A look at RedStar OS 3.0 – North Korea’s Operating System

I recently stumbled upon a copy of RedStar OS, which appears to be a RHEL-based server distribution developed by North Korea. Version 2.5 was initially purchased and reviewed by a Russian student studying abroad, and a user by the name of slipstream uploaded version 3.0 (server) to TPB in mid-2014.

Several reports portray it as a tool to monitor web usage by the regime, and while I don’t doubt that, it seems unnecessary to repackage an operating system to do so. It seems more likely that it’s a symbol of sovereignty and independence from Windows (made in USA). Since North Korea’s internet is a giant class A network (10.76.1.0/22), any reporting software would likely try to report to an otherwise “internal” network. For example, the browser packaged with the OS has its homepage set to 10.76.1.11. A quick Wireshark analysis didn’t reveal anything immediately suspicious, but I’ve yet to dig into that fully.

On the surface, it’s a pretty hollow clone of RHEL using KDE desktop. The directory structure is a cross between OSX and *nix, as is the overall feel of the desktop environment.

Applications

It comes with a couple of standard applications – a calculator, notepad, contact book, etc., as well as QuickTime and Naenara Browser (a Firefox clone). As Naenara (“my country”) is also the name of the official web portal, and most citizens can’t access the “international internet”, the two might as well be synonymous.

You can see the public-facing Naenara at http://www.naenara.com.kp/en/, but be aware that they’ve been known to inject malware on some of their public-facing sites.

It’s also interesting to note there’s a CHM (compiled HTML) viewer. This is typically used for software documentation, and very well may be the case here. I’d be interested to see if this is utilized for something akin to Cuba’s Paquetes, downloading parts of the Kwangmyong, or something altogether different. (There is an empty “Sites” folder in the user’s home directory)

There’s an OpenOffice clone, called Sogwang Office.

It also has this music composition program, UnBangUI.

The mail program doesn’t have any clear way to add an email account, but does prevent you from checking mail until you’ve added one.

The software center only allows importing from /media. There is a repository of extra applications that’s offered on a second CD (the Russian site says the extra CD costs about twice what the original OS costs), and I haven’t started to dig through that yet.

In the “System Update” area, the Settings dialog shows a location for a URL and proxy, but I’m not sure it’s usable.

Getting Root

Interestingly, the user isn’t added to sudoers and the root account is disabled. Fortunately, this is trivial to bypass, since someone “overlooked” the permissions in /etc/udev/rules.d. If you’re looking for a terminal shortcut, you won’t find it – you’ll have to press Alt+F2, then run konsole to get a shell.

How convenient!

Once you’ve done that, fire up vi and create /tmp/freedom, or whatever you’d like to call it.

Now, open up that file in /etc/udev/rules.d and call /tmp/freedom via a RUN expression:

Don’t forget to “chmod +x /tmp/freedom”!

Now that that’s taken care of, you’ll need to refresh the udev rules. In VirtualBox, this worked simply by taking a snapshot, but you might have to reboot.
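
The bypass above works because a file under /etc/udev/rules.d is editable by an unprivileged user while udev runs RUN programs as root. As an added example (not part of the original post), this shell audit flags rule files or directories writable by non-root users and RUN keys pointing into user-writable paths; the trusted uid argument, the path prefixes and the constructed sample files are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). The uid argument, the risky
# path prefixes and the sample file names are assumptions for illustration.
RISKY_PREFIXES='/tmp|/var/tmp|/dev/shm|/home'

# audit_udev_rules TRUSTED_UID DIR...  -> prints "REASON<TAB>path" per finding
audit_udev_rules() {
    local uid="$1" dir f; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Group- or world-writable directory or file: a non-root user can add
        # or edit rules, and udevd executes RUN programs as root.
        find "$dir" -maxdepth 1 \( -type d -o -type f \) \
            \( -perm -0020 -o -perm -0002 \) -exec printf 'WRITABLE\t%s\n' {} \;
        # Files owned by another account can be rewritten by that account.
        find "$dir" -maxdepth 1 -type f ! -user "$uid" \
            -exec printf 'OWNER\t%s\n' {} \;
        # RUN keys that launch a program from a user-writable location.
        for f in "$dir"/*.rules; do
            [ -f "$f" ] || continue
            if grep -Eq "RUN(\{[a-z]+\})?[+:]?=\"($RISKY_PREFIXES)/" "$f"; then
                printf 'RUN_PATH\t%s\n' "$f"
            fi
        done
    done
    return 0
}

# Constructed sample tree: one sane rule file, one reproducing the weakness.
make_sample() {
    local d; d="$(mktemp -d)"
    printf 'KERNEL=="sd*", RUN+="/lib/udev/hdparm"\n' > "$d/60-disk.rules"
    printf 'ACTION=="add", RUN+="/tmp/freedom"\n' > "$d/99-constructed.rules"
    chmod 755 "$d"; chmod 644 "$d/60-disk.rules"
    chmod 666 "$d/99-constructed.rules"
    printf '%s\n' "$d"
}

sample="$(make_sample)"
# On a real host: audit_udev_rules 0 /etc/udev/rules.d
audit_udev_rules "$(id -u)" "$sample"
rm -rf "$sample"
```

Tightening the file mode clears the WRITABLE finding, but the RUN_PATH finding stays until the rule stops executing a program from a user-writable directory.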

Enabling English on RedStar OS

Once you’re back up and running, you’ll likely want to enable a language other than Korean. While some reports state that Korean is the only language on the system, this isn’t true. It’s just that Korean is selected by default. Now that you have sudo superpowers, this can be done easily with sed (obviously, for a language other than US English, use the appropriate locale code):

sed -i 's/ko_KP/en_US/g' /etc/sysconfig/i18n

sed -i 's/ko_KP/en_US/g' /usr/share/config/kdeglobals

Log out, and you should see the login screen in English:

That’s it! You should now be able to browse around the OS relatively easily. I’ll post some interesting findings later, once I’ve had an opportunity to dig through it more.

 

Onity Hotel Lock Exploit

Update: 12/28/2012 – I’m a bit late on this, but this has actually been exploited for criminal activity. Imagine that. Apparently, it’s not as “unreliable, complex and difficult to implement” as Onity thought.

Update: 8/19/2012 – Anxiously awaiting delivery of ATtiny85 chips to convert this into an even more compact device (also would be cheaper and able to be mass-produced).

Cody Brocious did a presentation at Black Hat 2012 on how to exploit the Onity hotel locks, and is the main source of information for this page. His original page for the talk is located here. Please take the time to visit Cody’s site (updated link) if you’re interested in how this works.

Unfortunately, I don’t have my own personal hotel locks to play with, and hotels thus far have either not had a GM available when I stopped in or the GM has dismissed this as nonsense. One even said “If I feel there’s a problem with our locks, I’ll contact our Onity rep. We pay them good money, so I’m sure this is all taken care of.” An engineer at Holiday Inn was very interested in resolving it, but I’m not aware of anyone making progress in getting the PP codes. (If you have a PP, there are plenty of us interested in engineering a software solution, rather than forcing a hardware update.)

A quick survey shows about 60-75% of the hotel locks in Pittsburgh (city, not region) are vulnerable to this at the time of this writing.

The Lock

If you’ve stayed in a hotel, you’ve probably seen this lock. Cody asserts this lock is one of the more popular brands and gives a figure of over 4 million installed. What you probably haven’t seen is the programming port, located on the bottom of the lock (red arrow). It uses a size “K” DC adapter (5.0mm OD x 2.1mm ID, center positive) to communicate with the programming device (Portable Programmer, PP). I’ll refer you to Cody’s site for specifics on the communication protocol. Essentially, the PP and lock work as master-slave, with the PP as the master. The PP transmits a 3.3v signal (HIGH) when idle, and the signal drops into a LOW state in order to communicate.

When the locks are installed, a sitecode is written to the lock’s memory. This is a 32-bit value that’s unique to the facility, but shared among all equipment in that hotel. After that, there are several other values, including the code for the Master keys and the Programming key (more on this later).

Using the PP, staff are able to open the lock manually. The PP issues an “OPEN” command in combination with the sitecode. Since the sitecode is hidden from even the property owner, this is supposed to provide a bit of security against anyone just opening the lock, right?

(Of course not, you wouldn’t be reading this if that were the case!)

All we have to do is read the sitecode from the lock’s memory, and mix it in with the OPEN command (which is the same for every lock). This takes around 220 milliseconds to perform.

The lock simply opens, and the access log reads as though the PP was used by staff to open the door. This is done by programming the Arduino to continuously send “open” commands via the DC plug. In practice, it takes around 1-2 seconds to open the lock, due to timing problems and the point in the code at which you insert the plug into the lock. For all intents and purposes, it’s instantaneous.

The Arduino

If you haven’t heard of the Arduino yet, it’s similar to the BASIC Stamp microprocessor, but faster, cheaper and open-source. It uses its own open-source programming language, which is heavily based on C. An Arduino Uno runs around $35 at RadioShack and the Arduino Mega is around $65. Additional parts you’ll need (if starting from scratch) are:

  • An A to B USB adapter (the big square one that’s probably plugged into your printer)
  • Two “K” size DC barrel plugs (5.0mm OD x 2.1mm ID). Center is positive for both.
  • A few pieces of wire and a 5.6k resistor (green-blue-red for those people)
  • A 9v battery plug. Wire this to one of the DC plugs. This will be the power source for your Arduino. (You can run it off of USB power, but it won’t be as stealthy if you have a computer attached to it)
  • The Arduino software (Free – arduino.cc)
  • The source code – not provided here. (It’s not hard to find, but I’m not giving handouts)

I also used some heat-shrink tubing and a lighter (hence the black smoke marks on the clear tubing), as well as two small pieces of 22ga solid wire. Everything is twisted together (not soldered) and held together with heat-shrink tubing.

I modified the code to blink the LED on pin 13 five times (50ms on/off) at the beginning of each loop, because I like feedback. I’m also working on code that will intercept the transmissions between the lock and a PP and send it back to my computer, on the off chance one of the managers calls me back and says “Yeah, sure, take a look”.

It’s not pretty, but it gets the job done (power supply not shown). Add a cool project enclosure, and you have yourself a portable master key to any room in any hotel that uses Onity locks.

Protect Yourself

Onity has acknowledged the problem (+1 point to Onity), but claims “the hacking methods [are] unreliable, and complex to implement.” If by “complex”, they mean “anyone with a few pieces of wire and a BIC lighter can throw this together in the middle of Starbucks in 10 minutes”, then yes, it’s very complex. Cody claims varying success with this device, but I don’t know that I’d call it “unreliable”. (In my limited tests, it has worked 100% of the time.)

Onity is currently manufacturing plugs (see above link) to block the programming pin and also providing a TORX screw to replace the battery cover. That will stop anyone without a TORX bit (Less than a dollar, if I recall correctly) from using this method. They totally won’t spend that extra dollar at RadioShack.

They’re also talking about a “firmware” update, by which they apparently mean “replace the circuit board in all 4 million locks and issue new programming devices to each hotel”. It’ll probably only be a matter of time until this new “firmware” is broken, too.

Case-in-point: Don’t let them fool you, this is inexpensive, shockingly easy to implement, and more reliable than it should be.

I don’t want to sound like I’m suggesting a boycott of anyone using Onity locks, but if you’re concerned about your safety, you may want to choose a hotel with a different lock (given the option). A brief look at Pittsburgh hotels (city, not suburban) shows that around half of them have Onity locks.

It goes without saying that you should be using the chain lock/bar latch on the door (but this can be kicked in easily or opened with a rubber band). Hopefully, you’d wake up if this was going on, but I’ve slept through much more.

While the old adage “locks are meant to keep honest people out” still holds true, this particular lock requires almost zero skill to open. If you can install iTunes, transfer music to your iPod, then plug it into your car sound system, you can do this.
