As soon as we got access to the device, 1088 00:41:51,180 --> 00:41:53,069 we were curious if there might be some 1089 00:41:53,070 --> 00:41:55,619 similar mechanism or probably 1090 00:41:55,620 --> 00:41:57,929 something that is even 1091 00:41:57,930 --> 00:42:00,539 worse, like this mechanism on the 1092 00:42:00,540 --> 00:42:02,639 tablets. And as soon 1093 00:42:02,640 --> 00:42:04,709 as we were able to access most of the 1094 00:42:04,710 --> 00:42:06,839 libraries, then we saw there 1095 00:42:06,840 --> 00:42:09,089 are actually two mechanisms 1096 00:42:09,090 --> 00:42:10,919 on the Woolim devices. 1097 00:42:10,920 --> 00:42:12,779 One of them is basically a watermarking 1098 00:42:12,780 --> 00:42:15,149 mechanism, which is most likely the same 1099 00:42:15,150 --> 00:42:17,309 one as in Red Star as 1100 00:42:17,310 --> 00:42:18,269 it even looks like. 1101 00:42:18,270 --> 00:42:20,579 It's just refactored version 1102 00:42:20,580 --> 00:42:22,649 of two components in the Red Star OS 1103 00:42:22,650 --> 00:42:24,569 operating system, and it's doing 1104 00:42:24,570 --> 00:42:26,189 basically the same watermarking. 1105 00:42:27,330 --> 00:42:29,609 We didn't see any code that is actually 1106 00:42:29,610 --> 00:42:30,749 using this library. 1107 00:42:30,750 --> 00:42:32,909 So the active operating 1108 00:42:32,910 --> 00:42:34,889 system, what we saw there, it's not 1109 00:42:34,890 --> 00:42:37,109 actually watermarking any files 1110 00:42:37,110 --> 00:42:38,759 in terms of the watermarks, like in Red 1111 00:42:38,760 --> 00:42:40,829 Star OS, but it actually has 1112 00:42:40,830 --> 00:42:42,899 the code there and we think that it might 1113 00:42:42,900 --> 00:42:45,929 be just for compatibility reasons.
1114 00:42:45,930 --> 00:42:47,969 What was more interesting is that there 1115 00:42:47,970 --> 00:42:50,219 is an even more advanced and even more 1116 00:42:50,220 --> 00:42:52,349 restrictive way of controlling 1117 00:42:52,350 --> 00:42:54,959 the media distribution within North Korea 1118 00:42:54,960 --> 00:42:56,969 on the devices. 1119 00:42:56,970 --> 00:42:59,010 And it's based on digital signatures. 1120 00:43:00,840 --> 00:43:02,969 Just a quick recap of what we were 1121 00:43:02,970 --> 00:43:04,529 talking about last year. 1122 00:43:04,530 --> 00:43:07,109 What you're seeing here is an example 1123 00:43:07,110 --> 00:43:09,449 of a Word document, and 1124 00:43:09,450 --> 00:43:11,609 the marked part here is basically 1125 00:43:11,610 --> 00:43:13,529 the encrypted form of the plain text that 1126 00:43:13,530 --> 00:43:14,969 you're seeing below. 1127 00:43:14,970 --> 00:43:17,429 And this is basically just a watermark 1128 00:43:17,430 --> 00:43:19,799 that allows you to identify 1129 00:43:19,800 --> 00:43:22,079 a specific Red Star installation. 1130 00:43:22,080 --> 00:43:24,329 And just if you're curious if you want 1131 00:43:24,330 --> 00:43:25,799 to get to know how it's working there are 1132 00:43:25,800 --> 00:43:27,479 actually decryption tools in this 1133 00:43:27,480 --> 00:43:28,709 repository. 1134 00:43:28,710 --> 00:43:29,879 But it's really, really simple. 1135 00:43:29,880 --> 00:43:31,169 It's not rocket science, how it's 1136 00:43:31,170 --> 00:43:33,299 working, but when 1137 00:43:33,300 --> 00:43:35,429 you're doing this in the 1138 00:43:35,430 --> 00:43:36,779 wild, basically, when you have the 1139 00:43:36,780 --> 00:43:39,209 original file at the top and 1140 00:43:39,210 --> 00:43:41,399 the red part here is basically 1141 00:43:41,400 --> 00:43:43,409 the end of the actual image as a JPEG 1142 00:43:43,410 --> 00:43:45,719 file and as soon as the user 1143 00:43:45,720 --> 00:43:47,099 is getting.
1144 00:43:47,100 --> 00:43:48,839 For example, if it's on a removable media 1145 00:43:48,840 --> 00:43:50,669 device and you're plugging it into a Red 1146 00:43:50,670 --> 00:43:53,009 Star system, then it appends bytes 1147 00:43:53,010 --> 00:43:54,599 at the end of the file. 1148 00:43:54,600 --> 00:43:56,459 And if you're giving this file, then to 1149 00:43:56,460 --> 00:43:58,439 another user running Red Star OS, there 1150 00:43:58,440 --> 00:44:00,369 are even more files at the end of the 1151 00:44:00,370 --> 00:44:01,679 JPEG. 1152 00:44:01,680 --> 00:44:03,059 And what you're seeing here are the green 1153 00:44:03,060 --> 00:44:05,219 part is basically the watermark that 1154 00:44:05,220 --> 00:44:07,409 identifies the first user and 1155 00:44:07,410 --> 00:44:09,539 the orange watermark identifies 1156 00:44:09,540 --> 00:44:11,429 the second user. 1157 00:44:11,430 --> 00:44:13,409 What is quite interesting here is that 1158 00:44:13,410 --> 00:44:15,719 when you are seeing 1159 00:44:15,720 --> 00:44:18,599 this from a government perspective, 1160 00:44:18,600 --> 00:44:21,479 just to give you an impression 1161 00:44:21,480 --> 00:44:23,879 when you're having a normal JPEG 1162 00:44:23,880 --> 00:44:25,559 image and you're having it on one Red 1163 00:44:25,560 --> 00:44:27,659 Star system, put 1164 00:44:27,660 --> 00:44:29,639 it on a removable media, give it to a 1165 00:44:29,640 --> 00:44:31,779 friend or whatever someone that you're 1166 00:44:31,780 --> 00:44:34,199 affiliated with, and it will apply 1167 00:44:34,200 --> 00:44:36,389 the watermark of the second system. 1168 00:44:36,390 --> 00:44:38,999 If you do it again, then with your friend 1169 00:44:39,000 --> 00:44:41,099 or like minded 1170 00:44:41,100 --> 00:44:43,319 people, then the image 1171 00:44:43,320 --> 00:44:45,449 will actually contain references to all 1172 00:44:45,450 --> 00:44:48,689 three operating system instances.
1173 00:44:48,690 --> 00:44:50,759 If then, the government gets access to, 1174 00:44:50,760 --> 00:44:52,919 for example, the system of the third 1175 00:44:52,920 --> 00:44:55,259 user and gets access to this JPEG 1176 00:44:55,260 --> 00:44:57,749 file and they want to know, OK, 1177 00:44:57,750 --> 00:44:59,909 what is the source of this file and who 1178 00:44:59,910 --> 00:45:01,619 has had access to this file? 1179 00:45:01,620 --> 00:45:03,359 Then they are basically able with this 1180 00:45:03,360 --> 00:45:05,429 single file to track down 1181 00:45:05,430 --> 00:45:08,219 dissidents or traitors or whatever, 1182 00:45:08,220 --> 00:45:10,379 because it allows you to reference all 1183 00:45:10,380 --> 00:45:12,119 the users that have access to this file. 1184 00:45:13,530 --> 00:45:15,539 And what you think you could do if you do 1185 00:45:15,540 --> 00:45:17,699 this on a large scale, 1186 00:45:17,700 --> 00:45:20,369 like in a complete country, for example, 1187 00:45:20,370 --> 00:45:22,949 it allows you to connect social networks. 1188 00:45:22,950 --> 00:45:24,779 It allows you to connect connection 1189 00:45:24,780 --> 00:45:26,789 between connections between dissidents, 1190 00:45:26,790 --> 00:45:29,099 connections between creators and what 1191 00:45:29,100 --> 00:45:30,929 what it then allows you is not only shut 1192 00:45:30,930 --> 00:45:33,299 down users where you, for example, 1193 00:45:33,300 --> 00:45:34,829 have access to a system and you found 1194 00:45:34,830 --> 00:45:37,109 this file, you're also able to shut 1195 00:45:37,110 --> 00:45:38,819 down the sources of those files. 
1196 00:45:38,820 --> 00:45:41,519 So, for example, users that create files 1197 00:45:41,520 --> 00:45:44,039 or users that import files from 1198 00:45:44,040 --> 00:45:46,109 outside of the country and you 1199 00:45:46,110 --> 00:45:47,579 are basically able then to shut down to 1200 00:45:47,580 --> 00:45:49,649 complete all the 1201 00:45:49,650 --> 00:45:51,899 connections then between those 1202 00:45:51,900 --> 00:45:52,409 suspected 1203 00:45:52,410 --> 00:45:53,410 people 1204 00:45:53,890 --> 00:45:56,039 and what Woolim does, Woolim is way 1205 00:45:56,040 --> 00:45:59,189 more restrictive than what 1206 00:45:59,190 --> 00:46:00,719 one Red Star was doing. 1207 00:46:00,720 --> 00:46:03,089 It can actually do the same thing as 1208 00:46:03,090 --> 00:46:04,619 the Red Star has done. 1209 00:46:04,620 --> 00:46:07,139 But on top of this, there is another more 1210 00:46:07,140 --> 00:46:09,389 restrictive way of not only 1211 00:46:09,390 --> 00:46:11,969 tracing the distribution of media, 1212 00:46:11,970 --> 00:46:14,159 but the the the goal of Woolim is 1213 00:46:14,160 --> 00:46:16,379 to basically prevent the distribution 1214 00:46:16,380 --> 00:46:17,669 of media. 1215 00:46:17,670 --> 00:46:19,349 And this is quite interesting how they 1216 00:46:19,350 --> 00:46:21,539 are doing this, and it's 1217 00:46:21,540 --> 00:46:23,729 really effective what they are doing. 1218 00:46:23,730 --> 00:46:25,019 So what it's what they are doing 1219 00:46:25,020 --> 00:46:27,809 basically is use cryptographic signatures 1220 00:46:27,810 --> 00:46:29,999 and the government has control over those 1221 00:46:30,000 --> 00:46:31,079 signatures. 1222 00:46:31,080 --> 00:46:32,489 And if you are controlling the 1223 00:46:32,490 --> 00:46:34,299 signatures, if you are able.
1224 00:46:34,300 --> 00:46:37,179 Who signed files and if you are the only 1225 00:46:37,180 --> 00:46:39,279 entity that can sign files, then you 1226 00:46:39,280 --> 00:46:41,439 have the complete control over all media 1227 00:46:41,440 --> 00:46:42,819 sources. 1228 00:46:42,820 --> 00:46:45,129 And what is what should be noted 1229 00:46:45,130 --> 00:46:47,889 here is that compared to Red Star, 1230 00:46:47,890 --> 00:46:49,959 which had just implemented 1231 00:46:49,960 --> 00:46:51,729 the most functionality into a kernel 1232 00:46:51,730 --> 00:46:54,459 module that just hooked the system calls 1233 00:46:54,460 --> 00:46:56,739 in Woolim, all of this is explicit. 1234 00:46:56,740 --> 00:46:58,899 So each and every application has 1235 00:46:58,900 --> 00:47:00,609 to do own signature checks. 1236 00:47:00,610 --> 00:47:02,559 It's not the operating system itself that 1237 00:47:02,560 --> 00:47:04,199 provides this functionality. 1238 00:47:04,200 --> 00:47:06,429 The operating system is just providing 1239 00:47:06,430 --> 00:47:09,039 a library, but each and every application 1240 00:47:09,040 --> 00:47:11,109 is responsible for the signature 1241 00:47:11,110 --> 00:47:12,110 checks. 1242 00:47:13,180 --> 00:47:15,579 These are done basically within native 1243 00:47:15,580 --> 00:47:17,619 library in Java, so each and every 1244 00:47:17,620 --> 00:47:19,719 application can use this native library 1245 00:47:19,720 --> 00:47:22,299 from within the Java source code. 1246 00:47:22,300 --> 00:47:24,339 The package is actually called government 1247 00:47:24,340 --> 00:47:26,469 no media, which is quite interesting. 1248 00:47:27,490 --> 00:47:29,109 It's actually called when you are, for 1249 00:47:29,110 --> 00:47:31,629 example, opening a file in what 1250 00:47:31,630 --> 00:47:33,369 what we saw the office suite.
1251 00:47:33,370 --> 00:47:35,259 When you're opening a file, then it's 1252 00:47:35,260 --> 00:47:38,259 basically doing some license checks. 1253 00:47:38,260 --> 00:47:40,389 So the functions are, uh, more or less 1254 00:47:40,390 --> 00:47:42,459 concealed like license checks when you're 1255 00:47:42,460 --> 00:47:44,889 opening files or when you're saving files 1256 00:47:44,890 --> 00:47:47,259 then they are in the background calling 1257 00:47:47,260 --> 00:47:48,789 these functions in those native 1258 00:47:48,790 --> 00:47:49,790 libraries. 1259 00:47:50,440 --> 00:47:52,509 Woolim provides two ways of signing 1260 00:47:52,510 --> 00:47:53,559 files. 1261 00:47:53,560 --> 00:47:55,899 These are referred to in the code as not 1262 00:47:55,900 --> 00:47:58,089 sign. Basically, call nation 1263 00:47:58,090 --> 00:48:00,309 signing, which are 1264 00:48:00,310 --> 00:48:02,559 signatures by the government, and there 1265 00:48:02,560 --> 00:48:04,629 are self signed signatures which 1266 00:48:04,630 --> 00:48:07,329 are done by the devices themselves. 1267 00:48:08,650 --> 00:48:10,389 If a file doesn't have a proper 1268 00:48:10,390 --> 00:48:12,429 signature, then all of these applications 1269 00:48:12,430 --> 00:48:14,229 that are doing signature checks will 1270 00:48:14,230 --> 00:48:15,940 prevent you from opening those files.
1271 00:48:17,870 --> 00:48:19,969 This is a quick example of 1272 00:48:19,970 --> 00:48:22,039 how one of those native 1273 00:48:22,040 --> 00:48:24,139 libraries looks like you have some 1274 00:48:24,140 --> 00:48:26,239 basic functions that allow you to 1275 00:48:26,240 --> 00:48:28,399 get some information of the of the 1276 00:48:28,400 --> 00:48:30,679 of the device, which are used then to put 1277 00:48:30,680 --> 00:48:32,989 into signatures or check the content 1278 00:48:32,990 --> 00:48:35,209 of existing signatures 1279 00:48:35,210 --> 00:48:37,339 and basically provide you with these easy 1280 00:48:37,340 --> 00:48:39,979 functions, like is it a valid signature 1281 00:48:39,980 --> 00:48:40,909 or not? 1282 00:48:40,910 --> 00:48:43,009 Because all of the, uh, the the 1283 00:48:43,010 --> 00:48:44,749 rest of the code should should do the 1284 00:48:44,750 --> 00:48:47,029 stuff like print if the file cannot 1285 00:48:47,030 --> 00:48:48,019 be opened. 1286 00:48:48,020 --> 00:48:49,219 And this is quite interesting because 1287 00:48:49,220 --> 00:48:50,569 there are some applications that just 1288 00:48:50,570 --> 00:48:52,339 have different error messages for the 1289 00:48:52,340 --> 00:48:53,389 same situation. 1290 00:48:53,390 --> 00:48:55,129 So this is not a library, but all the 1291 00:48:55,130 --> 00:48:56,689 applications. 1292 00:48:56,690 --> 00:48:58,789 Here's a quick list of most of the 1293 00:48:58,790 --> 00:49:00,049 applications that are doing these 1294 00:49:00,050 --> 00:49:02,659 signature checks, so you can get a brief 1295 00:49:02,660 --> 00:49:05,449 overview of what they are really 1296 00:49:05,450 --> 00:49:08,059 focusing on when it comes to 1297 00:49:08,060 --> 00:49:10,039 the files that they are really interested 1298 00:49:10,040 --> 00:49:11,040 in. 
1299 00:49:12,350 --> 00:49:14,299 Just some quick words about the nation 1300 00:49:14,300 --> 00:49:16,729 sign, and the code mostly also 1301 00:49:16,730 --> 00:49:19,399 refers to it as government signing. 1302 00:49:19,400 --> 00:49:21,829 It's basically an RSA 1303 00:49:21,830 --> 00:49:24,559 signature with a 2048 1304 00:49:24,560 --> 00:49:25,939 bit RSA key. 1305 00:49:25,940 --> 00:49:27,769 And the public is just stored on the 1306 00:49:27,770 --> 00:49:29,779 device, the private key's held by the 1307 00:49:29,780 --> 00:49:30,780 government. 1308 00:49:31,490 --> 00:49:34,129 And in addition to the signatures, 1309 00:49:34,130 --> 00:49:36,319 it just do. It does a lot of obfuscation 1310 00:49:36,320 --> 00:49:37,369 work. 1311 00:49:37,370 --> 00:49:39,439 So also on a bit level is trying just to 1312 00:49:39,440 --> 00:49:40,639 shift some bits. 1313 00:49:40,640 --> 00:49:42,589 We think that it's just doing this to 1314 00:49:42,590 --> 00:49:44,929 make it harder to sign 1315 00:49:44,930 --> 00:49:47,539 to find the files yourself, 1316 00:49:47,540 --> 00:49:49,039 but it's nothing really. 1317 00:49:49,040 --> 00:49:50,989 From a security point of view, it's it 1318 00:49:50,990 --> 00:49:52,010 doesn't make any difference. 1319 00:49:53,390 --> 00:49:55,639 What we focus more on is the self signing 1320 00:49:55,640 --> 00:49:56,640 mechanism 1321 00:49:58,070 --> 00:50:00,199 because it looks a lot more 1322 00:50:00,200 --> 00:50:02,479 interesting because the nation signing 1323 00:50:02,480 --> 00:50:04,939 is basically a signature. 1324 00:50:04,940 --> 00:50:07,489 Self signing is a combination of 1325 00:50:07,490 --> 00:50:09,349 symmetric encryption, and so there is 1326 00:50:09,350 --> 00:50:11,659 some power that is just encrypted. 1327 00:50:11,660 --> 00:50:13,819 What is notable here is that it's 1328 00:50:13,820 --> 00:50:15,979 Rijndael.
It's the basic 1329 00:50:15,980 --> 00:50:18,169 algorithm behind AES, 1330 00:50:18,170 --> 00:50:19,789 but they are not using AES. 1331 00:50:19,790 --> 00:50:21,889 They are using a really specific form 1332 00:50:21,890 --> 00:50:25,069 there because they're not only using 256 1333 00:50:25,070 --> 00:50:27,169 bit keys, but also 256 1334 00:50:27,170 --> 00:50:29,839 bit blocks. So they always encrypting 1335 00:50:29,840 --> 00:50:32,779 32 bits bytes at a time, 1336 00:50:32,780 --> 00:50:34,639 which is not possible with AES. 1337 00:50:35,720 --> 00:50:38,029 They are also doing RSA signatures. 1338 00:50:38,030 --> 00:50:40,309 And what they're basically doing is 1339 00:50:40,310 --> 00:50:42,499 create a signature over the hash 1340 00:50:42,500 --> 00:50:44,719 of a file. So they just mostly 1341 00:50:44,720 --> 00:50:46,369 they've called for SHA two hundred and 1342 00:50:46,370 --> 00:50:48,499 twenty four, but they are mostly using 1343 00:50:48,500 --> 00:50:50,449 two hundred and fifty six bits. 1344 00:50:51,710 --> 00:50:53,779 There's also a file called Legal Ref Dot 1345 00:50:53,780 --> 00:50:55,189 Dot on the fire. 1346 00:50:55,190 --> 00:50:57,229 We saw this red flag application. 1347 00:50:57,230 --> 00:50:59,449 This application is responsible 1348 00:50:59,450 --> 00:51:01,509 for reading the IMEI and the 1349 00:51:01,510 --> 00:51:03,619 IMSI of the of the device 1350 00:51:03,620 --> 00:51:05,539 and also the Android ID. 1351 00:51:05,540 --> 00:51:07,819 These will be stored in this legal ref 1352 00:51:07,820 --> 00:51:09,499 file, which is basically a legal 1353 00:51:09,500 --> 00:51:12,079 reference of each and every device. 1354 00:51:12,080 --> 00:51:14,299 This is like basically 1355 00:51:14,300 --> 00:51:16,449 the same thing, a little bit more 1356 00:51:16,450 --> 00:51:18,110 advanced, but the same thing 1357 00:51:19,160 --> 00:51:21,529 like in Red Star OS with the watermark.
1358 00:51:21,530 --> 00:51:23,659 Here you have a legal identity, how it's 1359 00:51:23,660 --> 00:51:25,999 referred into the code, and this is also 1360 00:51:26,000 --> 00:51:27,889 included in the signatures. 1361 00:51:27,890 --> 00:51:30,049 It's not only a signature of the file 1362 00:51:30,050 --> 00:51:32,419 itself, but it also always puts your 1363 00:51:32,420 --> 00:51:34,519 identity into those files. 1364 00:51:34,520 --> 00:51:36,619 So this is also quite similar to the way 1365 00:51:36,620 --> 00:51:38,839 Red Star watermarking files, and 1366 00:51:38,840 --> 00:51:40,909 it's only implemented basically to 1367 00:51:40,910 --> 00:51:43,099 allow you to create files on 1368 00:51:43,100 --> 00:51:45,299 the device itself and open those. 1369 00:51:45,300 --> 00:51:47,239 Though you have a camera on the device, 1370 00:51:47,240 --> 00:51:49,099 you can take pictures there and you are 1371 00:51:49,100 --> 00:51:51,199 basically able to 1372 00:51:51,200 --> 00:51:53,239 open those pictures on your own device. 1373 00:51:55,080 --> 00:51:56,059 A signature. 1374 00:51:56,060 --> 00:51:58,219 Technically, it looks like this 1375 00:51:58,220 --> 00:52:00,409 signatures are fixed to have a fixed 1376 00:52:00,410 --> 00:52:02,359 size of seven hundred and ninety two 1377 00:52:02,360 --> 00:52:03,499 bytes. 1378 00:52:03,500 --> 00:52:05,869 So even if you are creating a text file, 1379 00:52:05,870 --> 00:52:07,729 which is a character, it will always 1380 00:52:07,730 --> 00:52:09,859 append seven hundred and ninety two bytes 1381 00:52:09,860 --> 00:52:11,239 to the file. 1382 00:52:11,240 --> 00:52:13,039 If you open it with, uh, for example, 1383 00:52:13,040 --> 00:52:15,109 text editor, you will never see the 1384 00:52:15,110 --> 00:52:17,059 signature because it's responsible for 1385 00:52:17,060 --> 00:52:18,709 checking it and removing it again from 1386 00:52:18,710 --> 00:52:20,689 the file when you open it.
1387 00:52:20,690 --> 00:52:23,419 But the top part here is the SHA. 1388 00:52:23,420 --> 00:52:25,579 The RSA signature of the of the hash 1389 00:52:25,580 --> 00:52:27,859 of the file, and the green part 1390 00:52:27,860 --> 00:52:30,689 is encrypted and it 1391 00:52:30,690 --> 00:52:33,049 the most interesting content here 1392 00:52:33,050 --> 00:52:35,419 is your IMSI and IMEI 1393 00:52:35,420 --> 00:52:37,429 of the device. 1394 00:52:37,430 --> 00:52:40,179 The rest of it is basically just null bytes 1395 00:52:40,180 --> 00:52:42,139 and they have implemented. 1396 00:52:42,140 --> 00:52:44,389 They have not implemented it with padding 1397 00:52:44,390 --> 00:52:46,699 and they are using kind of like 1398 00:52:46,700 --> 00:52:48,949 ECB mode, but they have 1399 00:52:48,950 --> 00:52:50,449 like really at the end of the file. 1400 00:52:50,450 --> 00:52:51,829 It's quite interesting what they've 1401 00:52:51,830 --> 00:52:54,029 implemented, but I think it's just 1402 00:52:54,030 --> 00:52:56,629 that they didn't want to use padding 1403 00:52:56,630 --> 00:52:59,569 because they always encrypting 520 1404 00:52:59,570 --> 00:53:01,819 bytes, which is not possible 1405 00:53:01,820 --> 00:53:02,820 by default. 1406 00:53:03,950 --> 00:53:06,259 And the files that are affected by this 1407 00:53:06,260 --> 00:53:08,779 Hurricane Z, just an example of the 1408 00:53:08,780 --> 00:53:11,749 office suite, which is called Dock. 1409 00:53:11,750 --> 00:53:13,549 These are files that are checked by this 1410 00:53:13,550 --> 00:53:14,959 specific application. 1411 00:53:14,960 --> 00:53:16,589 Like I said, each and every app 1412 00:53:16,590 --> 00:53:18,479 is responsible for doing the signature 1413 00:53:18,480 --> 00:53:19,709 checks themselves.
1414 00:53:19,710 --> 00:53:22,199 So if you want to only check 1415 00:53:22,200 --> 00:53:24,299 specific application types, then 1416 00:53:24,300 --> 00:53:26,729 you as an application are responsible for 1417 00:53:26,730 --> 00:53:28,199 doing those checks. 1418 00:53:28,200 --> 00:53:30,059 And these are basically all of the 1419 00:53:30,060 --> 00:53:32,219 typical media files, 1420 00:53:32,220 --> 00:53:34,439 sound and video and stuff like that, but 1421 00:53:34,440 --> 00:53:36,629 also plain text files 1422 00:53:36,630 --> 00:53:39,389 and plain HTML files are affected. 1423 00:53:39,390 --> 00:53:41,849 And what is also affected are APK files. 1424 00:53:41,850 --> 00:53:44,579 So if you want to install an application, 1425 00:53:44,580 --> 00:53:47,189 you not only have the typical APK 1426 00:53:47,190 --> 00:53:49,619 signing mechanism, you have an additional 1427 00:53:49,620 --> 00:53:51,389 signing mechanism with their reserved 1428 00:53:51,390 --> 00:53:53,489 signing, basically because 1429 00:53:53,490 --> 00:53:55,559 Woolim also checks APK files 1430 00:53:55,560 --> 00:53:57,659 when you're trying to install those. 1431 00:53:57,660 --> 00:53:59,549 So if you want to install a valid APK 1432 00:53:59,550 --> 00:54:01,919 file, it would have to have two 1433 00:54:01,920 --> 00:54:03,809 valid signatures from two completely 1434 00:54:03,810 --> 00:54:04,810 different sources. 1435 00:54:06,690 --> 00:54:08,909 Just to give you an impression of 1436 00:54:08,910 --> 00:54:11,399 what they are, they're actually 1437 00:54:11,400 --> 00:54:13,769 achieving with all of this signature 1438 00:54:13,770 --> 00:54:15,029 stuff here. 1439 00:54:15,030 --> 00:54:17,279 When you have a Woolim device, there 1440 00:54:17,280 --> 00:54:20,519 are two valid sources of files.
1441 00:54:20,520 --> 00:54:23,189 You can have the government, which 1442 00:54:23,190 --> 00:54:25,169 which basically controls all the files 1443 00:54:25,170 --> 00:54:27,779 that can be distributed within the DPRK, 1444 00:54:27,780 --> 00:54:30,029 and they can 1445 00:54:30,030 --> 00:54:31,469 sign those files and they have the 1446 00:54:31,470 --> 00:54:33,809 ultimate power of controlling 1447 00:54:33,810 --> 00:54:35,609 what media is distributed. 1448 00:54:35,610 --> 00:54:37,529 Basically, what media like you can open 1449 00:54:37,530 --> 00:54:39,929 on your Woolim tablet PC. 1450 00:54:39,930 --> 00:54:42,509 The other way is that you can open 1451 00:54:42,510 --> 00:54:44,849 files or documents, for example, 1452 00:54:44,850 --> 00:54:47,009 that have been created by the file 1453 00:54:47,010 --> 00:54:48,509 by the device itself. 1454 00:54:48,510 --> 00:54:50,849 So you only have these two ways of 1455 00:54:50,850 --> 00:54:53,069 sharing files if I want to. 1456 00:54:53,070 --> 00:54:55,379 For example, if I have 1457 00:54:55,380 --> 00:54:57,239 a friend with another Woolim device and 1458 00:54:57,240 --> 00:54:59,099 he takes a picture with his camera. 1459 00:54:59,100 --> 00:55:01,049 He cannot just put it on a removable 1460 00:55:01,050 --> 00:55:02,429 media and give it to me. 1461 00:55:02,430 --> 00:55:04,499 And I'm basically not able to open 1462 00:55:04,500 --> 00:55:06,839 this file because the signature 1463 00:55:06,840 --> 00:55:08,969 is or basically the legal reference 1464 00:55:08,970 --> 00:55:11,009 in the signature is wrong.
1465 00:55:11,010 --> 00:55:13,289 And they're really not 1466 00:55:13,290 --> 00:55:16,079 only shutting down what is inside 1467 00:55:16,080 --> 00:55:17,999 of North Korea at the moment, like 1468 00:55:18,000 --> 00:55:20,279 different Woolim devices and flecks 1469 00:55:20,280 --> 00:55:22,559 of Red Star devices, but also everything 1470 00:55:22,560 --> 00:55:23,999 that is coming from outside of North 1471 00:55:24,000 --> 00:55:26,189 Korea. If you would want 1472 00:55:26,190 --> 00:55:28,829 to put books or Wikipedia 1473 00:55:28,830 --> 00:55:31,169 articles on removable media 1474 00:55:31,170 --> 00:55:33,239 and try to import it to the 1475 00:55:33,240 --> 00:55:35,339 DPRK, then you would not be 1476 00:55:35,340 --> 00:55:37,289 able to open those with one of those 1477 00:55:37,290 --> 00:55:38,309 Woolim tablets. 1478 00:55:38,310 --> 00:55:40,379 So all of the outside sources 1479 00:55:40,380 --> 00:55:42,479 are basically not usable by the 1480 00:55:42,480 --> 00:55:43,480 public. 1481 00:55:46,500 --> 00:55:48,899 OK, so 1482 00:55:48,900 --> 00:55:50,999 this basically wraps up 1483 00:55:51,000 --> 00:55:52,439 our findings from Red Star. 1484 00:55:52,440 --> 00:55:54,389 We got five more minutes I have seen we 1485 00:55:54,390 --> 00:55:55,949 would like to say thank you to a few 1486 00:55:55,950 --> 00:55:58,319 people right here, especially 1487 00:55:58,320 --> 00:55:59,829 we would like to thank. 1488 00:55:59,830 --> 00:56:02,219 I think they are from South Korea 1489 00:56:02,220 --> 00:56:04,560 is an NGO and they are trying to get 1490 00:56:06,090 --> 00:56:08,219 information into North Korea. 1491 00:56:08,220 --> 00:56:10,139 And these are the guys that provided us 1492 00:56:10,140 --> 00:56:11,939 the tablet.
And we would like to say a 1493 00:56:11,940 --> 00:56:13,769 big thank you to these guys and all of 1494 00:56:13,770 --> 00:56:16,139 the guys that kind of got the tablet PC 1495 00:56:16,140 --> 00:56:17,219 out of DPRK. 1496 00:56:17,220 --> 00:56:18,329 So that helped us a lot. 1497 00:56:19,770 --> 00:56:20,770 Yeah. 1498 00:56:27,840 --> 00:56:29,969 So concerning future work, we 1499 00:56:29,970 --> 00:56:32,069 will try in the future to free some of 1500 00:56:32,070 --> 00:56:33,569 the information that is on the tablet, 1501 00:56:33,570 --> 00:56:35,279 there are a lot of dictionaries, a lot of 1502 00:56:35,280 --> 00:56:37,619 books that you need to buy 1503 00:56:37,620 --> 00:56:39,479 if you want to get an insight on what is 1504 00:56:39,480 --> 00:56:41,399 happening or you don't get access at all. 1505 00:56:41,400 --> 00:56:43,799 We would like to free this information 1506 00:56:43,800 --> 00:56:45,060 and make it available 1507 00:56:46,230 --> 00:56:48,509 if you are in possession of 1508 00:56:48,510 --> 00:56:50,729 technology from DPRK and you want 1509 00:56:50,730 --> 00:56:52,289 it to be analyzed. 1510 00:56:52,290 --> 00:56:53,549 Please approach us. 1511 00:56:53,550 --> 00:56:55,499 We would be happy to be here next year 1512 00:56:55,500 --> 00:56:57,479 with another talk on another hard- or 1513 00:56:57,480 --> 00:57:00,149 software of DPRK. 1514 00:57:00,150 --> 00:57:02,279 We ourselves got some more stuff that 1515 00:57:02,280 --> 00:57:04,529 we are looking into right now. 1516 00:57:04,530 --> 00:57:06,779 We hope to be back here next 1517 00:57:06,780 --> 00:57:09,089 year, so from this wraps 1518 00:57:09,090 --> 00:57:10,139 it up. 1519 00:57:10,140 --> 00:57:11,639 I hope you had a little bit fun and it 1520 00:57:11,640 --> 00:57:12,689 was informational. 1521 00:57:12,690 --> 00:57:14,550 Now we can go into the questions. 1522 00:57:23,110 --> 00:57:24,489 Thank you very much.
1523 00:57:24,490 --> 00:57:26,769 We have maybe two minutes 1524 00:57:26,770 --> 00:57:28,929 for questions, so really 1525 00:57:28,930 --> 00:57:30,879 quick this microphone. 1526 00:57:30,880 --> 00:57:33,039 All right. So the self-signing of 1527 00:57:33,040 --> 00:57:35,049 the Woolim basically just adds about 1528 00:57:35,050 --> 00:57:37,239 800 bytes to every file that it's 1529 00:57:37,240 --> 00:57:38,739 ever created. 1530 00:57:38,740 --> 00:57:40,809 If you view it on another system, then 1531 00:57:40,810 --> 00:57:42,909 does that just make it a corrupt file? 1532 00:57:42,910 --> 00:57:44,589 Is a JPEG plus 1533 00:57:44,590 --> 00:57:46,809 800 bytes of Woolim signature 1534 00:57:46,810 --> 00:57:48,699 just an invalid JPEG? 1535 00:57:48,700 --> 00:57:50,019 Or what does it become? 1536 00:57:50,020 --> 00:57:51,909 I mean, it depends on the file you're 1537 00:57:51,910 --> 00:57:52,989 using. For JPEG, 1538 00:57:52,990 --> 00:57:55,089 for example, it doesn't corrupt the file, 1539 00:57:55,090 --> 00:57:57,249 but there may be file 1540 00:57:57,250 --> 00:57:59,409 formats because a JPEG you have like this 1541 00:57:59,410 --> 00:58:01,489 really hard file structure where 1542 00:58:01,490 --> 00:58:03,259 it can determine the end of the file, 1543 00:58:03,260 --> 00:58:04,689 then it's no problem. 1544 00:58:04,690 --> 00:58:07,059 But there might be some file 1545 00:58:07,060 --> 00:58:09,219 types that could be corrupted by 1546 00:58:09,220 --> 00:58:10,220 those funds. 1547 00:58:11,110 --> 00:58:13,269 OK to microphone? 1548 00:58:13,270 --> 00:58:14,769 Yeah. OK. 1549 00:58:14,770 --> 00:58:16,539 Interesting talking did. 1550 00:58:16,540 --> 00:58:18,649 Maybe I was attentive or it was 1551 00:58:18,650 --> 00:58:20,919 certainly not. Not cool, but did you 1552 00:58:20,920 --> 00:58:23,499 try to find the keys from the public 1553 00:58:23,500 --> 00:58:25,559 television broadcast? 
1554 00:58:25,560 --> 00:58:26,469 Yep, no. 1555 00:58:26,470 --> 00:58:28,809 Well, yes, we kind of were observing 1556 00:58:28,810 --> 00:58:29,919 the tablet itself. 1557 00:58:29,920 --> 00:58:31,749 The problem is that the media player that 1558 00:58:31,750 --> 00:58:34,119 is on the tablet is actually not capable 1559 00:58:34,120 --> 00:58:35,379 of doing DVDs. 1560 00:58:35,380 --> 00:58:37,089 And as I said in the beginning, the 1561 00:58:37,090 --> 00:58:38,199 device that you could see in the 1562 00:58:38,200 --> 00:58:40,629 beginning is probably a different version 1563 00:58:40,630 --> 00:58:42,999 of the tablet, probably an older version. 1564 00:58:43,000 --> 00:58:45,099 So our version right here, we could 1565 00:58:45,100 --> 00:58:47,649 not find any crypto keys for DVDs 1566 00:58:47,650 --> 00:58:48,789 or stuff like that. 1567 00:58:48,790 --> 00:58:51,219 So yeah, unfortunately, 1568 00:58:51,220 --> 00:58:53,339 we don't have any keys for that also. 1569 00:58:53,340 --> 00:58:55,479 Also, we could imagine that maybe that 1570 00:58:55,480 --> 00:58:56,949 is done on the external, on the 1571 00:58:56,950 --> 00:58:59,079 peripheral, not on the tablet itself, so 1572 00:58:59,080 --> 00:59:01,179 that we might not find it all keys 1573 00:59:01,180 --> 00:59:02,379 on there. 1574 00:59:02,380 --> 00:59:04,299 And in addition to that, you need to kind 1575 00:59:04,300 --> 00:59:05,709 of get registered to get all of the 1576 00:59:05,710 --> 00:59:07,329 additional hardware. It's possible that 1577 00:59:07,330 --> 00:59:09,549 they install an APK 1578 00:59:09,550 --> 00:59:11,709 that enables you to view DVDs 1579 00:59:11,710 --> 00:59:13,330 and that comes with the crypto keys. 1580 00:59:14,770 --> 00:59:15,819 OK, thanks so much. 1581 00:59:15,820 --> 00:59:17,199 OK, one question. 
1582 00:59:18,640 --> 00:59:20,949 Out of those eight gigabytes 1583 00:59:20,950 --> 00:59:23,469 of storage, how much is 1584 00:59:23,470 --> 00:59:25,689 used up by the original 1585 00:59:25,690 --> 00:59:28,149 file system of the original 1586 00:59:28,150 --> 00:59:29,150 OS and. 1587 00:59:34,950 --> 00:59:37,079 So I would say that probably 1588 00:59:37,080 --> 00:59:39,239 like it's it's not 1589 00:59:39,240 --> 00:59:41,039 that much, so probably like six 1590 00:59:41,040 --> 00:59:43,139 gigabytes, probably free. 1591 00:59:43,140 --> 00:59:45,809 I will check the data usage. 1592 00:59:45,810 --> 00:59:47,249 Let me see storage. 1593 00:59:48,450 --> 00:59:50,159 It's using one gigabyte. 1594 00:59:51,780 --> 00:59:54,059 So a total space is like one gigabyte 1595 00:59:54,060 --> 00:59:56,009 that is used. So there is a lot of space 1596 00:59:56,010 --> 00:59:57,010 that you can don't have. 1597 00:59:58,710 --> 01:00:01,079 OK, I got another 1598 01:00:01,080 --> 01:00:03,749 question from the signal angel. 1599 01:00:03,750 --> 01:00:05,759 Yes, there are two questions. 1600 01:00:05,760 --> 01:00:08,279 The first is, are you planning 1601 01:00:08,280 --> 01:00:10,349 to release any software dumps? 1602 01:00:10,350 --> 01:00:12,569 And do you have to 1603 01:00:12,570 --> 01:00:15,809 smuggle the device back to North Korea? 1604 01:00:15,810 --> 01:00:17,579 I hope not for the last part. 1605 01:00:18,690 --> 01:00:20,819 Like for the first part, we are not going 1606 01:00:20,820 --> 01:00:22,109 to release any dumps. 1607 01:00:22,110 --> 01:00:23,819 The problem is that the dumps will 1608 01:00:23,820 --> 01:00:25,979 include serial numbers and fingerprints 1609 01:00:25,980 --> 01:00:26,909 and stuff like that. 1610 01:00:26,910 --> 01:00:28,529 And that would be perfectly easy to 1611 01:00:28,530 --> 01:00:30,719 identify the guy who leaked it 1612 01:00:30,720 --> 01:00:33,089 to us. 
And this is what we 1613 01:00:33,090 --> 01:00:35,729 want to prevent for all circumstances. 1614 01:00:35,730 --> 01:00:37,469 That is the one case where a guy who 1615 01:00:37,470 --> 01:00:39,569 tried to smuggle out a poster of North 1616 01:00:39,570 --> 01:00:41,819 Korea and he went to jail for 15 1617 01:00:41,820 --> 01:00:43,079 years. 1618 01:00:43,080 --> 01:00:44,579 So you can imagine what happens if 1619 01:00:44,580 --> 01:00:46,499 someone is trying to smuggle out a device 1620 01:00:46,500 --> 01:00:48,389 like this and we want to prevent this. 1621 01:00:48,390 --> 01:00:50,969 As I said, we are going to try to 1622 01:00:50,970 --> 01:00:53,579 release some of the information 1623 01:00:53,580 --> 01:00:55,139 that is on the tablet, meaning like 1624 01:00:55,140 --> 01:00:57,419 dictionaries like 1625 01:00:57,420 --> 01:00:59,789 books that are stored on the device. 1626 01:00:59,790 --> 01:01:01,709 Stuff like that. So probably we are going 1627 01:01:01,710 --> 01:01:03,959 to kind of go through all of this, 1628 01:01:03,960 --> 01:01:05,699 filter it a little bit and then make it 1629 01:01:05,700 --> 01:01:07,589 available to the public because we 1630 01:01:07,590 --> 01:01:09,659 thought that information about 1631 01:01:09,660 --> 01:01:11,940 that stuff is really lacking right now. 1632 01:01:13,480 --> 01:01:15,030 OK, we have one last question. 1633 01:01:16,280 --> 01:01:18,389 Hi, there seems to be quite a 1634 01:01:18,390 --> 01:01:20,609 bit of English 1635 01:01:20,610 --> 01:01:22,859 in the file names and numbers 1636 01:01:22,860 --> 01:01:25,109 and so on. And even in the bits, the same 1637 01:01:25,110 --> 01:01:27,419 sort of, let's say, DPRK only 1638 01:01:27,420 --> 01:01:28,319 features. 1639 01:01:28,320 --> 01:01:29,999 Do you think Western developers have been 1640 01:01:30,000 --> 01:01:31,429 involved in this project at all? 1641 01:01:32,730 --> 01:01:34,499 Very good question. 
1642 01:01:34,500 --> 01:01:35,500 We know that 1643 01:01:36,660 --> 01:01:39,719 DPRK is getting assistance 1644 01:01:39,720 --> 01:01:42,149 for some stuff in developing 1645 01:01:42,150 --> 01:01:44,219 stuff, and they even I 1646 01:01:44,220 --> 01:01:46,379 think they even had like developers from 1647 01:01:46,380 --> 01:01:48,269 Germany that were in exchange 1648 01:01:49,440 --> 01:01:51,639 like a couple of years ago, like 1649 01:01:51,640 --> 01:01:52,640 years ago. 1650 01:01:53,490 --> 01:01:55,589 We cannot 1651 01:01:55,590 --> 01:01:57,689 state that they did all of this 1652 01:01:57,690 --> 01:01:58,829 on their own. 1653 01:01:58,830 --> 01:02:01,469 But I would say it's perfectly feasible 1654 01:02:01,470 --> 01:02:03,089 because what we have seen with Red Star 1655 01:02:03,090 --> 01:02:04,469 and all the other stuff, I think that 1656 01:02:04,470 --> 01:02:06,539 they're capable in doing this, so they 1657 01:02:06,540 --> 01:02:08,879 probably don't need 1658 01:02:08,880 --> 01:02:11,189 to have assistance. 1659 01:02:11,190 --> 01:02:13,379 I think that like I turned like 1660 01:02:13,380 --> 01:02:16,099 all of the stuff to English to 1661 01:02:16,100 --> 01:02:18,269 have, like the English language, if you 1662 01:02:18,270 --> 01:02:21,839 are trying to apply a watermark 1663 01:02:21,840 --> 01:02:23,789 with like Korean letters like this sort 1664 01:02:23,790 --> 01:02:25,409 of signing stuff and all of that stuff, 1665 01:02:25,410 --> 01:02:26,999 like the form that the eight letters 1666 01:02:27,000 --> 01:02:28,919 that of sign, NATISIGN and stuff like 1667 01:02:28,920 --> 01:02:30,719 that, if you put that to Korean, it would 1668 01:02:30,720 --> 01:02:32,009 not be a byte anymore. 1669 01:02:32,010 --> 01:02:33,659 It would probably be more so that might 1670 01:02:33,660 --> 01:02:35,369 be like the problem that they were 1671 01:02:35,370 --> 01:02:37,559 facing. 
And that might be 1672 01:02:37,560 --> 01:02:40,529 why they were using Latin letters. 1673 01:02:40,530 --> 01:02:41,530 Mm hmm. 1674 01:02:41,880 --> 01:02:43,889 Thanks. OK, thank you very much. 1675 01:02:43,890 --> 01:02:45,719 Please give a warm round of applause 1676 01:02:45,720 --> 01:02:47,369 to those guys.