Steganography in .m4a files

Steganography is the art and science of communicating hidden data within other, non-hidden data.

You can read more here.

Discussions of steganography often go no further than LSB embedding in pictures (although with pictures you can do something more original).

In this post we want to talk about link steganography (you can read about the principle of link steganography here) in the .m4a (.mp4) format.

General principle

To begin with, let’s outline how it generally works. Any file can be encrypted and represented as base64 text. That text can then be sent to a one-time message service (for example https://onetimesecret.com/).

By sending a message we receive a link like https://onetimesecret.com/secret/jqr1s0o5bvlts8cyice71fvwv0o0ltx

Then we send the link itself to the link shortening service, and we receive the shortened link; for example for goo.su: https://goo.su/SAsb.

As we can see, only 4 bytes remain. If we know in advance which service is being used (in real steganography it is wiser to use your own service) and we already have the decryption key (key exchange is a separate task), then we only need to send 4 bytes to transfer the desired file.

This is the principle of link steganography – we transmit a link to a message, not the message itself.

As an additional benefit, the one-time message service ensures that in the future, even if this key is compromised, a third party will not have access to download this file after it is opened.

Life cycle

Detailed Steganography Algorithm

m4a or mp4

It is correct to say m4a, since mp4 covers many other formats (M4A, M4V, M4R, M4B and others). From here on we will write m4a.

Parsing metadata

Metadata is a collection of the following standardized information about a file:

  • author’s name,

  • permission,

  • color space,

  • copyright,

  • keywords

  • etc.

Metadata in M4A is a complex structure containing many containers and chunks.

The number of structures in M4A metadata may change. The main ones are in the diagram presented above.

We settled on the “moov” chunk.

Moov chunk structure in m4a

After analyzing this chunk, we noticed that we can use a set of hexadecimal values to change the creation and modification times, while leaving the audio track itself intact.

It would be possible to choose other chunks. This can also be combined with “classic” steganography in audio files by slightly changing them. See works on the LSB principle.

Since only 4 bytes need to be transferred, the audio change will be negligible.

For a deeper study of the chunks of the .m4a file, we will leave a link where we described all the chunks in detail.

Work algorithm

GIF visualization of the principles of steganography. Red bold text indicates changed information in the creation_time and modification_time fields.

The first step is to insert a message into the stego container.

Step 1. Write a message

To write a message, we used one-time note services (onetimesecret.com or safenote.co).

Step 2. Shorten the link

The full link to a one-time message will not fit into the stego container, so we used a third-party link-shortening service, goo.su, which gives us 4-7 characters after the last slash (for https://goo.su/SAsb these characters would be “SAsb”).

Step 3: Insert Symbols

We split the characters from this example into a list [S, A, s, b] and, using special dictionaries, translate them into days, hours, minutes and seconds. Then we insert them into special subsections: mvhd-create-date, mvhd-modify-date, tkhd-create-date and tkhd-modify-date.

Message hidden

Stego message extraction

Step 1: Extract Characters

Using the reverse dictionaries, we extract the characters that we wrote into the timestamp subsections.

Step 2. Follow the link

We insert the extracted characters into the link goo.su/ after the slash and follow it.

Message read

Important note. You can open a note only once by running the reverse algorithm, that is, by extracting characters from the metadata and following the service link goo.su. This gives additional security to the steganographic solution.

Sources of embedding and extraction can be downloaded from the link: https://github.com/kib-sources/stego-mp4-link

Risks and Disadvantages

Our project has its own risks in use:

  1. Use of third-party services. Any of the above services that we use may go offline or simply stop working. While that is the case, our solution will not work. This can be solved by embedding information into several services at once and/or developing your own services for link steganography.

  2. Random date change in file metadata. A simple example is the touch command: touch is a Unix command used to set a file's last-modified or last-accessed time to the current time. This can seriously damage the link or simply change it, making it impossible for anyone to read the hidden message. This can be solved by spreading the information across multiple places in the metadata.

How can one detect a stegocontainer in a file?

It is important to understand that detecting stegocontainers in multimedia files, especially using dictionaries and timestamps, is a complex task that requires specialized algorithms and in-depth analysis of the necessary tools. Implementing an accurate and reliable algorithm may require additional research and experience in the field of steganography.

We think the number of music files is quite large. Also, modern neural networks can generate files (their names are legion: https://www.riffusion.com/, https://mubert.com/render, … and many more). For this reason we do not see any special ways to detect steganography. Perhaps we are wrong; we will be glad to hear criticism in the comments.
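An added example (not from the authors' repository) of reading the four fields named in Step 3 for triage: it walks the box structure to mvhd and tkhd, returns their creation and modification times, and notes inconsistencies between them. The consistency checks and the constructed SAMPLE bytes are assumptions of this example; an ordinary file can trip them, and a carefully written container need not.

```python
import struct

def walk(buf, start, end):
    """Yield (type, payload_start, payload_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        head = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size stored after the type
            size, head = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # box extends to the end of its parent
            size = end - pos
        if size < head or pos + size > end:
            return                          # malformed or truncated: stop here
        yield kind, pos + head, pos + size
        pos += size

def read_times(buf, start=0, end=None):
    """Return [(box, creation, modification)], seconds since 1904-01-01 UTC."""
    found = []
    for kind, s, e in walk(buf, start, len(buf) if end is None else end):
        if kind in (b"moov", b"trak"):      # containers holding mvhd / tkhd
            found += read_times(buf, s, e)
        elif kind in (b"mvhd", b"tkhd") and e > s:
            fmt = ">QQ" if buf[s] == 1 else ">II"   # version 1 uses 64-bit times
            if e - s >= 4 + struct.calcsize(fmt):
                found.append((kind.decode(), *struct.unpack_from(fmt, buf, s + 4)))
    return found

def findings(times, now):
    """Heuristic notes (assumed checks); `now` is in seconds since 1904."""
    notes = []
    movie = next((t[1:] for t in times if t[0] == "mvhd"), None)
    for name, c, m in times:
        if m < c:
            notes.append(f"{name}: modified before created")
        if max(c, m) > now:
            notes.append(f"{name}: timestamp in the future")
        if name == "tkhd" and movie and (c, m) != movie:
            notes.append("tkhd: differs from mvhd")
    return notes

def box(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def hdr(c, m):   # constructed, shortened header: version/flags + the two times
    return bytes(4) + struct.pack(">II", c, m)

T0 = 3755376000  # 2023-01-01 00:00:00 UTC expressed in seconds since 1904
# Constructed sample, not a real recording: ftyp, then moov{mvhd, trak{tkhd}}.
SAMPLE = box(b"ftyp", b"M4A ") + box(b"moov", box(b"mvhd", hdr(T0, T0 + 60))
         + box(b"trak", box(b"tkhd", hdr(T0 + 277200, T0 + 100))))
```

On a real file, pass the file's bytes to read_times and the current time (Unix time plus 2082844800) as `now`.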

Sources

  1. Description of all chunks

  2. Link to the code algorithm we wrote

  3. Link to source code repository

We did not have the task of making a full-fledged solution; everything was implemented for research purposes. Ready for harsh but constructive criticism.

The work was done in collaboration with @nurovAm. We thank @PavelMSTU for advice and help.
