You have secrets to keep? Use steganography to hide data in image or audio files.
Hiding secret messages inside what seem to be harmless messages is nothing new. The word steganography itself originated in Greece and means “covered writing”. During important historic events of our past, steganography was often used to trade personal secrets, plan covert operations and send political espionage information.
Image credit: mrpeanut
For example, during World War II, the French RĂ©sistance used invisible ink on couriers’ backs to send messages between RĂ©sistance cells. In Greece, people wrote secret messages on plain wood tablets and covered it with wax. Since wax tablets were popular reusable writing surfaces, the Greeks would simply carve an inconspicuous message into the wax and pass the tablet along. The moment the tablet reached its destination, the wax was melted to reveal the hidden message. Fortunately for all of us, steganography has gotten a lot easier to achieve and a lot harder to reveal: Enter digital steganography.
How digital steganography works
Today’s digital steganography works by adding secret bits (or replacing bits) in files, such as photos or audio files, with secret data. The fact that it’s not widely used and is very hard to “crack” makes it even more appealing, and therefore a pretty good method of transmitting extremely sensitive personal or business information through e-mail, over the Web, or through social channels such as Twitter or Facebook. There are basically two popular approaches:
1. Adding bits to a file: Hidden message could appear in the “file header”, which usually contains information such as the file type or, in the case of JPG images, the resolution and color depth of the photo. Alternatively, since every file has a pre-defined “End of file here” mark, secret messages could simply be attached after the “official” end of the file.
The obvious upside is that the modified file wouldn’t be distinguishable from the original. However, the file in question could grow in size: For example, hiding a 1 Mbyte document inside a 5 Mbyte audio file increases its total size significantly. Outsiders with access to the original file could easily see that there’s hidden data inside – and that counters the concept of undetectability.
Using the “Least Significant Bit” (LSB): Instead of adding bits and increasing the chance of being caught, how about replacing bits of the original file? In order to not damage or alter the file itself, simply use data parts that are not important to the overall file. Here’s how it works: Every byte is made up of 8 bits. However, not all of these 8 bits are necessary to (for example) define if a pixel of an image is red or white. This is the perfect spot to hide secret data since a) it doesn’t add any size to the file and b) it doesn’t alter the file itself.
For example, a pixel of an RGB image is defined by three bytes for each color -- by replacing the LSB of each byte, you could hide 3 bits of information in one pixel!
There are even more possibilities with audio streams, since you’re able to replace the typical noise and hissing in songs (especially in older ones) with noise that sounds just a bit different, but is in fact made up of secret data.
As you can see, the possibilities are almost endless – and finding this information through stegoanalysis is extremely tough.
How to hide data inside an image
There are several tools that will hide files inside files. One I’m fond of is Invisible Secrets 2.1 (a freeware product formerly known as 1-2-Free Steganography), which is able to embed any kind of information inside either JPEG or BMP files. Its successor, version 4.1, has gone commercial and adds support for PNG, HTML and WAVE files. However, since we’re talking about images first, the free version will do just fine.
Having downloaded and launched Invisible Secrets 2.1, you’ll want to select a photo that you’re going to use to store the secret information in.
Check the “Wipe carrier after process” box if you want to get rid of the original.
Next, you choose the source file(s) you want to hide inside the carrier. You basically embed as many files as you like.
In order to create further “confusion”, click on “Fake files” and embed some temporary files that’ll make it even harder for anyone to spot or decrypt your sensitive information. To add another layer of security, Invisible Secrets is also capable of encrypting the embedded files using Blowfish (CBC) encryption.
At the end of the assistant, you’ll simply specify the name of the output JPG file – such as “Hawaii_01.jpg”
As you can see, despite the fact that we’ve embedded an XLS file as well as six temporary files the image doesn’t appear any different.
In order for your recipient to reveal the information, he or she needs to have Invisible Secrets and select the “Extract and/or Decrypt file(s) from a carrier” option.
Steganography using audio streams
Audio steganography focuses on adding noise or an echo that sounds like it was always meant to be in the recording. One of the more popular tools for that job is mp3stego. Instead of using the LSB technique, mp3stego hides data at the heart of any MP3 file -– the “inner loop”. (The tools developer, Fabien A.P. Peticolas, co-wrote a huge piece on steganography and its mathematic challenges.)
There are some caveats with MP3Stego: First of all, it’s a simple command line tool (though it’s easy to use and there’s also a 3rd party GUI out there). Second, it only supports simple TXT messages and the original audio stream needs to be in the WAV format.
Basically you use MP3Stego to combine your secret TXT file into a WAV file and convert it to an MP3 file -– it works and the data is next to impossible to detect, though it might not appeal to everyone.
A more versatile solution is OpenPuff 3.2 -– a freeware steganography tool that is being kept up-to-date on a regular basis (don’t let the 1998-style Fortunecity website and the retro look fool you, this tool is top notch). It supports MP3, 3gpp, Aiff, Wave and other various formats. Keep in mind: In order to be distortion-free, each MP3 file has a limited number of bytes that you can use to store data.
In the example above, we needed to select multiple MP3 files (each with about 450 Bytes to 1.8 Kbytes of available hidden storage) in order to squeeze our 5.4 Kbyte Excel file in. While that makes the amount of data a bit bulky, it also heightens the steganography effect: An outsider would need all of the MP3 files in order to even be able to detect that there’s (encrypted!) material inside.
The moment you hit “Hide Data!”, you’re good to go.
Steganography of VoIP audio streams
One of the more recent uses of steganography is to create a “covert channel” inside a regular VoIP audio stream. This real-time approach to steganography makes anyone who is tapping into a VoIP conversation record a totally different audio file. There are some proof-of-concept scenarios out there that explain and demonstrate VoVoIP (Voice-over-Voice-over-IP) and how it’s using the G.711 codec to hide real-time data in streams. Yet again, there are some challenges to face such as compensating for data packet loss or audio decoding. One tool to keep an eye on in that area is SteganRTP, once presented at the Defcon Hacker conference (PDF) and available on SourceForge, which provides a full-duplex covert channel.
Companies need to keep an eye out
Steganography is still not widely used, and in the rare instances when it is used it is hard to identify. That’s what makes it so appealing (that, and feeling like a character on 24 or X-Files for a couple of minutes). If you need to transmit data from one person to another or simply hide the very existence of that data on your hard disk, steganography in combination with encryption is a good attempt. On the other hand, enterprises need to be aware of this type of attack, as it poses a serious data leakage problem. The problem is that many companies don’t deploy countermeasures to steganography because they’re not aware of the problem.
Bottom line: it’s a technology to keep an eye on – both from the perspective of the enterprise needing to protect sensitive information, as well as the individual who wants to transmit data via one of the safest ways possible.
