
Audio Steganography PT2: Attacking MP3Stego

MP3Stego was developed by Cambridge University for the purpose of hiding information in MP3s. While I am sure it was a purely academic exercise, its source code and binaries are available online and have been used as the basis of a lot of steganographic programs. As MP3 is the most commonly distributed music format, using the format to hide information bypasses a lot of data choke points. P2P networks discreetly handle the delivery of your message, and audio steganography is harder to detect. These three factors of cost, anonymity, and difficulty of detection have made this form of steganography a threat to national security and a target of DARPA. Conversely, the DMCA is looking at the technology as the future of discreet copyright infringement tracking, though the latter holds little interest, as a simple re-encoding of the file will remove any tracking the DMCA was able to embed.

MP3Stego is attacked by changing the lowest bit of part2_3_length, because the secret information is hidden in part2_3_length. MP3Stego can be detected by analyzing the statistics of part2_3_length. Normally, the inner iteration loop of the MP3 encoding process can end as soon as part2_3_length is less than the specified max_length, but with MP3Stego the loop continues until the hidden bit is embedded. The final part2_3_length therefore becomes smaller and the next frame's part2_3_length becomes larger. The block length variance becomes larger in direct proportion.

MP3Stego's variance distribution is dependent on the encoder being used; a difference in encoders can make it appear that the MP3 either does or does not have any hidden data. The wide variety of open source encoders makes detecting steganography from block length variance very difficult.

Below is a snippet of MP3Stego calculating part2_3_length:

void ResvFrameEnd(L3_side_info_t *l3_side, int mean_bits)
{   …
    if (stuffingBits) {  …
#ifdef MP3STEGO // to satisfy the parity requirement
        if (stuffingBits % 2) {
            // odd count: add only the even part so the parity is unchanged
            gi->part2_3_length += stuffingBits - 1;
            stuffingBits = 1;
            l3_side->resvDrain = stuffingBits;
        }
        else gi->part2_3_length += stuffingBits;
#else
        gi->part2_3_length += stuffingBits;
        // in the normal case this requirement does not apply
#endif
    }  …
}
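
The statistical check described above starts by pulling part2_3_length out of each frame's side information. The following Python is an added example, not code from the original post or from MP3Stego: it walks MPEG-1 Layer III frames, collects part2_3_length for every granule and channel, and reports the variance and lowest-bit distribution. The function names, the choice of population variance over the raw values, and the constructed sample stream are assumptions made for illustration.

```python
import statistics

BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]  # kbit/s
SAMPLE_RATES = [44100, 48000, 32000]                                           # Hz

def read_bits(buf, pos, n):
    """Return n bits of buf starting at bit offset pos (MSB first)."""
    return (int.from_bytes(buf, "big") >> (len(buf) * 8 - pos - n)) & ((1 << n) - 1)

def part2_3_lengths(data):
    """part2_3_length of every granule/channel in an MPEG-1 Layer III stream."""
    out, i = [], 0
    while i + 4 <= len(data):
        h = int.from_bytes(data[i:i + 4], "big")
        br, sr = (h >> 12) & 0xF, (h >> 10) & 3
        # Sync word + MPEG-1 + Layer III, with a usable bitrate and sample rate
        if (h & 0xFFFE0000) != 0xFFFA0000 or br in (0, 15) or sr == 3:
            i += 1                      # not a frame header: resynchronise
            continue
        mono = ((h >> 6) & 3) == 3
        nch, si_len = (1, 17) if mono else (2, 32)
        start = i + 4 + (0 if (h >> 16) & 1 else 2)   # skip CRC-16 when present
        si = data[start:start + si_len]
        if len(si) < si_len:
            break                       # truncated final frame
        pos = 9 + (5 if mono else 3) + 4 * nch  # main_data_begin, private_bits, scfsi
        for _ in range(2 * nch):        # 2 granules x channels, 59 bits each
            out.append(read_bits(si, pos, 12))
            pos += 59
        i += 144 * BITRATES[br] * 1000 // SAMPLE_RATES[sr] + ((h >> 9) & 1)
    return out

def summarize(lengths):
    """Statistics to compare against clean output of the same encoder."""
    return {"n": len(lengths),
            "variance": statistics.pvariance(lengths),
            "odd_fraction": sum(v & 1 for v in lengths) / len(lengths)}

def make_frame(lengths):
    """Constructed input: one 128 kbit/s, 44.1 kHz mono frame (417 bytes), zero payload."""
    si = sum(v << (106 - 59 * k) for k, v in enumerate(lengths))  # two granules
    return bytes.fromhex("fffb90c0") + si.to_bytes(17, "big") + bytes(396)

# Constructed sample stream: three frames with hand-picked part2_3_length values
SAMPLE = b"".join(make_frame(p) for p in [(700, 702), (698, 701), (705, 699)])

if __name__ == "__main__":
    print(summarize(part2_3_lengths(SAMPLE)))
```

Because the variance distribution depends on the encoder, the numbers only mean something next to a baseline produced by the same encoder at the same bitrate.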

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.
