Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness.
The Naenara browser is part of the Red Star operating system used in North Korea and it’s a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11. That address is not reachable from networks outside the DPRK.
“Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office,” Hansen wrote in a blog post detailing his findings. “The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!”
What that does is give North Korean officials the ability to control exactly what traffic gets in and out of the country’s network.
“One can presume that the intent of this huge local country-wide LAN would be to limit what users can access and also limit what can be accessed by outsiders,” Hansen said by email.
All of North Korea’s Web traffic is run on a country-wide LAN.Tweet
That’s only one piece of the puzzle, though. Hansen also looked at the way the Naenara browser handles things such as email, calendars, certificates and other elements and found a lot of other oddities. For one, the country has implemented a system that enables it to determine precisely when a user installs the anti-phishing and anti-malware lists from the DPRK’s home base.
“That means the microtime of installation is sent to the mothership every single time someone pulls down the anti-phishing and anti-malware lists (from 10.76.1.11) in the browser. This microtime is easily enough information to decloak people, which is presumably the same reason Google built it into the browser,” Hansen said.
Also, any time a browser crashes, the report is sent back to the main DPRK IP address, giving the country valuable insights into what’s causing crashes, and perhaps, new vulnerability data.
“Useful for debugging and also for finding exploits in Firefox, without necessarily giving that information back to Mozilla – a U.S. company,” Hansen said.
All email also is routed through the main IP address in North Korea, as do calendar entries. And, unsurprisingly, the Naenara browser only accepts one certificate–the one provided by the government.
“That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google’s JSON location API it wouldn’t help, because the connection and contents can be monitored by them,” Hansen said.
Researchers have known for a long time that the North Korean government exerts serious control over the online movements of its citizens, but the details of how that system works provide an interesting look at the technical measures the country employs.
“It is odd that they can do all of this off of one IP address. Perhaps they have some load balancing but ultimately running anything off of one IP address for a whole country is bad for many reasons. DNS is far more resilient, but it also makes things slower, in a country with Internet connectivity that is probably already pretty slow. If I were to guess, the DPRK probably uses a proxy and splits off core functions by URL to various clusters of machines,” Hansen said.