Should you use steganography to hide your communications?

Image of a boy hiding behind him hands - Destination Certification

Steganography is a field of study and practice that involves hiding the existence of communications. With steganography, you aren’t just hiding what was said—you’re hiding that any communication is taking place at all. We can easily use encryption to hide the details of our communications, but anyone observing the communication channel can tell that encrypted data is flowing between the parties. We can use various steganographic techniques when we want to hide this data flow from adversaries.

Steganography conjures up a world of spies and international intrigue: invisible inks, microdots hiding messages in tiny print, and much more. These days the digital realm presents us with many more opportunities. We can hide communications in pictures, audio and video through a range of different techniques. When steganography is done effectively, this media containing hidden messages will appear just like any other normal picture of video. The average observer will have no clue that it contains hidden communications.

There are specialist tools that can help to detect when steganography is being used. However, due to the large volumes of data flowing in and out of an organization and the many different techniques that can be used to hide data, it is incredibly difficult to detect all communications hidden by steganography.

It’s important to note that steganography is considered security through obscurity when used by itself. However, this can be mitigated by encrypting data prior to hiding it.

When should you use steganography?

Before you consider using steganography, you need to analyze your threat model: Are there potential adversaries who may be able to see the communication taking place? Is it strictly necessary that these adversaries are unable to detect the communication taking place?

As an example of when you might want to use steganography, let’s say you’re a criminal arranging a hit on a rival gang leader. You could just use WhatsApp to talk to the hitman. The contents of the conversation would be encrypted, so even if WhatsApp turns over all of the data to the authorities, the police won’t know what you discussed. However, WhatsApp does collect metadata, including which parties are communicating and when. If the authorities know that you were talking to the hitman just prior to the murder taking place, it’s possible that they could link you to it.

In this scenario, steganography is one option that could help you—you don’t want the authorities to suspect that you and the hitman are discussing murder for hire. If you and the hitman had previously shared a secret key, you could hide an encrypted message as part of a family photo and send it to the hitman via email. Even if the authorities had access to the email, they may not detect the secret communication taking place, making it much harder to link you to the hit—it’s just a family photo after all.

Steganography concerns at the enterprise level

As a cybersecurity professional, we hope that you won’t be ordering any hits in the near future. But there are a few aspects of steganography that you should be wary of. One is that insider threats may use it to hide data exfiltration. In 2018, a man was charged for stealing trade secrets from General Electric. He hid data in an innocent looking picture of a sunset and then emailed it out of the organization. Another major threat comes from attackers using steganography to hide malware in seemingly innocent files. This can help them bypass security tools that would have otherwise picked up the malicious code.

Image of the author

Cybersecurity and privacy writer.

Would you like to receive the DestCert Weekly via email?

Your information will remain 100% private. Unsubscribe with 1 click.

Page [tcb_pagination_current_page] of [tcb_pagination_total_pages]