A security researcher recently figured out how to stash the complete works of Shakespeare in a single tweet, which sounds like a really neat way to conceal private data right in public eye…
…but the “hiding place” is pretty obvious once you know what to look for.
You end up with a 64×64 pixel image that weighs in at 2MB, instead of the 10KB or so it would normally be, which could end up attracting the very sort of surveillance attention you were hoping to avoid.
The art of hiding data in plain sight is called steganography – but just how safe is it as a cybersecurity trick?
Here’s what you need to know, all in plain English.
(Watch directly on YouTube if the video won’t play here.)
DannAgro
It’s weird how long steganography has been around, yet no expert etc has ever said anything about how secure and detectable it is. I always feel that I can’t trust it, for no particular reason, and that it’s just too good to be true. Can’t anyone independent comment on its security?
Anonymous
If the data is encrypted with AES256 to begin with, the data is secure and hard to detect.
Paul Ducklin
That’s not quite right, and it’s an assumption that could land you in hot water.
Properly encrypted data is indistinguishable from random noise, so if you hide it in the bottom few bits of each pixel in an image, say, the image will no longer have the same statistical properties as the original, where the camera noise at the bottom of each pixel is nowhere near as random.
(Camera noise may look the same to the human eye, but it will almost certainly have a detectably different distribution of numeric values, and tools already exist that try to figure out whether files such as photos were naturally generated, or synthetically modified for secretive purposes.)
For example, imagine that you have a camera that’s known to have a sensor that never registers pixels that are totally black – let’s assume that it always comes up with an 8-bit intensity level from 1 to 255 instead of from 0 to 255. The bottom bit of each pixel will therefore be 0 a little bit less frequently than if you chose randomly, because there are 128 odd numbers (which end in a -1 bit) between 1 and 255, but only 127 even numbers (which end in -0).
So, if you use the bottom bit of each pixel to hide one bit of your AES encrypted data, a human won’t notice the difference. But the image will show an even balance of 0 and 1 bits, instead of a 127-to-128 ratio – and that’s something a computer program can quickly and easily check.
To hide your AES data as innocently as possible, you’d need to use an encoding system that mimicked real images as closely as possible. That adds difficulty, complexity and the likelihood of coding mistakes…and every time you got a new camera, you’d need to take care to update your encoding system, and so on, and so on.
Even hiding English words believably in existing English text – for example, embedding a hidden sentence A in a text template B – is a real challenge. Here’s a puzzle we set a few years ago – why not give it a go? It looks easy, but it’s not…
https://nakedsecurity.sophos.com/british-crypto-hacking-from-ww2-have-a-try/
As for how a tiny anomaly in random-versus-non-random data can produce detectably inaccurate results, see…
https://nakedsecurity.sophos.com/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/
DannAgro
Thanks for the explanation, Paul, and the fact that, unless you take an incredible amount of trouble, it’s almost impossible to hide the presence of the message, even if it’s been safely encrypted.