North Korea’s Naenara Web Browser: It’s Weirder Than We Thought

Naenara Browser is the DPRK’s version of Firefox that comes built into Red Star OS, the official operating system of North Korea. I recently got my hands on Naenara Browser version 3.5. My first impression in playing with it is that this is one ancient version of Firefox. Like maybe more than a half dozen major revisions out of date? It’s hard to tell for sure in cursory checking but the menus remind me of something I used to use 5+ years ago. That’s not too surprising; it’s tough to have a browser and update it all the time, especially with such a small team devoted to the project, as I’m sure they have a lot of other things going on.

When I first saw an image of the browser I was awe-struck to see that it made a request to an address (http://10.76.1.11/) upon first run. That may not mean much to someone who doesn’t deal with the Internet much, but it’s a big deal if you want to know how North Korea’s Internet works.

If you want to send a request to a web address across the country, you need to have a hostname or an IP address. Hostnames convert to IP addresses through something called DNS. So if I want to contact www.whitehatsec.com DNS will tell me to go to 63.128.163.3. But there are certain addresses, like those that start in “10.”, “192.168.” and a few others that are reserved and meant only for internal networks – not designed to be routable on the Internet. This is sometimes a security mechanism to allow local machines to talk to one another when you don’t want them to traverse the Internet to do so.

Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office. The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!

But it doesn’t stop there! No! No sirrreee… I started digging through their configuration settings and here are some gems:

  1. They use the same tracking system Google uses to create unique keys, except they built their own. That means the microtime of installation is sent to the mothership every single time someone pulls down the anti-phishing and anti-malware lists (from 10.76.1.11) in the browser. This microtime is easily enough information to decloak people, which is presumably the same reason Google built it into the browser.
  2. All crash reports are sent to the mothership (10.76.1.11). So every time the browser fails for some reason they get information about it. Useful for debugging and also for finding exploits in Firefox, without necessarily giving that information back to Mozilla – a U.S. company.
  3. All news feeds go back to the mothership in a specially crafted URL: http://10.76.1.11/naenarabrowser/rss/?url=%s At first it was unclear if that actually does anything or not, since we can’t see the IP address, but it looks like it probably does act as a feed aggregator.
  4. Strangely, the browser adds “.com” instead of “.com.kp” as a suffix when the browser can’t find something. It’s odd because this means in some cases this might accidentally be contacting external hosts when someone typos something in the country. A bad design choice, but perhaps meant for usability since most things live on .com.
  5. There are quite a few references to “.php” on the mothership website. I would be unsurprised if most things on it were written in PHP.
  6. Then I spotted this little number: http://10.76.1.11/naenarabrowser/%LOCALE%.www.mozilla.com/%LOCALE%/firefox/geolocation/ This is the warning that pops up when users turn on geolocation. But here’s the really crazy part: if you remove the DPRK specific URL part and just leave it as %LOCALE%.www.mozilla.com/%LOCALE%/firefox/geolocation/ and substitute %LOCALE% with “ko” you end up on Mozilla’s site translated into Korean. Could the mothership be acting as a proxy? Is that how people are actually visiting the Internet – through a big proxy server? Can that really be true? It kind of makes sense to do it that way if you want to allow specific URLs through but not others on the same domain. Hm!
  7. More of the same. This time the safe browsing API that Google supports to find phishing/malware stuff — http://10.76.1.11/naenarabrowser/safebrowsing.clients.google.com/safebrowsing/diagnositc?client=%NAME%&hl=%LOCALE%&site= — if you remove the preceding part of the URL and fill in the variables it’s a real site. And there are a bunch more like this.
  8. Apparently they allow some forms of extensions, plugins and themes, though it’s not clear if this is the whole list or their own special brand of allowed add-ons: http://10.76.1.11/naenarabrowser/%LOCALE%/%VERSION%/extensions/ http://10.76.1.11/naenarabrowser/%LOCALE%/%VERSION%/plugins/ http://10.76.1.11/naenarabrowser/%LOCALE%/%VERSION%/themes/
  9. Apparently all of the mail from the country goes through the single mothership URL. Very strange to build it this way, and obviously vulnerable to man in the middle attacks, sniffing and so on, but I guess no one in DPRK has any secrets, or at least not over email: http://10.76.1.11/naenarabrowser/mail/?To=%s I found a reference to “evolution” with regards to mail, which means there is a good chance North Korea is using the Evolution project for their country.
  10. Same thing with calendaring? So many sensitive things end up in calendars, like passwords, excel spreadsheets, etc… it’s still very odd that they haven’t bothered using HTTPS internally: http://10.76.1.11/naenarabrowser/webcal/?refer=ff&url=%s
  11. This one blew my mind. Either it’s a mistake or a bizarre quirk of the way DPRK’s network works but the wifi URL for GEO still points to https://www.google.com/loc/json – not only is there no way for this to work since Google hasn’t gone through the country with their wifi cars, and it’s on the public Internet without going through their proxy of doom, but also it’s over HTTPS, meaning that if it were able to be contacted, the DPRK might have a hard time seeing what is being sent. Would they allow outbound HTTPS? More questions than answers it seems.
  12. The official Naenara search function isn’t Google, and it’s not even clear if it’s a proxy or not. But one thing makes me think it might be – it’s in the UTF-8 character encoding, and not something that you might expect like BIG5 or ISO-2022-KR or SHIFT_JIS or something. http://10.76.1.11/se/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&keyword= But wait a tick, after a little digging I found a partial match on the URL: /search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1 and where did I find this? Google. Are they proxying Google results? I think so! That means that depending on what Google can put on those pages, they technically can run JavaScript and read the DPRK’s email/calendars, etc. using XMLHttpRequest, since they are all on the same domain. Whoops!
  13. In looking around at the certificates that they support, I was not surprised to find that they accepted no other certificates as valid – only their own. That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google’s JSON location API it wouldn’t help, because the connection and contents can be monitored by them. Likewise, no other governments can man in the middle any connections that the North Koreans have (I’m saying that with a bit of tongue in cheek, because of course they can according to Wikileaks docs, but this probably makes the DPRK feel better — and more importantly they probably don’t know how to do it in the same way as the NSA does, so they have to rely on draconian Internet breaking concepts like this).
  14. The browser automatically updates, without letting the user disable that function. That’s actually a good security measure, but given how old this browser is, I doubt they use it often, and therefore it’s probably not designed to protect the user, but rather allow the government to quickly install malware should they feel the need. Wonderful.
  15. Even if the entire Internet is proxied through North Korean servers, and even if their user agent strings are filtered by the proxy, an adversary can still identify a user using Naenara by looking at it in JavaScript space using navigator.userAgent. Their user agent is, “Mozilla/5.0 (X11; U; Linux i686; ko-KP; rv: 19.1br) Gecko/20130508 Fedora/1.9.1-2.5.rs3.0 NaenaraBrowser/3.5b4” So if you see that UserAgent string in JavaScript you could target North Korean users rather easily.
  16. Although the Red Star OS does lock down things like their file manager that only shows you a few directories, disables the command-O (open) feature, removes the omnibar feature and so on, it’s still possible to do whatever you want. Using the browser users can go to file:/// to view files and they can write their own JavaScript using javascript: directives which give them just about any access they want, if they know what they’re doing. Chances are they don’t, but despite their Military’s best efforts the Red Star OS actually isn’t that locked down from a determined user’s perspective.
  17. Snort intrusion detection system is installed by default. It’s either used as an actual security mechanism as it was designed or it could be re-purposed as a way to constantly snoop on people’s computers to see what they are doing when they use the Internet. Even if it didn’t phone home necessarily, the DPRK soldier who broke down your door could fairly easily do forensics and see everything you had done without relying on any IP correlation at the mothership. So using your neighbor’s wifi isn’t a safe alternative for a political dissident using Red Star OS.
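As an added illustration (not code from the post, nor anything shipped with Naenara), the script below takes the URL templates quoted in items 7, 3, 9, 10, 12 and 11 above, placeholders left verbatim, and groups them by web origin, the (scheme, host, port) triple that the same-origin policy isolates. It shows why item 12 matters: search, mail and calendar collapse to a single origin, so content proxied into the search endpoint is not isolated from the mail and calendar endpoints, and it also lists which features are served over plain HTTP.

```python
"""Group the Naenara mothership URL templates by web origin.

The same-origin policy isolates pages by (scheme, host, port). If
third-party content (proxied search results) is served from the same
origin as mail and calendar endpoints, a script in that content can read
those endpoints with XMLHttpRequest. Inputs are the URLs quoted in the
post, with their %s / %LOCALE% placeholders kept as written.
"""
from urllib.parse import urlsplit

# URL templates as they appear in the post (placeholders left in place).
NAENARA_URLS = {
    "safebrowsing": "http://10.76.1.11/naenarabrowser/safebrowsing.clients.google.com/safebrowsing/diagnositc?client=%NAME%&hl=%LOCALE%&site=",
    "rss": "http://10.76.1.11/naenarabrowser/rss/?url=%s",
    "mail": "http://10.76.1.11/naenarabrowser/mail/?To=%s",
    "webcal": "http://10.76.1.11/naenarabrowser/webcal/?refer=ff&url=%s",
    "search": "http://10.76.1.11/se/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&keyword=",
    "geo_wifi": "https://www.google.com/loc/json",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin the same-origin policy uses."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def group_by_origin(urls):
    """Map each origin to the feature names served from it."""
    groups = {}
    for name, url in urls.items():
        groups.setdefault(origin(url), []).append(name)
    return groups


def cross_readable(urls, source, target):
    """True if a script running in `source` could read `target` via XHR."""
    return origin(urls[source]) == origin(urls[target])


def plaintext_features(urls):
    """Features exposed over plain HTTP, readable by anyone on the path."""
    return sorted(n for n, u in urls.items() if urlsplit(u).scheme == "http")


if __name__ == "__main__":
    for (scheme, host, port), names in group_by_origin(NAENARA_URLS).items():
        print(f"{scheme}://{host}:{port} -> {', '.join(names)}")
    print("search can read mail:", cross_readable(NAENARA_URLS, "search", "mail"))
    print("cleartext features:", plaintext_features(NAENARA_URLS))
```

The fix the grouping points at is to serve proxied third-party content from a different host (or port) than mail and calendar, so the browser treats them as separate origins.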

My ability to read North Korean is non-existent, so I had to muddle my way through this quite a bit, but I think we have some very good clues as to how this browser and, more importantly, how North Korea’s Internet works, or doesn’t work, as the case may be.

It is odd that they can do all of this off of one IP address. Perhaps they have some load balancing but ultimately running anything off of one IP address for a whole country is bad for many reasons. DNS is far more resilient, but it also makes things slower, in a country with Internet connectivity that is probably already pretty slow. If I were to guess, the DPRK probably uses a proxy and splits off core functions by URL to various clusters of machines. A single set of F5s could easily handle this job for the entire country. It would be slow, but it doesn’t seem the country cares much about the comforts of fast Internet anyway.

Ultimately the most interesting takeaway for me personally was what lengths North Korea goes to to limit what their people get to do, see and contribute to — censorship at a browser and network level embodied in the OS called Red Star 3.0. It’s quite a feat of engineering. Creepy and cool. Download the Red Star OS here.

  • David Coursey

    Good read, I’m going to pull RSOS down myself to poke around.

    I don’t think it’s so weird that they proxy the entire Internet, any good dictatorship must have absolute control or things go south fast. They could care less if it’s bad design or slow, so long as KJU can get to his Pinterest account everybody else can wait. (Actually he’s probably on a different network than the proletariat.)

    As far as the engineering, you have probably seen more private corporations than I have with proxy hardware handling more users than DPRK can imagine.

  • https://twitter.com/shewfig shewfig

    Given how odd the design is for the browser, it’s conceivable that the address is non-unique, but rather a well-known IP which is implemented upstream in the packet path, similar to most US consumer-grade routers being 192.168.1.1. That would provide scalability and still allow central control.

  • https://twitter.com/geeknik geeknik

    North Korea has the following block assigned to them via APNIC: 175.45.176.0/22.

    inetnum:     175.45.176.0 - 175.45.179.255
    netname:     STAR-KP
    descr:       Ryugyong-dong
    descr:       Potong-gang District
    country:     KP
    status:      ALLOCATED PORTABLE
    mnt-by:      APNIC-HM
    mnt-lower:   MAINT-STAR-KP
    mnt-routes:  MAINT-STAR-KP
    changed:     20091221
    source:      APNIC

    210.52.109.0/24 is also used by North Korea, but is assigned to China Telecom. Lastly, a Russian ISP (SatGate or IntelSat) provides 77.94.35.0/24 to North Korea.

  • Sam

    Just because they all connect to the same IP doesn’t mean they all connect to the same server. They could easily have each city be its own little localnet with that IP as the gateway into the wider network.

    Lots of things have a gateway of 192.168.1.1 but they aren’t all talking to the same device.

  • Pwned

    I think you forgot about certain HTTP headers, which watermark the current Naenara browser user, such as:

    NaenaraBrowserHeaderMAC: 10.37.130.8=001C4225AF4F
    HardwareSN:
    User_AgentSystem: 《붉은별》사용자용체계 3.0판
    Host: 192.168.1.168

  • http://dominoembedded@wordpress.com Domino

    It’s interesting how North Korea refers to itself as the DPRK – Democratic People’s Republic of Korea, when they are the single greatest threat to democracy and freedom the world has ever seen.

    Thanks for the insight, it was a very interesting read.

  • Lance

    “This microtime is easily enough information to decloak people, which is presumably the same reason Google built it into the browser.”

    Can you elaborate on this? Is this the install date and time down to a fraction of a second, stored in some variable somewhere? Is there an easy way to disable this? Maybe an extension everyone can use to reset theirs to Jan 1st 2000 at 12:00:00.00?

  • Maciej Swic

    A 10.x.x.x address doesn’t mean anything if you know nothing about the network. They may be using static routing and could still assign public IPs. Telia in Sweden did that a while back, DNS was 10.10.0.1 but I still had a genuine public IP.

  • jorn

    It’s interesting to see the efforts they go through to simulate both an OS and Internet experience, given that the consumers have no actual benchmark of that reality.

    It’s not like their citizens are going “Wow, this totally looks like the real thing!” when most will have never seen the real thing at all.

    Why bother impressing somebody with a Bentley when they have never seen a horseless carriage before? 😉

  • shinkang

    The post is interesting. I am writing from South Korea. Even for me, this is the first time I have seen how the North Korean browser looks and works!!!

  • Ben Aston

    This is one of the most advanced trolls I have ever seen.

    You poke fun at the DPRK’s unsophisticated attempts to monitor its internet users and call it “creepy” in full knowledge of highly sophisticated Western government programs to do the same.

    I particularly liked this line:

    “I guess no one in DPRK has any secrets, or at least not over email”

    Touché.

    • Cyril Schmedlap

      The concept that humor can be negated by a counterexample is an interesting one. Please discuss this further.

  • Alice

    Hanlon’s Razor, never attribute to malice that which is adequately explained by stupidity. Any similarities or possible connections to the outside world will be either coincidence or mistake.

    The last time I heard anything about North Korean networks, the actual internet was completely air gapped from the internal networks. And very few people had access to rooms where you could connect to the external internet under heavy monitoring. In which case, it doesn’t really matter that they’ve missed a few things.

  • arnold

    At the end of the day, tech savvy westerners get around the barriers, just as North Koreans do. A browser is a socket reader with an HTML parser anyway.

    So they should be sorry for not being able to access the “free world” internet? You know, with all it has to offer…

    Western governments, on the other hand, are really creepy. Facebook, Google… Wikipedia is seriously biased, and don’t make me start with the major news websites… it just couldn’t be more creepy how many biased and hypocritical statements you can find on the internet. And people are hopelessly lured to hand over their personal data, and agree to be tracked, spied on down to their private thoughts. We could say the western internet is censored from the very source; the content itself is twisted.

    Removing all the capitalist propaganda entry points they can does not amount to “limit what their people can do”.
    The average westerner can’t do much really, he just does as he is told, leaves the defaults as they are, works, conducts a life more or less enjoyable, he is much more worried about his wife reading his messages than any mass surveillance.

    • Oliver Tectus

      Found the commie.

      • fluffy doge

        The comment smacks of tankieism, but you can’t really deny that Facebook, Google, and the mainstream media are a little bit on the skeevy side.

        • Oliver Tectus

          Of course not. I have no intention of denying it. However, stating that people are censored in the west because many choose to limit their access to a select few sites is laughably fallacious. The important difference is that no one else is limiting their access. If you choose to limit yourself then that’s on you. However, I have nearly the entirety of the web at my fingertips the moment I boot up any computational device with a browser. Sure, the private data being mined and sold is iffy and needs to be addressed, but his comparison of western internet access to North Korean on the basis of censorship alone is unfounded.

          • Oliver Tectus

            The fact that we HAVE access to this plethora of sites with a myriad of biases proves that we’re free from censorship. As opposed to a hand selected list of sites that cater to one bias and one alone.