A new wave of criminal communication
In the book The Codebreakers, David Kahn1 tells the early story of Demaratus, son of Ariston, who while exiled in Persia scraped the wax from a writing tablet, carved a warning of Xerxes' impending invasion into the wood beneath, and covered it with a fresh coat of wax so that it would pass the guards, who naturally examined any such tablet. Had the message been discovered, his fate would have been much worse than death. The tablet reached Sparta, the message was recovered, and the Spartans successfully defended against the Persian attack. This is the beginning of the technique we know today as “steganography”; the only difference is that the modern version can conceal much more than a simple message.
The risk and threat posed by steganography has been argued vigorously for over a decade. Whether or not you believe that this elusive cyber threat poses an imminent danger, or has been effectively used to conceal incriminating information, to communicate covertly between operatives, or to exfiltrate vital information, a couple of facts are undisputed. First, the number of available programs that perform steganography has increased dramatically: in 1999 only a handful existed; today over 250 unique programs have been cataloged, analyzed, and verified, and counting variants of individual versions we are currently tracking more than 1,000, which is concrete evidence of a base of users. Second, each time a new viable carrier type appears, new steganography methods that target it follow in lock step.
If this is true, what is the lure of steganography? Why would criminals or terrorists use such technology when there are many proven, well documented encryption algorithms readily available to keep information private, some of them built directly into our operating systems?2 The answer is quite obvious: the purpose of steganography is not simply to keep information private, but to hide the very existence of the information or communication. An encrypted file announces that there is something worth looking for; a steganographic carrier is meant not to.
The next obvious question is why methods continue to evolve in lock step with new carrier types. We have witnessed a few drivers. The first is size: as a general rule, new carrier types are created to handle larger content or to move larger content more efficiently. Larger content has an obvious advantage: it provides a channel for storing or transmitting larger payloads without disturbing the normal visual, auditory, or protocol characteristics of the carrier. Other characteristics will be altered, of course, but the primary objective of steganography is to exploit the weakness of our senses and hide information so that a human viewing, using, or listening to the altered content cannot detect any change; the secondary objective is to avoid detection through deeper technical analysis. The second driver is that large, heavily used and popular carriers and transmission methods provide cover, or more accurately a larger haystack. For example, the Internet today (not counting cell phones, PDAs, or personal computers) contains over a trillion images, and millions are added each day. Identifying the specific images in that haystack that carry embedded steganography is a daunting task at best. New carriers also offer both an intellectual and a nefarious challenge, since they can be exploited in innovative ways. Because security is either the last thought or an afterthought in a new carrier, it offers fertile ground for experimentation, exploitation, and financial gain.
Voice over Internet Protocol (VOIP) is a widely used, almost ubiquitous family of protocols that has revolutionized our ability to carry voice and video over the Internet, frequently peer to peer and frequently encrypted. The question becomes: can this channel be exploited to exfiltrate information, files, or even malicious code during an innocuous voice call? To answer it, we must first understand how steganography is applied to traditional carriers, and then examine the obstacles and technical challenges that must be overcome to hide data effectively within a VOIP stream.
Steganography and Covert Channels
Covert channels attempt to circumvent an organization's security policies by exploiting legitimate communication channels.3 Organizations today have large and complex network and communications infrastructures, and each component provides a point of attack for insiders or infected systems to communicate covertly. The simplest form of the attack uses doctored images and multimedia files, pushed over the Internet, e-mail, and other common infrastructure services, to carry hidden content. More complex forms modify the communication channel itself to exploit unused space and attributes of the protocol. Even wireless local area networks (WLANs) are susceptible.4 One example is the Frame Control field of the 802.11 header: toggling rarely used bits such as More Fragments, Retry, Power Management, or More Data provides one or more bits of covert capacity in every frame. Modifying packets to embed hidden information is not new; covert channels in the TCP/IP protocol suite were described in First Monday5 as early as 1997. As new protocols are developed, rarely used fields, or fields that take only a limited set of values, offer new opportunities for steganography, whether the protocol is TCP, IP, or UDP based and whether it is client-server or peer to peer.
With the advent of streamed multimedia (audio, video, VOIP, and so on), several experts theorized that embedding steganography in such streams would be difficult if not impossible (I have actually heard the word impossible used, and that always concerns me, especially in the same sentence as steganography). The reason most often given is that these protocols treat packet loss as a normal part of operation: it is not only tolerated but expected. Missing a couple of packets, or discarding corrupted ones, has only a limited and momentary effect on the experience of listening, viewing, or talking over the stream. However, if a compressed, encrypted steganographic payload is embedded within the stream, the same loss or corruption damages the payload, and compressed or encrypted data, unlike voice, does not degrade gracefully when a packet goes missing.
- This brings up an important point. One might conclude that an effective jamming attack, against both static steganography (image and audio files) and streaming media, would be to routinely inject steganographic noise into the data using techniques like those described above; if done properly, the resulting data would be little affected. This holds for losslessly compressed image and audio formats. Injecting noise into JPEG and MP3 carriers, however, can cause problems, because each re-encoding of a lossy file affects its quality. In our experiments with a range of sample images, degradation begins to become visible after 200-500 cycles (depending on the image and the noise insertion characteristics). Larger images (3+ MB) of outdoor scenery with high color counts can sustain up to 1,000 injections before visible distortion appears.
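The jamming argument above is easy to see on a lossless carrier. The following is an added example written for this article, not code from the original text: it hides a payload in the least significant bit of 16-bit PCM samples (a carrier constructed here with a seeded generator), verifies extraction, then applies the jamming attack of overwriting every LSB with random bits. Both the embedding and the jamming move each sample by at most one quantisation step, yet the jammed copy no longer yields the payload. The payload string and the carrier are constructed for the demonstration.

```python
"""Added example (not from the original article): LSB hiding in a losslessly
stored carrier, and the "inject steganographic noise" jamming attack.
The carrier is constructed 16-bit PCM; the payload is a constructed string."""
import math
import random
import struct


def synth_carrier(n=4000, seed=1):
    """Constructed carrier: a tone plus a little seeded noise, as 16-bit PCM samples."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        s = int(12000 * math.sin(i / 9.0)) + rng.randint(-300, 300)
        out.append(max(-32768, min(32767, s)))
    return out


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed_lsb(samples, payload):
    """Write a 2-byte length prefix plus the payload into the LSB of successive
    samples. Each sample moves by at most one quantisation step."""
    frame = struct.pack("!H", len(payload)) + payload
    if len(frame) * 8 > len(samples):
        raise ValueError("payload too large for carrier")
    out = list(samples)
    for i, bit in enumerate(_bits(frame)):
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(samples):
    """Read the length prefix, then that many bytes, from the sample LSBs.
    Returns None when the length field cannot fit the carrier (no valid payload)."""
    def read(nbits, offset):
        value = 0
        for i in range(nbits):
            value = (value << 1) | (samples[offset + i] & 1)
        return value

    n = read(16, 0)
    if 16 + n * 8 > len(samples):
        return None
    return bytes(read(8, 16 + 8 * j) for j in range(n))


def jam_lsb(samples, seed=7):
    """The jamming attack: overwrite every LSB with a random bit. The carrier
    again moves by at most one step, but any LSB-embedded payload is destroyed."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


def max_abs_delta(a, b):
    """Largest per-sample difference between two carriers."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo(payload=b"rendezvous 0300"):
    """Embed, verify, jam, verify again.
    Returns (delta after embedding, delta after jamming, payload survived?)."""
    cover = synth_carrier()
    stego = embed_lsb(cover, payload)
    if extract_lsb(stego) != payload:
        raise RuntimeError("extraction failed before jamming")
    jammed = jam_lsb(stego)
    return (max_abs_delta(cover, stego),
            max_abs_delta(stego, jammed),
            extract_lsb(jammed) == payload)


if __name__ == "__main__":
    print(demo())
```

The same attack against a JPEG or MP3 carrier would have to re-encode the file each time, which is where the quality budget the text measures in cycles comes from.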
VOIP Steganography Threat
An increasing threat today is the natural evolution of steganography into the Real-time Transport Protocol (RTP),6 a transport protocol for real-time applications. RTP provides end-to-end transport for real-time data such as audio and video, and it relies on the User Datagram Protocol (UDP)7 as its underlying transport. Within VOIP environments, RTP carries the call traffic itself (call setup is handled by a separate signaling protocol). Therefore, for VOIP, four likely candidates for embedding steganography exist:
- UDP packet headers: exploitation of the unused and rarely used header fields. The UDP header has only four fields; the checksum, which is optional over IPv4, is the usual target.
- RTP packet headers: exploitation of the unused and rarely used header fields, such as the padding and extension bits, the padding octets themselves, and the CSRC list, which is empty unless a mixer is in the path.
- Inserting malformed UDP packets that the receiver discards but that carry steganographic data.
- Voice payload: when a VOIP call is placed, the analog voice signal is digitized and encoded with a codec (an elaborate word meaning encoder/decoder). The codec's encoding is itself lossy compression, and in most environments the encoded frames are then encrypted. Much like the JPEG case described above, steganographic modifications must therefore be made after the lossy encoding stage and before any encryption, because re-encoding destroys hidden bits and modifying ciphertext would break decryption (and, with SRTP, the authentication tag).
All of these approaches suffer from potential data loss, so implementing steganography successfully in any of them requires a viable answer to it. The first option is to add error correction (forward error correction or plain redundancy) so that lost or corrupted packets can be recovered from the rest. The second and most practical option is to embed payloads that are naturally resilient to loss, that is, other voice, video, or streaming data types.
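To make the header-field channel and the redundancy fix concrete, here is an added example written for this article (not code from the original text, nor from any VOIP product). It builds RTP packets with the RFC 3550 section 5.1 layout (the successor of RFC 1889 cited here), rides a secret in the padding octets that receivers strip and ignore, sends each chunk in `repeat` consecutive packets so a single lost packet does not lose the chunk, and includes a simple detector: narrowband voice codecs emit fixed-size frames and almost never need padding, so a stream in which many packets set the P bit is suspect. The cover frames, the secret, the SSRC and the loss pattern are all constructed; the same approach applies to any rarely used header field, such as the WLAN Frame Control bits discussed earlier.

```python
"""Added example (not from the original article): a covert channel in RTP
padding octets, repeat-to-survive-loss, and a padding-rate detector.
Cover frames, secret, SSRC and loss pattern are constructed."""
import struct

RTP_VERSION = 2


def build_rtp(seq, ts, ssrc, payload, pt=0, padding=b""):
    """Serialise a minimal RTP packet (no CSRC list, no header extension).
    If padding is given, the P bit is set and the final octet holds the padding
    length including itself, as RFC 3550 requires; receivers strip and ignore it."""
    if len(padding) > 254:
        raise ValueError("padding length field is one octet")
    first = (RTP_VERSION << 6) | ((1 if padding else 0) << 5)  # V=2, P, X=0, CC=0
    header = struct.pack("!BBHII", first, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)
    if padding:
        padding = padding + bytes([len(padding) + 1])
    return header + payload + padding


def parse_rtp(pkt):
    """Split a packet into header fields, codec payload and the padding octets."""
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if first >> 6 != RTP_VERSION:
        raise ValueError("not RTP version 2")
    body, padding = pkt[12:], b""
    if first & 0x20:
        count = body[-1]
        padding, body = body[-count:-1], body[:-count]
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": second & 0x7F,
            "payload": body, "padding": padding}


def covert_send(secret, cover_frames, repeat=2, chunk=4, ssrc=0x1EA7BEEF):
    """Ride `secret` in padding: chunk i goes into the padding of `repeat`
    consecutive packets (index byte first), so one lost packet does not lose it."""
    chunks = [secret[i:i + chunk] for i in range(0, len(secret), chunk)]
    if len(chunks) > 256 or len(chunks) * repeat > len(cover_frames):
        raise ValueError("secret too long for this call")
    pkts = []
    for i, frame in enumerate(cover_frames):
        pad = b""
        if i < len(chunks) * repeat:
            idx = i // repeat
            pad = bytes([idx]) + chunks[idx]
        pkts.append(build_rtp(1000 + i, 160 * i, ssrc, frame, padding=pad))
    return pkts


def covert_receive(pkts, nchunks):
    """Reassemble from whatever arrived. Returns (secret or None, missing indexes)."""
    got = {}
    for pkt in pkts:
        pad = parse_rtp(pkt)["padding"]
        if pad:
            got[pad[0]] = pad[1:]
    missing = set(range(nchunks)) - set(got)
    if missing:
        return None, missing
    return b"".join(got[i] for i in range(nchunks)), missing


def lossy_channel(pkts, drop_every=3):
    """Constructed loss pattern: every drop_every-th packet never arrives."""
    return [p for i, p in enumerate(pkts) if i % drop_every != drop_every - 1]


def padded_fraction(pkts):
    """Detector heuristic: share of packets carrying padding. Fixed-frame voice
    codecs almost never pad, so a high value on a voice stream is suspect."""
    flagged = sum(1 for p in pkts if parse_rtp(p)["padding"])
    return flagged / len(pkts) if pkts else 0.0


# Constructed stand-ins for 40 G.711-sized frames (160 octets each) and a secret.
COVER = [bytes((i * 7 + j) & 0xFF for j in range(160)) for i in range(40)]
SECRET = b"meet at dawn, gate 4"  # 20 bytes -> 5 chunks of 4


if __name__ == "__main__":
    for repeat in (1, 2):
        received = lossy_channel(covert_send(SECRET, COVER, repeat=repeat))
        data, missing = covert_receive(received, 5)
        print(repeat, data, missing, round(padded_fraction(received), 2))
```

With one copy per chunk the constructed loss pattern drops chunk 2 and the receiver cannot reassemble; with two copies every chunk survives. The price of that redundancy is visibility: roughly a quarter of the surviving packets carry padding, which the detector flags while a clean call scores zero.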
With the increasing proliferation of VOIP, covert communication over these channels is quickly becoming a reality. With Android phones8 delivered ready for custom application development, alongside an active open source VOIP community,9 the opportunities for both the good guys and the bad guys to exploit these devices for their own purposes are endless. The detection, cracking, and jamming of steganography-laced covert channels is not at the end of a life cycle but only at the beginning. With an almost limitless number of VOIP calls, streams of audio and video content, and connected mobile devices, our ability to communicate overtly or covertly with anyone, anywhere, anytime is upon us. The question is what the good guys and the bad guys will choose to do with it and, more importantly, how we will investigate the criminal uses now and in the future.
- David Kahn, The Codebreakers, Scribner, 1967.
- Eoghan Casey and Gerasimos J. Stellatos, “The Impact of Full Disk Encryption on Digital Forensics”, ACM SIGOPS Operating Systems Review, Volume 42, Issue 3, April 2008.
- Robert C. Newman, “Covert Computer and Network Communications”, Information Security Curriculum Development Conference '07, September 28-29, 2007, ACM 978-1-59593-909-8/00/007.
- Christian Krätzer, Jana Dittmann, Andreas Lang, and Tobias Kühne, “WLAN Steganography: A First Practical Review”, MM&Sec'06, September 26-27, 2006, Geneva, Switzerland.
- Craig H. Rowland, “Covert channels in the TCP/IP protocol suite”, First Monday, Volume 2, Number 5, 5 May 1997.
- H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, RFC 1889, “RTP: A Transport Protocol for Real-Time Applications”, Internet Engineering Task Force, January 1996.
- J. Postel, RFC 768, “User Datagram Protocol”, Internet Engineering Task Force, August 1980.
- Android Wikipedia entry, http://en.wikipedia.org/wiki/Google_Android
- Open Source VOIP, http://www.voip-info.org/wiki-Open+Source+VOIP+Software
Chet Hosmer is the co-founder and Chief Scientist at WetStone. His research into advanced forms of steganography spans over a decade. Chet can be reached via e-mail at firstname.lastname@example.org or on Twitter at @ChetHosmer.