A little over a decade ago I wrote a piece for Forbes describing a method of protecting electronic communications from unauthorized access, through the hiding of message contents within photos and video files. At the time, I even created a contest – embedding an unencrypted Amazon gift card number within an image displayed on the Forbes website alongside my article; despite my having provided clues as to what was hidden, and in what image it was hidden, and despite a hundred thousand people or so reading the article since, nobody ever successfully extracted the gift card number, which I have now taken the liberty of using myself.
Since 2013, of course, there have been multiple efforts by governments to spy on users of digital communications and to force technology companies to provide access to the electronic communications of suspected criminals. While some messaging systems now offer end-to-end encryption that prevents the providers of such services from decrypting messages, metadata – including who communicated with whom and when and where – is still available to governments.
So, is there a way to truly protect communications from snooping?
Of course, no encryption method is perfect. But, one way to improve on the security offered by encryption is to literally hide the confidential information in plain sight using a technique known as steganography.
Steganography refers to the practice of hiding small amounts of data within large collections of other data in such a way that only authorized parties — in this case, the sender and the intended recipient of a message — know that the concealed material even exists within the larger dataset.
To read data protected through the use of steganography, a hacker (whether a government employee or other party) would need to first find the secret information — which, when steganography is properly utilized, is usually exceedingly difficult, if not practically impossible, to do.
Additionally, while a message that clearly contains encrypted data may arouse the curiosity of parties who intercept it, data hidden using steganography typically looks totally innocent, even when it is both hidden and encrypted.
Online, steganography can be easily achieved using pictures or video files; both are commonly shared online by billions of people, via various social media platforms and on websites, and, therefore, hardly appear suspicious.
How does steganography actually work?
Pictures typically use 24 or 32 bits of data to represent the color of each pixel (i.e., each pixel is represented by a series of 24 or 32 1s and 0s, which may be stored in a file directly as 24 of 32 digits or may be represented using alternate means that employ one or more of various compression algorithms). (Along with such information is various metadata, much of which should be removed prior to using steganography.)
To hide data within an image, a person (using an automated tool, of course) can store single bits of the confidential information one at a time in the least significant bits (“the ones column of the color’s number”) of certain pre-agreed upon pixels, modifying bits from 0 to 1 or vice versa if necessary. A sender and their intended recipient can share data while leaving the image visually unmodified as far as the human eye is concerned, since single-step color changes are far too small to be perceivable by people. Steganography engines can also modify other bits in surrounding areas of the picture in order to avoid detection by anti-steganography tools. In short, once data is hidden – it is extremely difficult to find by parties who do not know where it is.
In fact, various other techniques employed by steganography software can protect the data even further. Such methods include:
* Encrypting data before embedding it
* Selecting photos in which a significant percentage of the relevant bits are already set to the values needed
* Modifying extra non-information-containing bits
* Utilizing images of which no other copy exists online
* Including decoy images in communications – such as images with irrelevant data stored within them using steganography
So, have you ever tried using steganography?