When the ancient Greeks wanted to get something done, they really committed. In 499 B.C., in a bid to get out of an unpleasant job assignment, Histaeus, the leader of Miletus, plotted a rebellion against the Persian king Darius the Great. Elaborately coded missives sent to co-conspirators would only rouse suspicion. He needed something much sneakier. So Histaeus shaved his favorite slave’s head, tattooed the message on his scalp, and then waited for the hair to grow back. When the tattoo was sufficiently covered up, he sent the slave to visit his co-conspirator, who knew where to find the goods.
This bit of stealth – not just sending a secret message but doing it in such a way that obscures any communication has taken place at all – is called steganography. In the 2500 years since Histaeus started his revolution, technology has helped steganography evolve, yielding methods from invisible ink to microdots, to secret bits stowed inside digital photos. But while this kind of thing makes for entertaining cocktail party chat, it has never borne much direct relevance to most people’s lives.
That’s about to change.
The past few years have seen fundamental changes in means, motive and opportunity for steganography. This has led to an alarming shift in how it is used: where it once mainly allowed (often) scary dudes to chat covertly with other scary dudes, it is now increasingly being used by those same scary dudes to chat covertly with your computer. These developments have so alarmed the folks at Europol that two years ago they put together a special initiative that would study the Cambrian explosion of new steganography tools, and look for ways to fight back.
“2018 is the year of the steganography renaissance,” says Chet Hosmer, founder of computer security firm Python Forensics. “But it’s not just about the tools the bad guys use. This might finally be the year the good guys start fighting back.”
The history of the arms race between the people trying to keep communications secret and those trying to smoke them out makes for good reading. During World War II, spies passed innocuous papers back and forth that would reveal their secrets in the form of microdots (photographed documents which the Germans managed to shrink down to the size of a totally missable period at the end of a sentence). There’s a long, dark internet rabbit hole waiting for the person who types “steganography” into the search bar.
Elegant and intriguing as such methods were, however, they were always hamstrung by two things – the size of the message was limited (for example by the surface area of Histaeus’ slave’s scalp) and if time was of the essence, this method was not your friend.
Those limitations vanished with the digital era. In 1997, the first alarm bells about the radical new potential of steganography were sounded by Craig Rowland, who found it was possible to smuggle secret dispatches using the very protocols the internet used to communicate.
In theory. “No one cared,” says Hosmer. It was an academic amuse bouche, a clever proof of principle, an IT campfire story told by nerds to other nerds. In part because it couldn’t transmit much information, no one really gave it much thought.
Well, maybe criminals did. After the 9-11 attacks, rumours circulated widely of terrorist plots embedded in images of a sewing machine on eBay listings. Other rumours popped up: pedophiles using steganography to embed horrible images inside innocuous ones; corporate spies using it to walk corporate secrets out the door.
These stories reflect the reality that steganography tools have multiplied in quantity and kind. Forget about that scalp – now you can hide messages in anything: streaming video, network communications, Skype calls, email headers. (For silliness, you can’t beat the algorithm that embeds secret messages in club beats.)
But it’s not just that the means to do steganography were multiplying (the last time someone tried to count the number of tools out there, in 2014, they came up with 1250). The motives for using it have changed too. Criminals need steganography today in a way they didn’t until recently – their other avenues for communicating with and controlling malware-infested computer networks are being cut off.
One of the top clues that tips off security researchers to a malware infestation is suspicious communication that shouldn’t be happening. This is a sign that some nefarious outsider is sending instructions to a machine they shouldn’t have access to. Once you’ve found the suspicious communication, you can shut it all down. And security types have gotten very good at finding unauthorised communications. “A lot of places have really clamped down on people leaking information out of their networks,” says Wojciech Mazurczyk, a researcher at Warsaw University of Technology in Poland. “The defensive solutions are increasingly better, so cybercriminals are turning to steganography to cover their tracks.”
To understand how they do this, consider a Trojan discovered in 2011 (dubbed Shady Rat) that communicated secretly with its handlers by uploading and downloading innocuous pictures to popular web sites. These pictures contained its next set of instructions but no one was the wiser. By hiding its existence from IT security types in this way, Hosmer estimates that Shady Rat was able to keep operating undetected for 7 years. In internet years, that’s practically the heat death of the universe.
The explosion of means, plus the motive, has expanded the opportunities for steganography. “There are a lot of potential digital ‘objects’ that can be modified in the communication networks,” says Mazurczyk: not just the images used by Shady Rat but text files, video, audio files, network traffic and much more. Finding the hidden messages in the constant flow of digital traffic is not so much like trying to find a needle in a haystack as trying to find a particular piece of straw in a haystack.
That’s what Mazurczyk is trying to put a stop to, in collaboration with Europol’s European Cyber Crime Centre. A couple of years ago he helped to co-found a new initiative there called Criminal Use of Information Hiding. About 170 security experts from different backgrounds are trying to catch up on basics, such as how to know when a stegged message is embedded in a carrier. Also, because there’s no centralised list of steganographic tools, forensic examiners may not recognise one even when they find it.
Hosmer says another possibility is to radically change all our file protocols. Jpgs, gifs, pngs, mp3s – all of these have loads of storage space just begging for stowaways. They just weren’t designed to resist embedding. A new protocol might.
But such ambitious projects will take years to bear fruit. Hosmer thinks there’s a more immediate option: jam the steganography. This is where you scramble the information in a media file, not enough to damage the file itself, but more than enough to mess up any hidden signal it might be carrying in its bowels.
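The jamming idea described above, as an added example (not code from Hosmer or from any of the sites mentioned): it assumes the simplest hiding scheme, least-significant-bit embedding in raw 8-bit samples, and shows that randomising those bits destroys the payload while changing no sample by more than one level. The function names, the carrier and the payload are constructed for illustration.

```python
import random

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload bits in the least significant bit of each carrier byte."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    """Read n_bytes back out of the carrier's least significant bits."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for p in pixels[b * 8:(b + 1) * 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def jam_lsb(pixels: bytes, rng: random.Random) -> bytes:
    """Sanitize a carrier: overwrite every LSB with a fresh random bit."""
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in pixels)

def max_distortion(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two equally sized carriers."""
    return max(abs(x - y) for x, y in zip(a, b))

def demo() -> dict:
    rng = random.Random(2018)  # fixed seed (assumption) so the run is repeatable
    # Constructed carrier: 64x64 8-bit grayscale samples, not a real image.
    cover = bytes(rng.randrange(256) for _ in range(64 * 64))
    secret = b"constructed test payload"
    stego = embed_lsb(cover, secret)
    jammed = jam_lsb(stego, rng)
    return {
        "before": extract_lsb(stego, len(secret)),   # payload readable
        "after": extract_lsb(jammed, len(secret)),   # payload scrambled
        "distortion": max_distortion(stego, jammed), # visible cost of jamming
    }

if __name__ == "__main__":
    print(demo())
```

Schemes that hide data elsewhere (transform coefficients, metadata, timing) need a matching sanitizer, which is why re-encoding the whole file is the broader form of the same defence.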
In fact, Facebook, Twitter, and some other big social sites may already be engaging in a version of this. “None of them talk about this of course and I don’t want to name names,” says Hosmer. But he has some circumstantial evidence. As part of a graduate cybersecurity class he teaches at Utica College in New York, his students embed secret messages into a variety of media, using a range of steganography algorithms, and then upload the images, video and sound files to “all the big” social networks. “Every single time they re-download any of these files, the payload is gone,” says Hosmer.
When I put this to Facebook’s communications manager for security, he gave me the email version of an elaborate shrug (Twitter and Instagram have not responded). One alternate explanation is that just processing the media files for their servers may simply scramble any steganography as a happy side effect.
But let’s say they are already deliberately giving all their uploaded content a Silkwood shower. Other companies could follow suit. If, say, Amazon and other cloud providers scrubbed all content hosted on Amazon Web Services, they could protect entire companies that are hosted there.
“People are really starting to understand that steganography is a problem,” says Hosmer. But even he is realistic about how much of it we’ll ever be able to defeat. “This has been going on for 2000 years.”