Government backdoors and Hiding in emojis, oh my! πσ σ σ σ σ σ ©σ
Sometimes inspiration for the coolest tricks comes from some otherwise novel things. Such seems to be the instance for this guy (https://paulbutler.org/2025/smuggling-arbitrary-data-through-an-emoji/), on which post he seems to have gotten inspiration from a comment about unicode's zero width joiner features and rabbit holed until he found a fun way to copy-paste-able emojis that are hiding data in them. To do this, as he explains, he basically took to the unicode format specifications and specifically around these and emojis. Long story short, he came up with something that gives this emoji (for instance):
You can also do the encoding on cyber chef as well (as seen in that picture and this next one). But it's a much more manual process.
If you go check the issues page on the github, you can see this has even more people making bash and python versions of the tool.
However what I wanted to mention today is that there are a number of legitimate reasons to conceal information inside things like this. While several malware families have adopted unicode secrets as a transfer mechanism (they've also used things like cat pictures, ai models, and docker container registries), people and modern governments don't seem to want to discuss apt reasons for these things. Things like victims of abuse, victims of oppressive governments, trade secret protection, and simply wanting to not be spied on. Lets take a look at how people hide data for each of these benefits.
Abuse
Victims of abuse are actually among the first to talk to me seeking out ways to communicate in secret. This is usually due to not having a manner to do so already planned for and being spied on, monitored, or harassed in ways that limit their exposure or ability to communicate without being reprimanded for it. Often part of romantic relationships, but sometimes family or work relationships too suffer this problem.
Oppressive governments
Government overreach into monitoring it's citizens has been a known problem for many many years across the world. Some countries monitor for things spoken against their regimes, some under the banner of "security", and yet others just expect companies doing business to provided unencrypted messages to the government on-demand because they have no clue how to handle technology. This leaves entire countries and sometimes their enemy countries, vulnerable to the whim of government agencies where its criminalized. An example of this, freenet (later i2p), and tor, were primarily housing russian speaking operators not because they're the cyber criminals, but because the russian government's oppressive control over private conversations.
Trade Secrets
Big business needs trade secrets as a means of safe guarding against someone else taking their work in it's entirety and claiming it for their own. To discuss these secrets, privately encrypted messaging has been the way to go for almost 40 years now. I'll speak more on this in a second.
People being people
How to help!
For starters, go buy people like this a coffee or something for finding secret ways to hide arbitrary data. Then, automate those ways and place them as an overlay for any and every public platform.
Now, y'all may not believe this, but there is long standing history of tor and i2p (typically associated with hacking and cyber criminals in the media) providing privacy in all of these realms. But lets assume people have access only to what is in front of them and/or public posts on social media. In such scenarios, particularly abusive scenarios either by relationship or government, providing ways to communicate is key to keeping yourself and your friends safe.
Encryption protocol layering
One such way, is to maintain keys (pgp, kyber, etc...) and ensure you have your public key exposed so when you write a message to your friends, they can know it came from your private key and that it's actually from you. You can overlay this on top of an end-to-end encrypted communication in the event the operators store or have a way of recovering either side's private keys. That end-to-end encryption can sometimes be done on top of tls encryption. You can add another along side it to function as a parody/smokescreen transmission just to hide further.
Hidden tunnels
By creating a channel using a series of arbitrary data structures inside abnormal data pools is a great way to hide your information. Doing this, as well as managing your own keys, would get past most events. So, lets give a scenario, you have a username that can contain unicode characters. You change this frequently anyway with various emojis. Then you find tools like this emoji encoder and decide you want your emoji to say something like πσ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ €σ σ ¦σ σ σ σ σ σ σ σ σ σ σ σ σ σ σ ©σ σ σ σ ₯σ £σ σ σ σ €σ σ £σ σ σ σ but you're afraid it'll be found. Luckily you have a smart bunch of friends. We're gonna do something like this:
echo "Someone help, i'm being held captive, be behind my house at 3 am" | gpg --encrypt --armor -r torvalds@kernel.org
gpg: 88BCE80F012F54CA: There is no assurance this key belongs to the named user
sub rsa2048/88BCE80F012F54CA 2011-09-20 Linus Torvalds <torvalds@kernel.org>
Primary key fingerprint: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
Subkey fingerprint: AEE4 16F7 DCCB 753B B3D5 609D 88BC E80F 012F 54CA
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
-----BEGIN PGP MESSAGE-----
hQEMA4i86A8BL1TKAQf+Oc1aOIjIqwgTfjJxZ65uRU5pvLSyF+g2OI47dADf8EQxlxZ6kDBarKCtQyPBIjP8MnsR4nPvamQ1d4ACfqT7QI++wIWGuND6aoJV2qfmH7aBIgY04W7uy3BpjgU+VGxsWI7l0tf3loaJ2lreL8diI3B+1BNQ41rN6417McWMf6MLdzsSRylQNTaxMrdu0z1IX6iE7aMKItSzTLh4bxRg0HLs5G6tTie2VgKJ8wqAPjfyR7OnN9NfZjmjtZK9L6rxEDrjsfdWyRkh3xcfjROALjXtaClM1oma74Q3/pT4HvlxYplpYQGM4BsX/e45Hx1bKHHRowPqQPpw5U+RxmBzH9J3AXRa2PSCUFQwcobVBfHIHMzD0c5xa8CJN0kLvro7Bg6qApUh4NSIwLazlBza/nu8MejenT6v5ggLZQPgrHAo4yRWvjASFSNXFW0MWA+SV3iA+1H+whs1Zj4MVR10CBiNYRBdBbHUGgbz4O30a9OtKY5bn+cAwUA==NsyJ
-----END PGP MESSAGE-----
Then we're going to take that message over here and encode it to a hidden unicode inside the emoji: πσ σ σ σ σ σ ²σ ΅σ ·σ Ήσ Ύσ σ σ ·σ σ σ ½σ ΅σ σ σ ±σ ·σ ΅σ σ σ σ σ ︊︊σ σ σ ΅σ ½σ ±σ €σ σ ¨σ ¦σ ±σ ¨σ ²σ Όσ ‘σ σ »σ ±σ σ σ σ Ώσ σ ‘σ σ Ώσ Ήσ σ Ήσ ‘σ §σ σ σ σ σ Ίσ ¨σ σ ¦σ ₯σ ₯σ σ σ ₯σ σ ¦σ Όσ σ ©σ Άσ σ σ ’σ Ώσ Ήσ €σ §σ σ ±σ ΄σ σ ¨σ ΅σ σ ¨︊σ σ ¨σ σ ¦σ σ ΄σ ²σ σ ’σ »σ ³σ €σ σ ©σ σ ²σ Ήσ σ σ ¨σ ½σ σ £σ σ €σ σ σ ¦σ σ σ σ ‘σ σ €σ ±σ ³σ σ ‘σ σ §σ σ Ήσ σ σ §σ Ήσ σ ·σ ₯σ Ύσ ΄σ ¦σ σ σ Ίσ σ ’σ ‘σ σ σ Έσ §σ σ ²︊σ Ήσ σ σ σ €σ σ §σ ₯σ ©σ £σ ²σ σ σ σ σ σ σ ·σ ¨σ £σ σ Ήσ §σ σ σ €σ σ £σ σ σ σ Ίσ ’σ σ ’σ σ Όσ ¨σ σ σ Ήσ £σ ²σ σ ‘σ ²σ Ύσ σ €σ ‘σ ’σ Ύσ ¦σ €σ ‘σ §σ ½σ σ σ ½σ σ ¦σ ½σ Ό︊σ σ ͺσ £σ σ σ ©σ σ σ Ύσ σ σ ¨σ ½σ ’σ σ ₯σ σ ͺσ ‘σ Ήσ σ ¦σ σ ΅σ §σ σ ½σ »σ Ήσ €σ σ ͺσ σ Όσ σ €σ σ ¨σ σ σ σ Έσ Όσ £σ ₯σ ·σ ¦σ €σ σ σ σ ’σ σ σ »σ Ίσ ¨σ §σ ‘σ ±σ σ σ σ ©︊σ σ §σ Ώσ σ Ύσ ©σ Ύσ σ σ σ σ σ €σ σ »σ ©σ Όσ ¦σ ’σ ¨σ ΅σ ΄σ ’σ σ £σ σ σ σ ©σ σ σ σ £σ ¨σ σ σ σ σ Ώσ ±σ Όσ σ σ €σ σ ³σ σ ½σ ‘σ σ σ σ §σ €σ σ £σ σ σ σ €σ Έσ ¦σ σ ¨︊σ σ σ σ σ σ σ ·σ ½σ €σ ²σ £σ σ σ σ €σ ₯σ Έσ ¨σ ‘σ σ »σ Έσ Έσ σ σ §σ σ ‘σ σ σ σ §σ ₯σ σ σ σ ¨σ σ ²σ ͺσ Έσ ©σ Ίσ £σ ±σ σ σ σ ’σ σ σ ³σ σ Άσ σ §σ σ σ σ σ ²σ σ Έσ Ή︊σ Έσ ½σ ͺσ ΄σ σ σ ₯σ ¨σ σ ¨σ ³σ Ίσ Ύσ σ σ Όσ ¦σ ’σ σ §σ ²σ σ ¦σ ‘σ ±σ σ σ σ €σ Ύσ σ Ήσ §σ Όσ σ ͺσ σ ²σ ͺσ σ σ σ ₯σ ¨σ ½σ σ σ σ σ σ ¦σ ¦σ ₯σ σ σ Όσ σ σ σ σ ’σ Έσ ±σ ︊σ €σ ©σ σ σ ¦σ σ ±σ σ Άσ σ Ύσ σ Άσ σ σ ½σ σ ±σ σ σ σ £σ σ ±σ σ ‘σ Έσ σ §σ σ £σ ‘σ σ σ €σ ½σ σ σ ‘σ σ ³σ ²σ σ Ύσ σ σ ²σ σ ²σ σ Έσ σ ·σ σ σ ͺσ €σ Ώσ £σ σ σ ©σ Ώσ €︊σ »σ σ ₯σ σ σ σ σ ±σ §σ σ ±σ ︊σ σ Ύσ £σ ©σ Ί︊σ σ σ σ σ σ ΅σ Ύσ ΄σ σ σ ·σ σ σ ½σ ΅σ σ σ ±σ ·σ ΅σ σ σ σ σ That emoji can then be placed on your x account, your facebook, your work slack profile, etc.. and only it's intended recipient(s) can handle it. You could even do this without anything fancy like gpg and manually encode messages using series of non-breaking spaces typed into a computer that can be decoded by someone who knows the series that you're going to use. You can use lexicon allusions to reference something without stating it. You can communicate with a dns server using the subdomains requested and the txt fields, you can use picture exif data, you can use arbitrary added strings at the end of an image file if the format doesn't have a required footer, you can use subtle changes in almost anything on any platform to be used as a transmission tunnel. These are called canales ocultos, or hidden channels.
Tool monitoring
- side channels, such as those introduced when transmission platform and encryption platform are ran in the same memory space. Another example, when sending messages to a phone via rcs can include html tags that can send your entire conversation, decrypted, to an attacker if they leverage the other party's authentication and therefor encryption keys against it
- controller validation, such as validating that your friends are still in control of the other end of the communication.
- ensuring no addition traffic is sent or the tunnel isn't exposing any extra, such as in the username changing scenario, accidently adding a link to where they can decode it (lol)
Encouraging others to encrypt unresponsibly
Many of the world's governments are encouraging companies to use "responsible" encryption by essentially controlling the keys to decrypt. By encouraging others evade that by doing these steps that protect everyone, you can forego the nonsense of every agency and company spying on your, by providing your own communication tunnel, even over otherwise spied on data.
Comments
Post a Comment