Security researchers published a scary proof-of-concept attack on Android smartphones. It is a pair of Trojan apps which cooperate to steal credit card numbers, either spoken into the phone or entered on the keypad, and then covertly relay them back to the attacker. The attack was very cleverly done and highlights new threats enabled by powerful mobile devices. It received a flurry of publicity, but I think the coverage missed one of the really interesting points: the attack is a practical application of steganography to create a covert communication channel inside a single device.
Steganography is the discipline of creating secret messages so that only the sender and the receiver are aware that the messages exist. When we think about secret communications, we generally think about encryption, codes, and so on. Steganography is different. Encryption keeps someone who intercepts a message from reading it, and authentication codes keep them from modifying it undetected, but in both cases identifiable messages are flying around; the protection is only that no unwanted senders or receivers can participate in the conversation. Steganography makes the existence of the messages themselves unknown. It is possible to combine steganography with encryption so that both the existence and the contents of your messages are secret, but they do different things. Encryption makes a message unreadable; steganography makes it invisible.
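To make "invisible rather than unreadable" concrete, here is an added example (mine, not from the original post or the research it discusses) of the simplest digital technique, least-significant-bit embedding. The "image" is a constructed gradient of 8-bit grayscale pixels rather than a real picture; the payload is written into the low bit of successive pixels behind a length header, so every pixel changes by at most one level and the carrier looks unchanged. The payload itself is plaintext; the point of the post's closing sentence is that you would encrypt it first if you also wanted the contents protected.

```python
"""LSB steganography on a constructed grayscale image (added example)."""
import struct


def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed cover 'image': one byte per pixel, a smooth gradient."""
    return bytes(((x * 3 + y * 5) & 0xFF) for y in range(height) for x in range(width))


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Hide payload in pixel LSBs. A 4-byte big-endian length header precedes it."""
    data = struct.pack(">I", len(payload)) + payload
    needed = len(data) * 8  # one pixel per bit
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(cover)}")
    stego = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):  # MSB first
            idx = i * 8 + bit
            stego[idx] = (stego[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return stego


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, back out of the LSBs."""

    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            byte = 0
            for bit in range(8):
                byte = (byte << 1) | (stego[start_bit + i * 8 + bit] & 1)
            out.append(byte)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if (4 + length) * 8 > len(stego):
        raise ValueError("header claims more payload than the image can hold")
    return read_bytes(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How far any single pixel moved; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at noon")
    print(extract(stego))                      # b'meet at noon'
    print(max_pixel_change(cover, stego))      # 1
```

Note the two failure modes handled here: a cover that is too small to hold the payload is rejected up front, and a header that claims more data than the image holds is rejected on extraction instead of indexing past the end. Detecting real LSB steganography statistically (the low bits of a natural image are not uniformly random) is a separate subject the post does not go into.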
Steganography has some practical and some fanciful uses. Its most common everyday appearance is in some printers, which print an almost invisible pattern of colored dots on every page, encoding identifying information about the printer. Presumably, this is to help track down criminals such as counterfeiters. It is also used in digital watermarking, where identifying information is added to copyrighted material. If the material is then distributed in violation of copyright, the distributor can be identified by the watermark.
Steganography is often discussed in a freedom fighter context. An individual subject to a repressive government can use steganography to communicate with supporters inside or outside the regime's control without fear of detection, since the communications themselves are invisible. There has been speculation that steganography has been used by some spy agencies and terrorist groups for exactly that purpose.
All of these uses are intended to keep messages secret from other people.
What I find interesting about the smartphone research is that it uses steganography to keep communications secret from the device that is performing the communication. Android sandboxes each app and mediates direct app-to-app communication as a security measure. The researchers used innocuous system settings and system alert mechanisms, which any app can read and write, to create a secret communication channel between their two applications. The effect of keeping the covert communication secret from the phone is to keep it secret from the phone's owner, but the goal was to fool the device itself.
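Here is an added simulation (mine, not the researchers' code; the post does not name the specific settings they used) of the kind of channel described above. Two "apps" never talk to each other directly: the one holding the secret has no network permission, the one with network permission never sees the secret. All they share is a constructed model of device-wide settings that any app may change, a ringer volume (0 to 7, so three bits per write) and a vibrate flag that the sender toggles as a clock so the receiver knows a fresh symbol is posted. A small scheduler interleaves them the way a real device would, and an audit of setting writes shows the one place the channel is observable at all.

```python
"""Covert channel between two sandboxed apps via shared settings (added simulation)."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class SharedSettings:
    """Constructed model of settings any app may read or write without a permission."""
    ringer_volume: int = 3        # 0..7: the data line, three bits per write
    vibrate: bool = False         # toggled by the sender: the clock line
    writes: list = field(default_factory=list)  # audit trail, see settings_churn()

    def set(self, name: str, value) -> None:
        setattr(self, name, value)
        self.writes.append((name, value))


class Sender:
    """App holding the secret (captured digits) but with no network access."""

    def __init__(self, settings: SharedSettings, message: bytes):
        self.s = settings
        # 1-byte length header + message, packed MSB-first into 3-bit symbols.
        bits = "".join(f"{b:08b}" for b in bytes([len(message)]) + message)
        bits += "0" * (-len(bits) % 3)
        self.symbols = [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]
        self.pos = 0

    def step(self) -> bool:
        """Post one symbol; return False once everything has been sent."""
        if self.pos >= len(self.symbols):
            return False
        self.s.set("ringer_volume", self.symbols[self.pos])
        self.s.set("vibrate", not self.s.vibrate)   # clock edge: "new symbol"
        self.pos += 1
        return True


class Receiver:
    """App with network access that never sees the secret directly."""

    def __init__(self, settings: SharedSettings):
        self.s = settings
        self.last_clock = settings.vibrate
        self.symbols = []

    def step(self) -> None:
        """Poll: on a clock edge, sample the data line."""
        if self.s.vibrate != self.last_clock:
            self.last_clock = self.s.vibrate
            self.symbols.append(self.s.ringer_volume)

    def decoded(self) -> bytes:
        bits = "".join(f"{sym:03b}" for sym in self.symbols)
        data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
        return data[1:1 + data[0]] if data else b""


def run_channel(message: bytes, sender_period: int = 3):
    """Interleave both apps: receiver polls every tick, sender writes every
    sender_period ticks. Returns (what the receiver reconstructed, the settings)."""
    settings = SharedSettings()
    tx, rx = Sender(settings, message), Receiver(settings)
    for tick in count():
        more = tx.step() if tick % sender_period == 0 else True
        rx.step()
        if not more:
            break
    return rx.decoded(), settings


def settings_churn(writes: list) -> dict:
    """Count writes per setting: the only trace the channel leaves on the device."""
    churn: dict = {}
    for name, _ in writes:
        churn[name] = churn.get(name, 0) + 1
    return churn


if __name__ == "__main__":
    secret = b"4111111111111111"   # constructed test card number, not real data
    received, settings = run_channel(secret)
    print(received)                         # b'4111111111111111'
    print(settings_churn(settings.writes))  # {'ringer_volume': 46, 'vibrate': 46}
```

Two things worth noticing. First, nothing here is an exploit: every call is a legitimate, permitted settings write or read, which is exactly why the sandbox does not object. Second, the receiver must poll at least as fast as the sender writes or symbols are silently lost, so a real channel has to trade bandwidth for reliability; that trade-off, plus the anomalous churn in settings that normally change a few times a day, is the footprint a detector would have to look for.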
That has interesting implications when you think about zone-oriented security (sandboxes, DMZs, virtual environments, "the green zone"). Security zones always share some kind of resource with the systems they inhabit. If they did not, they would be completely isolated, and there would be no need to establish a security zone in the first place. By repurposing those shared resources, the researchers created an unanticipated use of a benign tool. Because the device that performs the security monitoring is itself the steganographic medium carrying the illicit message, it is extremely hard to detect the wrongdoing as it occurs. It is essentially a heist movie where the bank guard is tricked into carrying a big bag of cash out to the waiting getaway car.