Steganography

Steganography is the act of hiding information within something else. As you can see from the Wikipedia page, it comes in many forms, such as numbers revealed under different colours or Jeremiah Denton blinking “TORTURE” in Morse code when he was held as a prisoner of war. For this post, I will be focusing on steganography in digital forms. I will not cover every possibility in digital form because this post would never end.

Encryption And Steganography

There are many circumstances in which you may want to send or store information securely. In a broader sense, encrypting your disk with LUKS or specific files with PGP is steganography. The problem with this is usually that if someone tortures you, you are most likely going to give up the key, and if you are incapable of doing so, for example because the key was on a drive that was destroyed, good luck convincing your captors of that. In some circumstances, a good option would be to hide critical information within something else. Normal encryption openly says you are hiding information, but with steganography it is difficult for someone to determine if anything is even there.

Text

There are many ways to hide information in digital text, like using non-printing Unicode characters, a message in the pattern of deliberate errors and marked corrections in a word processing document, etc. Some simple examples I did as a kid, and you may have done too, are putting a sentence together from every Xth word in a text, using the first letter of each line, or combining all the digits in a text and converting them to letters based on a pre-defined set of rules. This was always fun to do in class. The ciphertext method, where letters are swapped with other letters, was also fun, but when the message was intercepted by the teacher, they would know there was a hidden message. With steganography, they wouldn’t even know.
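As an added example (not code from the original post), here is the non-printing Unicode character method together with the check a defender would run against it. The bit mapping and the function names are assumptions made up for this illustration.

```python
import unicodedata

# Assumed bit mapping for this example (not from the post):
# ZERO WIDTH SPACE = 0, ZERO WIDTH NON-JOINER = 1.
ZERO, ONE = "\u200b", "\u200c"

def hide(cover, secret):
    """Insert the secret's UTF-8 bits as invisible characters after the first word."""
    bits = "".join(f"{byte:08b}" for byte in secret.encode("utf-8"))
    payload = "".join(ONE if bit == "1" else ZERO for bit in bits)
    head, sep, tail = cover.partition(" ")
    return head + payload + sep + tail

def reveal(text):
    """Collect the two marker characters and turn each group of 8 bits back into a byte."""
    bits = "".join("1" if ch == ONE else "0" for ch in text if ch in (ZERO, ONE))
    usable = len(bits) - len(bits) % 8  # ignore a trailing partial byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")

def find_invisible(text):
    """Report (offset, name) for every Unicode format (Cf) character.

    Cf also covers legitimate uses such as joiners in emoji and some scripts,
    so a hit is something to review, not proof of a hidden message.
    """
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(text) if unicodedata.category(ch) == "Cf"]

def strip_invisible(text):
    """Drop all Cf characters, which destroys a payload hidden this way."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

if __name__ == "__main__":
    cover = "Meeting notes for Tuesday"  # constructed sample text
    stego = hide(cover, "hi")
    print(repr(stego))  # the escapes are only visible in repr()
    print(reveal(stego))
    for offset, name in find_invisible(stego):
        print(offset, name)
    print(strip_invisible(stego) == cover)
```

The stego text looks identical to the cover text on screen, but it is 16 characters longer, which is why a length or code point check catches it when reading the text does not.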

Images

Computerphile has a great video on steganography in images (archive.org) if you want to watch it. There are many different programs available to be able to do this for yourself. An example. Depending on how you do it, and on whether your attacker can get the original image, it can be obvious.

As mentioned in the video, rights holders of images like stock photo companies may embed watermarks to say they own it and if it is used without their permission for something, they can fight the person using the image.

Audio

An image or text can be concealed in a sound file and revealed when the file is analysed with a spectrogram. An example is Nine Inch Nails in their album Year Zero.

File System

This is a complex section, and issues such as entropy can become a big problem. Plausible deniability can mean you decrypt data to reveal one thing and deny that another key exists which decrypts the same area of data to reveal the really hidden data. If you are forced to decrypt data on a drive under threat of torture (either physical harm or being put in prison if you do not comply), programs like VeraCrypt with hidden volumes can be useful: on one hand you show a great movie on how your draconian government is amazing, while hiding a copy of a religious book. You can also look into Plausible Deniability With LUKS and a page on deniable file systems with relevant publications at the bottom. Check out FractalCrypt too.

Printers

You can leave certain patterns when printing a document to be able to derive a message. Most people do not know that a lot of printers put a lot of information on each sheet. This is hidden from the user and can include the model, serial number, and timestamps using a dot-matrix code. This is something governments like to do with letters sent to them.

Piracy

For piracy of software, movies, video games and a lot of other media, people who legally own the software can have a hard time tracking who cracked it and is distributing it. Steganography can help them hide identifying information within a copy of something they made and when an illegal copy is found, they can trace it back to the original person that pirated that copy.

Malware

With CDR (content disarm and reconstruction) software, anti-viruses being okay, and a variety of programs for people to use, crafting stegomalware that works is difficult. If achieved, something that doesn’t seem malicious for a user to open, like an image or a PDF, can pwn their system using a vulnerability in the program they used to open it.

Detection

Steganography can still be detected depending on the circumstances so you should be careful regardless. Like everything, it isn’t a magic bullet so don’t treat it as one.

Conclusion

Steganography is a strong response to the issues faced with using standard encryption and comes in many forms. As you can imagine, it can be used for good and bad but it is ultimately just another (very cool) tool.