Discovering the Hidden is a monthly column examining steganography and data hiding.
Over the course of the past year, a new crop of data hiding and steganography programs have emerged. These new Apps run on Android, iOS, and Windows mobile platforms. As one would expect, the ability to conceal, hide, and protect private information on smart mobile platforms is essential. In addition to the obvious benefits of protecting confidential information, there is a need for the ability to communicate covertly using these devices. Whether, this is benign communication between friends, insiders leaking company secrets, insider trading information, or communication between criminals, these new Apps provide mechanisms that enable covert information sharing. From a corporate, legal, investigative, or law enforcement perspective, being aware of this capability and being able to identify these Apps and the resulting covert communications is, of course, essential.
One of the issues is that there are so many Apps. In the past year alone, I have analyzed over 50 mobile data hiding Apps, with another dozen still awaiting my analysis. For the most part what I have found are old methods applied to a new platform, although usually with a twist.
On the iPhone platform, for example, there are a plethora of offerings. Just a few of the Apps available are shown in the screen shot below which was captured from my iPad.
Trying to select just one of these Apps to share was difficult as they all have unique approaches to data hiding. This month I decided to take a closer look at SPYPIX and examine the data hiding method and approach employed. This hiding method allows the user to hide a picture within a picture with varying degrees of quality. The concept is quite simple, overlay the two images and spatially hide the most significant bits of the hidden picture into the least significant details of the cover image. Based on how many bits of the hidden picture you wish to preserve, the quality of the resulting image will be affected. SPYPIX allows you to either take a photo with your iPhone or iPad, or select both the cover and hidden image from your photo library. In the screen shots below, I chose both images from my photo library. I chose a fairly high resolution image of a snow owl as the cover image, and a photo of myself as the hidden or secret image. SPYPIX first converts both images to 24 bit true color images in order to normalize the formats. The app then allows the user to specify or experiment with the number of pixels that will be replaced in the cover image—you can choose 0-7 bits. If you choose zero, the entire cover image would be replaced with the hidden image thus destroying the original image. If you were to select seven, only the most significant bit (MSB) of the RGB values of the secret image would replace the least significant bit (LSB) of the cover image. If you select five, as I did in the example screen shot below, the three MSBs, (7,6, and 5) of each RGB value of the secret or hidden image would replace the three LSB values of the cover image. As you can see, the final image on the right has completely absorbed the hidden picture of me.
The illustration below graphically describes how the replacement occurs. The important note here is that the number of bits you choose to replace will dramatically affect the usability of the hidden image. As you can see in the illustration, bits 0-4 of the secret image are discarded, thus reducing the resolution of the secret image from a 24 bit color image to a 9 bit color image.
At first glance one might think that this is pretty easy to detect. However, by visually rendering the image it looks pretty good even if you replace as many as 2 or 3 bits. One attack against this is to render and examine the LSB values directly. In Figure 4, I render the image on the left normally at 200% zoom. The image on the right I render again at 200% zoom but I only render the 3 LSB of RGB values. This reveals the reduced resolution image that was hidden inside the snow owl. Since only the 3 MSB values of the secret image were hidden, the data loss is evident, but you can still make out the image to some degree.
Based on the 9 of 24 bits replaced in the original image one would think this would be trivial to detect algorithmically. However, most of the LSB detection algorithms perform statistical analysis of the LSB values. Many of the predecessors to this approach compress then encrypt the payload and then modify the LSB values creating random data to be stored in the LSB values of the cover image. In this case, the data hidden has very little randomization, since the MSB values of the secret image vary much less than even the LSB value of an image, and significantly less than compressed or random data. In order to accommodate this type of detection, new comparison models and neural net training approaches were necessary to detect the anomalies implemented by this simple data hiding method. The basic process is to create a large set of examples using this method along with the original cover images and develop statistical measurements that can distinguish variance within LSB values of “normal” images vs. images that contain variable length replacement of LSB values.
In summary, I find the number of new data hiding Apps, approaches, and innovations occurring daily interesting. It clearly demonstrates the demand for new data hiding and covert communications methods on mobile platforms. In addition, just because a method lacks sophistication doesn’t necessarily mean that it is easy to discover or has little value. On the contrary, depending on the situation and the sophistication of the detection methods (if anyone is actually examining shared images), simple methods employed in Apps like SPYPIX may provide the right tool for the job.
Next month we will take a look at a new method of embedding hidden information into Voice Over Internet Protocol (VOIP) streams. Until then—keep discovering the hidden.
Chet Hosmer has been researching and developing technology and training surrounding data hiding, steganography, and watermarking for over a decade. He has made numerous appearances to discuss the threat steganography poses including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, Cyber Crime TechTV, and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to steganography and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, and Wired Magazine. Chet also delivers keynote and plenary talks on various cyber security related topics around the world every year.