Steganography in Tweets

Clever, but make sure to heed the caveats in the final two paragraphs.

Posted on May 12, 2014 at 4:04 PM • 17 Comments


AnuraMay 12, 2014 4:40 PM

This particular method just screams "FIGURE OUT WHY THIS MESSAGE LOOKS SO WEIRD!"

Steganography is a tool, and like any tool you need to realize its strengths and limitations. Steganography is useful when it's covert, and no one is expecting it. You also need to make sure that someone can't do a wide sweep to detect them. Take an image off the internet, set the least significant bit of every color of every pixel to your message, and you risk getting caught by someone with a tool that crawls and downloads all images it can find on the internet.

Take a large image, apply some filters, resize it, and then embed your message with an algorithm that modifies the message to appear more or less random, and it becomes very difficult to detect. Encrypting the data is ideal, but not always possible; a nonlinear function applied to all prior bits might be sufficient.

FoxtrotMay 12, 2014 7:38 PM

How To Make Steganography Undetectable

Suppose that you want to hide messages in digital photos. You can change the least significant bits of the file, without changing the image much. The problem is that the changes in the file can be detected. The least significant bits are not random, but when they are changed to an encrypted message, those bits now look random. The solution is simple, but it would be difficult to implement.

First, you need a program, a graphics program for working with photos, or a video editing program for working with video. The program must be free and very widely distributed. It must be competitive with other free or inexpensive software in the same genre, so that many people will use it.

But the program also would have a special feature. Every completed file would use steganography to embed either an encrypted pseudo-random number or an encrypted message in the file. This would be automatic for every file. The user could add a message, and the program would encrypt and embed the file. But if a user chooses not to do so, the program must embed an encrypted pseudo-random number that is indistinguishable from an encrypted message.

If the program was in wide enough use, it would not be suspicious if a small percentage of persons used it for steganography. And no amount of analysis would be able to tell if the file that is hidden in the least significant bits was an encrypted message or an encrypted random number.

WaelMay 12, 2014 8:58 PM

It's possible to combine steganography and cryptography, let's call it Crypto-steganography, to hide both the existence of the message and the meaning of the message. This will give the communicating parties a way out (repudiation). The purpose of Encryption is to make the message look like channel noise; the purpose of Steganography is to provide a reason for denial. Steganography also suffers from method sharing challenges, just like Cryptography has key management challenges. Maybe there are similar ways to exchange a key that acts as a SDF (Steganography Derivation Function). The SDF will use the key for hiding the message rather than hiding it's meaning. SDF is the input to a diffusion function that spreads the message in the "right places"... Without prior arrangements between the the sender and the receiver, it would be hard to communicate the "secret" or get assurances that the receiver understood this hidden message. I tried this with @ Clive Robinson previously. He got the message, but I wasn't sure if it reached him, and had to ask in the open...

Steganography is useful when it's covert, and no one is expecting it...
Seems you need more sleep...
Steganography: The science of hiding the existence of the message
Cryptography: The science of hiding the meaning of the message
If it's not covert, it's not steganography and if no one is expecting it, then why send it? :)
But the example given in the article is crude -- very crude. So your comment stands...

ThothMay 13, 2014 12:10 AM

If the message can be encrypted and then hidden (do not hide the keys in the message), it would improve security. During a security training course, we were taught to use some crypto-stenography tool that allows you to encrypt a message in RC4 and hide it in an image of your choosing. If that can be done to tweets, it would be useful. Considering that tweets are really small in size, using lightweight ciphers like Hummingbird 2, Speck (yes... it's NSA), KLEIN, LED, FeW (newly published onto IACR ePrint), TEA/XTEA, IDEA, KATAN and many other lightweight small ciphers, it would be very interesting how you can secure messages on a publicly viewable media.

Clive RobinsonMay 13, 2014 4:53 AM


If you think back to the end of the last century there was a lot of noise about Digital Rights Managment via a process called "Watermarking".

I would sugest you have a look at it because it was designed to hide short messages such as copyright and serial numbers in a picture or movie or sound track or other analog source with a low threashold of detection such that it could be removed or replaced.

Some of these systems worked in such a way that you could certainly hide a URL or crypto key in the natural analog noise of the source by using methods similar to Direct Sequence Spread Spectrum (DSSS) and other low probabiliry of intercept methods.

GweihirMay 13, 2014 9:31 AM

Low amateur level. Go via time, number of lines or words in the message (module a small number), etc. Not much bandwidth, but if done right, not detectable.

Ben RobinsonMay 13, 2014 10:59 AM

On my "things to try to build someday" list is a Twitter steganography method based on retweets.

You would post a tweet with a prearranged unusual characteristic, like a typo in a hashtag that you use often and normally spell correctly (a 1-bit steganographic message is easier to hide than the actual block of text).

After the start signal, the recipient watches for you to RT other people's tweets. One word in each RT is part of the message. Which word is pseudo-random (something like the character count of the previous tweet modulo a prearranged constant).

The end-of-message signal could be another 1-bit message embedded in an original tweet, or it could be RTing a tweet with a hashtag at the active word position.

Advantage? Nobody's looking for steganographic messages embedded in text that somebody else wrote.

Disadvantage? For you to find plausible tweets to retweet, the entire covert message will end up in your search history. Better hope the adversary doesn't have a network position between you and Twitter.

AnuraMay 13, 2014 12:03 PM

I wonder if steganography becomes more diffiult to detect if you are using pencil and paper rather than computers. For pencil and paper, one possible method for steganography would be to use lined paper and encode a message in binary where each letter represents a single binary digit: if the letter falls on or below the line, it's a 0, if it is entirely above the line, it's a 1.

name.withheld.for.obvious.reasonsMay 13, 2014 3:33 PM

@ Anura

For pencil and paper, one possible method for steganography would be to use lined paper and encode a message in binary where each letter represents a single binary digit: if the letter falls on or below the line, it's a 0, if it is entirely above the line, it's a 1.

Is that big or little endian--hope the encoding is UTF-8 compatible too?

AnuraMay 13, 2014 3:37 PM


Big Endian? What is this? Bizarro World?!

Richard HMay 14, 2014 5:19 AM

The use of "steganographic messages embedded in text that somebody else wrote"
dates back to 1605 if not before.

Eiji KawaguchiFebruary 26, 2015 7:12 PM

I myself is a steganography researcher in Japan. We invented a large data-hiding capacity steganography which was termed "BPCS-Steganography." The following Web site will lead you to a free program downloading page of this Steganography (for Windows).
We have been seeking geeks who can crack our steganography. But the fact is, noone dare to tray it, yet.

Dirk PraetFebruary 26, 2015 8:32 PM

@ Eiji Kawaguchi

Any chance of you also doing a Linux or OS/X version, Kawaguchi San?

Clive RobinsonOctober 14, 2016 4:31 AM

@ David Vassallo,

The original idea of using "to big to be blocked" sites for a Command and Control Channel can be found posted on this blog some years ago.

The idea I had was not just to use to big to be blocked sites but also as a way of breaking the back chain to the directing mind.

Thus the idea was to make command posts to any number of open blog or comment networks or news groups etc that got searched by the likes of Google etc. The zombies would thus run a search on the search engine for a key tag which would identify the command post.

The use of a "key tag" would be done in a way that would protect it from being filtered out. Such techniques can be developed from primatives described in the research work of John Young and Moti Yung.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.