[Written on December 4th 2003]

Breaking steganography software in 10 seconds:

SQFileHide


Steganography strength (is it easy to see there is hidden data?): Low
Cryptography strength (is it easy to recover the hidden data?): Low


     1. First look, first surprise

A company called MicroIdea sells a steganography / cryptography shareware called "Safe and Quick File Hide" version 2002, for 20 dollars. This program can hide files from Explorer windows, making them harder to find, encrypt files, or camouflage them inside an innocuous-looking carrier, like image or sound data. It has a nice non-rectangular interface. There is one original routine: it protects itself against uninstallation, apparently by running two similar programs at the same time that protect each other (so you have to close both at the exact same time, which is almost impossible by hand). If you don't know the password, you cannot uninstall it. In theory.

It's incredible how you can get a rough idea about a program just by reading its web presentation or help files. I read the whole thing, which has a little bit of the usual snake oil ("unbreakable military grade crypto algorithm") but not that much. And then I almost choked when I read their point no. 9: "Password-Get-Back support. Sometimes you may forget the password. Don't worry about it; just click the button in the login dialog, then your password will safely return to your email box". Arg.

In a strong cryptographic system, if you lose your password, you're toast. There is absolutely no way to get your data back. That's why it's secure. That's the whole point of cryptography. If there is an easy way to get back a forgotten password, that means the password is stored somewhere in plain text, or in some equally readable form. If someone (in this case, the developers of this software) can recover your password and send it back to you, then everybody can recover it too.

Which means this system is not secure at all. Anybody can read, directly or remotely with the help of some trojan, what is inside your encrypted files, even if they are encrypted with a strong algorithm (in this case, some strings in the executable seem to point to RC4 by RSA Labs). Who cares, the attacker has the password!

A simple analogy would be installing an ultra-solid 10 cm thick steel door with a super-secure lock, and leaving the key right there in front of the door. Or encrypting your hard drive with PGP and sticking a post-it with your password on the side of the screen. Security is a whole system, not just the use of one secure algorithm. A single weakness in the system, and the overall security is compromised; everything crumbles down. The global security level is at best the security level of the weakest step.

Some people may think: "But nobody can or will access my computer! So nobody will get the password!" It's a circular argument. If you are absolutely certain that nobody will ever break into your computer, then you don't need cryptography in the first place.

     2. So where is the damn password and how did you find it?

These pages are supposed to be about the detection of steganography. Okay, just for a minute, let's talk about how to get the password.

No complex reverse engineering was necessary. Anybody can do the same. I used Filemon to see which file was opened by SQFileHide while it was checking the password validity. This file contains the password. It is a "hidden" file in a "hidden" directory that contains a few other things: it does not appear in Explorer. But it is still there. If you type the complete path in an editor, you will load it. Then you will see that it has the same length as the password (maximum 18 bytes), and, by comparing its content after a few password changes ("aaaa", "aaab" for example), that it is XORed with a fixed hardcoded 18-byte key. This key is:

B0 63 E6 0F E7 0C F8 AD A9 D7 1B 6A 1D 21 D8 AD 3B E1

This is how the developers can recover your password. But now, of course, anybody can do the same. Security by obscurity does not work.
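As an added illustration of the point above (this is not SQFileHide's code, and the key and stored bytes are constructed for the demo, not taken from the program): a model of a stored password XORed with a fixed key, showing why the "aaaa" / "aaab" comparison exposes the scheme, and why anyone holding the key, or even one known password, can read any store without knowing a secret.

```python
KEY_LEN = 18                                   # the page: fixed 18-byte key, max 18-byte password
DEMO_KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))  # CONSTRUCTED key for the demo, not the real one


def xor_store(password: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Model of the weak scheme: byte i of the password XORed with byte i of the
    fixed key. XOR is its own inverse, so this also turns the store back into
    the password; nothing here depends on a secret the user holds."""
    if len(password) > len(key):
        raise ValueError("password longer than the fixed key")
    return bytes(p ^ k for p, k in zip(password, key))


def recover_key(stored: bytes, known_password: bytes) -> bytes:
    """One known password and its stored form give the key bytes it covers:
    key = stored XOR password (an 18-char password reveals the whole key)."""
    return bytes(s ^ p for s, p in zip(stored, known_password))


def changed_positions_match(store_a: bytes, store_b: bytes, pw_a: bytes, pw_b: bytes) -> bool:
    """The comparison test from the text: with a per-position XOR, changing one
    password character changes exactly the same position in the stored file.
    A proper cipher or a salted password hash would not behave this way."""
    changed_pw = [i for i, (x, y) in enumerate(zip(pw_a, pw_b)) if x != y]
    changed_st = [i for i, (x, y) in enumerate(zip(store_a, store_b)) if x != y]
    return changed_pw == changed_st


def demo() -> bytes:
    """Walk through the analysis on constructed data and return the recovered
    password of a third, 'unknown' store."""
    a, b = b"aaaa", b"aaab"
    store_a, store_b = xor_store(a), xor_store(b)
    assert changed_positions_match(store_a, store_b, a, b)
    key_prefix = recover_key(store_a, a)          # first 4 key bytes, from what we typed
    unknown_store = xor_store(b"pa55")            # someone else's stored password
    return xor_store(unknown_store, key_prefix)   # -> b"pa55", no secret needed
```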

     3. What about the steganography routine?

The steganography part took me ten seconds to crack. And I'm not even kidding.

8 seconds to start the software, look around, and do a first test by hiding a small text file called "hidden_file.txt" inside a very small JPG image file.

1 second to open the resulting carrier image file in a hexadecimal editor.

1 second to scroll down and see the file in its entirety.

0 seconds to understand how it works: it is evident if you know a little bit about some common file formats.

Here is the resulting file in a hexadecimal editor. Anybody who is even remotely familiar with the ZIP compression file format ("PK" markers; several directory entries containing the names of the files in the archive) will understand right away: my hidden text has been zipped, and the ZIP file has been glued to the end of the JPG (you may recognize the "FF D9" end-of-image mark of the JPG file format at offset 0x159, immediately followed by the "PK" signature at 0x15B). In the original screenshot the JPG is in white, the ZIP in yellow.

00000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 ......JFIF.....H
00000010 00 48 00 00 FF DB 00 43 00 06 04 05 06 05 04 06 .H.....C........
00000020 06 05 06 07 07 06 08 0A 10 0A 0A 09 09 0A 14 0E ..............¶.
00000030 0F 0C 10 17 14 18 18 17 14 16 16 1A 1D 25 1F 1A ....¶...¶....%..
00000040 1B 23 1C 16 16 20 2C 20 23 26 27 29 2A 29 19 1F .#... , #&')*)..
00000050 2D 30 2D 28 30 25 28 29 28 FF DB 00 43 01 07 07 -0-(0%()(...C...
00000060 07 0A 08 0A 13 0A 0A 13 28 1A 16 1A 28 28 28 28 ........(...((((
00000070 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 ((((((((((((((((
00000080 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 ((((((((((((((((
00000090 28 28 28 28 28 28 28 28 28 28 28 28 28 28 FF C0 ((((((((((((((.+
000000A0 00 11 08 00 70 00 5A 03 01 22 00 02 11 01 03 11 ....p.Z.."......
000000B0 01 FF C4 00 15 00 01 01 00 00 00 00 00 00 00 00 ..-.§...........
000000C0 00 00 00 00 00 00 00 08 FF C4 00 14 10 01 00 00 .........-.¶....
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF C4 ...............-
000000E0 00 14 01 01 00 00 00 00 00 00 00 00 00 00 00 00 .¶..............
000000F0 00 00 00 00 FF C4 00 14 11 01 00 00 00 00 00 00 .....-.¶........
00000100 00 00 00 00 00 00 00 00 00 00 FF DA 00 0C 03 01 ...........+....
00000110 00 02 11 03 11 00 3F 00 95 00 00 00 00 00 00 00 ......?.ò.......
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 7F FF D9 50 4B 03 04 14 ..........+PK..¶
00000160 00 02 00 08 00 9C B3 84 2F EB 42 27 A2 10 00 00 .....£¦ä/.B'ó...
00000170 00 0E 00 00 00 12 00 00 00 68 69 64 64 65 6E 5F .........hidden.
00000180 6D 65 73 73 61 67 65 2E 74 78 74 0B FA 96 9D 97 message.txt.·û¥ù
00000190 99 97 AE 90 F2 2D 25 B1 48 11 00 50 4B 01 02 00 Öù«É.-%.H..PK...
000001A0 00 14 00 02 00 08 00 9C B3 84 2F EB 42 27 A2 10 .¶.....£¦ä/.B'ó.
000001B0 00 00 00 0E 00 00 00 12 00 00 00 00 00 00 00 00 ................
000001C0 00 00 00 00 00 00 00 00 00 68 69 64 64 65 6E 5F .........hidden.
000001D0 6D 65 73 73 61 67 65 2E 74 78 74 50 4B 05 06 00 message.txtPK...
000001E0 00 00 00 01 00 01 00 40 00 00 00 40 00 00 00 00 .......@...@....
000001F0 00 5B 01 00 00 96 00 00 00 CC 99 FF 66             .[...û...¦Ö.f

You can just rescue this concatenated ZIP by copy-pasting the bytes, saving them under the name you want, and opening the result with your favorite ZIP manager like WinZip: it is perfectly valid and not even encrypted. It's actually smart to use the robust ZIP file format to archive the hidden files (or even folders) rather than inventing a new one. But of course, the security is very low. Anything added at the end of a strictly defined file format like JPG is as detectable as a nose on a face.
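An added example, not code from SQFileHide or from the original page: a detector for exactly this trick. It walks the JPEG marker structure to find the real end-of-image marker (so an EOI inside an embedded thumbnail is not mistaken for the end), reports any bytes after it, and lists the archive members when the tail starts with a ZIP signature. The carrier bytes are constructed inline and are a JPEG-shaped stub, not a real image.

```python
import io
import zipfile

SOI, EOI, ZIP_LFH = b"\xff\xd8", b"\xff\xd9", b"PK\x03\x04"

def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the real EOI. Segment lengths are honoured; in scan data
    FF is only followed by 00 (stuffing) or D0-D7 (restart), so other FF xx ends it."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i:#x}")
        m = data[i + 1]
        if m == 0xD9:                                    # EOI: the real end
            return i + 2
        if m == 0xFF or m == 0xD8 or 0xD0 <= m <= 0xD7:  # fill byte / standalone marker
            i += 1 if m == 0xFF else 2
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")  # skip this segment
        if m == 0xDA:                                    # SOS: skip entropy-coded data
            while i + 1 < len(data) and not (data[i] == 0xFF and data[i + 1] != 0
                                             and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    raise ValueError("no EOI marker found")

def find_appended_payload(data: bytes) -> dict:
    """Bytes after the JPEG end, plus the member names if the tail is a ZIP."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    report = {"jpeg_end": end, "trailing_bytes": len(tail), "zip_members": []}
    if tail.startswith(ZIP_LFH):
        with zipfile.ZipFile(io.BytesIO(tail)) as zf:
            report["zip_members"] = zf.namelist()
    return report

def build_sample(with_payload: bool = True) -> bytes:
    """CONSTRUCTED carrier, not a real image: SOI, an APP0 segment, an SOS with a
    few scan bytes (including a stuffed FF 00), EOI, then optionally a real ZIP
    holding hidden_message.txt glued on the end, as in the dump above."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9      # segment length 16
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"    # segment length 8
    stub = SOI + app0 + sos + b"\x95\x00\xff\x00\x7f" + EOI
    if not with_payload:
        return stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hidden_message.txt", "constructed secret\n")
    return stub + buf.getvalue()
```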

     4. Conclusion

This program uses a very detectable technique, similar to the one used in Camouflage, and the level of security is just as low. I don't think I need to write any program to retrieve the hidden data here: just use a hexadecimal editor and a ZIP manager. My hope is that the developers will increase the security level of this software in the next release. They showed some originality in several ideas; now they just have to think a little bit more about the security side.

Have a nice day!


     Guillermito, December 4th 2003