The goal of a totalitarian regime is to control everything in a country: information, resources, and power. In the 21st century, that even includes omnipotence over the code that the country's computers use.
Enter RedStar OS: North Korea's own Linux-based operating system, designed to monitor its users and remain resilient to any attempts to modify or otherwise exert control over it. On Sunday at Chaos Communication Congress, a security, art, and politics conference held annually in Hamburg, Germany, researchers Niklaus Schiess and Florian Grunow presented their in-depth investigation of the third version of the operating system.
Schiess and Grunow wanted to document the inner workings of RedStar because its use of freely available software, and in particular Linux, goes against the principles of the open source movement.
“They are using something that is supposed to support free-speech,” Grunow said.
As for what it actually looks like, “it's a fully featured desktop system,” Schiess told Motherboard. Under the hood, RedStar is based on Fedora 11, an iteration of the popular Linux distribution which was released in 2009, and works with a kernel—basically the heart of an operating system—from 2011. It comes with everything a user might need, including word processing and music creation software, and a modified Firefox browser. These applications, the desktop environment, and the underlying structure of the file system attempt to mimic those of Mac OS X.
But that is where the similarities with other operating systems end, and RedStar's totalitarian bent begins. RedStar enforces its dominance by rigorously monitoring any changes that a user might make, reacting accordingly, as well as creating “watermarks” on the files on any USB stick inserted into it.
In short, whenever a USB storage device containing documents, photos or videos is inserted into a RedStar computer, the operating system takes the hard disk's serial number, encrypts that number, and then writes that encrypted serial into the file, marking it.
The purpose “is to track who actually has this file, who created this file, and who opened this file,” Schiess said. That watermarking feature has been reported previously by the researchers, and others have published analyses of RedStar after versions of it have leaked or found their way out of the country. But Schiess and Grunow's newly presented dive into RedStar goes further, and is the most comprehensive picture of the OS yet.
RedStar “is highly customized,” Schiess said. “They've also added a lot of features to improve the security of the system.”
Those include a pre-installed firewall, extra protections of some of the system's core files, and a small program which constantly crawls the computer to check for any changes made to those files.
This program calls up a list of MD5 hashes—basically cryptographic fingerprints of files—and “as soon as this daemon sees that one of these files has been changed, it immediately reboots the system,” Schiess said. However, depending on the circumstances, the computer can sometimes get locked into an infinite cycle of booting and rebooting.
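As an added illustration (not code from RedStar or from the researchers), here is a minimal baseline-and-check routine of the kind the daemon described above performs, written in Python. It reports mismatches instead of rebooting, and the final check shows why a daemon that never refreshes its baseline trips on the same change on every pass, the behaviour behind the reboot loop.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def md5_file(path: str) -> str:
    """Hex MD5 digest of a file, read in chunks so large files are not loaded whole.
    MD5 is what the page describes; a new design would use SHA-256 instead."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the known-good fingerprint of every protected file."""
    return {p: md5_file(p) for p in paths}


def check_integrity(baseline: Dict[str, str]) -> List[str]:
    """Return the protected files that are missing or whose hash no longer matches."""
    changed = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or md5_file(path) != expected:
            changed.append(path)
    return changed


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two 'protected' files, one of which is later edited."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.conf"), os.path.join(d, "b.conf")
    with open(a, "w") as f:
        f.write("setting=1\n")
    with open(b, "w") as f:
        f.write("setting=2\n")
    baseline = build_baseline([a, b])
    before = check_integrity(baseline)        # nothing changed yet
    with open(b, "a") as f:
        f.write("# edited after baseline\n")  # simulates a user tampering with b
    after = check_integrity(baseline)         # b is reported
    # A daemon that reacts (reboots) without re-baselining sees the identical
    # mismatch on its next pass, so it keeps reacting: the loop the text mentions.
    again = check_integrity(baseline)
    return {"before": before, "after": after, "again": again}
```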
RedStar also has its own anti-virus system, complete with a graphical user interface, which gets its updates from a server located, unsurprisingly, in North Korea.
All of these changes likely aren't designed to protect the system from an outside attacker, say a foreign nation attempting to remotely hack into North Korea's computer systems, but from RedStar's own users, the researchers said.
Indeed, it's clear that RedStar was not designed to be used outside the country, because the operating system's internet browser points to internal, North Korean IP addresses, as does the anti-virus update server, which can't be accessed from the outside world. (There is, however, also a server version of RedStar, which is used to run two public-facing North Korean websites.) The applications are likely made by ten different developers: the researchers found the internal email addresses of different coders within the operating system's changelog.
The insular nature of the operating system, and the country, is further reflected in RedStar's custom crypto, which takes established encryption algorithms such as AES, and puts a new twist on them. It's unclear whether this was done because RedStar's developers feared these forms of encryption had been backdoored, meaning that an adversary could take advantage of them and access sensitive data, or whether they thought they could make some genuine improvements to the cryptography being used.
Regardless, “It shows they didn't even want to rely on foreign crypto,” Grunow said.
“They completely control every aspect of this system,” Grunow said.