Kenneth F. Belva

Attack Vectors Through the Pragmatic Use of Steganography

The BBC reports that Fujitsu has discovered pragmatic uses for steganography. Unfortunately, because the decoded data can redirect the mobile phone’s browser automatically, these images could be used as attack vectors. Here are some quotes from the BBC report:

“The key is to take the yellow hue in the picture and we skew that ever so slightly to create a pattern,” said Mr Nelson.

“A camera is perfectly sensitive to that yellow hue but the human eye doesn’t see it very well.

“Any camera, even those in mobile phones, can decode it very easily.”

Pictures printed with the technique look perfectly normal but a camera can see the code printed into the image.

The technique can currently store just 12 bytes of information – soon to rise to 24 – the equivalent amount of data in a barcode.

That data could be a phone number, a message or a website link.

Printed materials can then connect to the online world by storing information which tells the phone to connect to the web.

Almost any mobile phone can be used but a small Java application must be downloaded before it can be used to decode the information. Other devices such as PDAs with a camera could also be used.

Later on:

And because most modern mobiles can connect to the net they act as a gateway to content that firms want to send to people who have decoded the steganographic pictures, such as music and video.

This leads me to believe there are entirely new avenues for attack.
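One defensive reading of the concern above, as an added example that is not part of the original post or of Fujitsu's software: a decoder app treats the payload recovered from an image as untrusted input and never opens or dials it automatically. The function name, the return format and the policy (http/https only, no userinfo, a 24-byte cap taken from the report's figure) are assumptions.

```python
import re
from urllib.parse import urlsplit

MAX_PAYLOAD = 24                      # bytes; the report cites 12 today, 24 planned
ALLOWED_SCHEMES = {"http", "https"}   # assumed policy, not from the report
PHONE_RE = re.compile(r"\+?[0-9]{3,15}")


def _reject(reason):
    return {"kind": "invalid", "value": None, "action": "reject", "reason": reason}


def classify_payload(raw: bytes) -> dict:
    """Decide what a handset may do with a payload decoded from a printed image.

    The strongest action returned is "confirm" (show the user the real
    destination and wait for consent); nothing is opened or dialled automatically.
    """
    if not raw or len(raw) > MAX_PAYLOAD:
        return _reject("length")
    if any(b < 0x20 or b > 0x7E for b in raw):
        return _reject("non-printable byte")
    text = raw.decode("ascii")

    if PHONE_RE.fullmatch(text):
        return {"kind": "phone", "value": text, "action": "confirm"}

    if "://" in text or text.lower().startswith("www."):
        url = text if "://" in text else "http://" + text
        try:
            parts = urlsplit(url)
        except ValueError:
            return _reject("malformed URL")
        if parts.scheme not in ALLOWED_SCHEMES:
            return _reject("scheme")
        if not parts.hostname or parts.username or parts.password:
            return _reject("host")
        return {"kind": "link", "value": url, "host": parts.hostname, "action": "confirm"}

    # Anything else is shown as inert text and never interpreted.
    return {"kind": "message", "value": text, "action": "display"}


if __name__ == "__main__":
    for sample in (b"http://a.example/x", b"+15550100", b"ftp://a.example"):  # constructed
        print(sample, classify_payload(sample))
```
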

One Comment

  1. swampthing Feb 16, 2007 at 9:53 am

    I wonder if Mobot and Fujitsu should work together to improve the software for taking pictures with your cell phone.

    Then with the Qode platform your mobile phone / PDA will be your mouse to the physical world.

    If the picture or photo had a registered web address you could take a pic of the photo to get to the web address.

    One click instead of multiple clicks is what the industry needs.

    Why is everyone sleeping on this idea?
