Inside North Korea’s Naenara Browser

Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness.

The Naenara browser is part of the Red Star operating system used in North Korea and it’s a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior. He immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address. That address is not reachable from networks outside the DPRK.

“Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office,” Hansen wrote in a blog post detailing his findings. “The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!”

What that does is give North Korean officials the ability to control exactly what traffic gets in and out of the country’s network.

“One can presume that the intent of this huge local country-wide LAN would be to limit what users can access and also limit what can be accessed by outsiders,” Hansen said by email.

That’s only one piece of the puzzle, though. Hansen also looked at the way the Naenara browser handles things such as email, calendars, certificates and other elements and found a lot of other oddities. For one, the country has implemented a system that enables it to determine precisely when a user installs the anti-phishing and anti-malware lists from the DPRK’s home base.

“That means the microtime of installation is sent to the mothership every single time someone pulls down the anti-phishing and anti-malware lists (from in the browser. This microtime is easily enough information to decloak people, which is presumably the same reason Google built it into the browser,” Hansen said.

Also, any time a browser crashes, the report is sent back to the main DPRK IP address, giving the country valuable insights into what’s causing crashes, and perhaps, new vulnerability data.

“Useful for debugging and also for finding exploits in Firefox, without necessarily giving that information back to Mozilla – a U.S. company,” Hansen said.

All email is also routed through the main IP address in North Korea, as are calendar entries. And, unsurprisingly, the Naenara browser only accepts one certificate–the one provided by the government.

“That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google’s JSON location API it wouldn’t help, because the connection and contents can be monitored by them,” Hansen said. 

Researchers have known for a long time that the North Korean government exerts serious control over the online movements of its citizens, but the details of how that system works provide an interesting look at the technical measures the country employs.

“It is odd that they can do all of this off of one IP address. Perhaps they have some load balancing but ultimately running anything off of one IP address for a whole country is bad for many reasons. DNS is far more resilient, but it also makes things slower, in a country with Internet connectivity that is probably already pretty slow. If I were to guess, the DPRK probably uses a proxy and splits off core functions by URL to various clusters of machines,” Hansen said.
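One way an analyst could check whether a forked browser's built-in services all converge on a single non-routable address, shown here as an added example that is not Hansen's code or part of the original article: it parses Firefox-style preference lines and flags URL hosts that are non-global IP literals. The sample preferences, their values and the address 10.0.0.1 are constructed placeholders, not values taken from Naenara.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Firefox prefs.js syntax. Pref names follow Firefox
# conventions; every value, including 10.0.0.1, is a placeholder.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://10.0.0.1/");
user_pref("browser.safebrowsing.provider.0.updateURL", "http://10.0.0.1/safebrowsing/downloads?client=example");
user_pref("breakpad.reportURL", "http://10.0.0.1/crash/report");
user_pref("app.update.url", "https://updates.example.org/update.xml");
user_pref("browser.search.defaultenginename", "Example");
'''

# Matches pref("name", "string value"); and user_pref(...) lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*"([^"]*)"\);', re.M)


def endpoints_by_host(prefs_text):
    """Map each URL host found in string prefs to the pref names using it."""
    hosts = defaultdict(list)
    for name, value in PREF_RE.findall(prefs_text):
        if not value.lower().startswith(("http://", "https://")):
            continue  # not a URL-valued preference
        host = urlsplit(value).hostname
        if host:
            hosts[host].append(name)
    return dict(hosts)


def non_routable_hosts(prefs_text):
    """Return {ip: [pref names]} for hosts that are non-global IP literals."""
    flagged = {}
    for host, names in endpoints_by_host(prefs_text).items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not an IP literal
        if not addr.is_global:  # RFC 1918, loopback, link-local, etc.
            flagged[host] = sorted(names)
    return flagged


if __name__ == "__main__":
    for ip, names in non_routable_hosts(SAMPLE_PREFS).items():
        print(ip, "<-", ", ".join(names))
```

A single flagged address that serves the homepage, list updates and crash reporting at once is the pattern the article describes.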

  • Esra Erimez on

    While this solution may appear to be inefficient, it does provide what the leaders of the country want, total control of all in and outbound communication. Also, I doubt that they have anywhere near the number of users that the A class address provides for the general population of the country but it could be made to work. -- Esra Erimes
  • Kaetemi on

    From what I've heard, they are indeed using proxies for web traffic; and those proxies do require a login. Apparently, depending on the rights associated with your login, you can access the public internet through this proxy system. Each building has its own isolated LAN; any access outside a building goes through the building's proxy to the central network.
  • ExtraT on

    It's funny that the author sidesteps the simple logical conclusion of the one-IP solution: DPRK's internet network is very small - with total number of users probably measured in tens of thousands.
  • Mike on

    I'm a robot!
  • Charles on

    Most likely, there aren't as many active users as everyone thinks they are. Moreover, the users must be very aware that the service is available for productivity only. Interesting thought.
  • Jonadab on

    Sixteen million addresses is WAY more than they're actually using, I'm pretty sure. There's no way in the world they'd let that many of their people use the internet. It's probably limited to a few thousand people, most of whom can only access the internet using government-owned computers in government buildings as part of their government jobs and probably only have access to a relatively small number of whitelisted sites. The number of North Koreans who can use the internet in a normal fashion like we take for granted elsewhere probably doesn't go into four digits.
  • Khan on

    Pretty much everybody on the internet is sitting behind a proxy. If you're at work, then you are probably behind the corporate proxy; if you're on your residential internet, then there is a good chance some of your traffic may be behind a transparent proxy; if you're on your cell 3G/LTE, then there's an excellent chance you are behind a double NAT and a decent chance everything is proxied.
