Let me rephrase what I think you are saying though. If an application is sending a constant data stream for some presumed legitimate purpose, there could potentially be a steganographic message or malicious device built within it, and it could be very hard to detect. I completely agree with this. If you didn't write the software yourself, you aren't going to know exactly what is going on. You can infer what it is doing with tools, but if it is designed well, you may never piece it all together.
Here's an example of a protocol that you could
never prove doesn't contain a hidden message, no matter if you knew the exact specification of the protocol and saw every byte transmitted between client and server.
A client connects to a server and sends a single integer. The server replies by generating that many bytes using a random number generator and sending those bytes to the client. This is a simple protocol that a client can use to fetch random numbers from some random number generator server.
Now, suppose the server and client are in cahoots and the server has a secret message to send to the client. When the client asks for
n bytes, the server takes the next
n bytes of the secret message, encrypts them with some pre-shared key (maybe based on a password that only the client and server know) and sends those bytes. Encrypted data is indistinguishable from random data, so anybody watching cannot prove that the data is
not random. The client, however, can decrypt the message.
No matter how long you sat in front of Wireshark and looked at packet dumps of this protocol, you would never be able to determine when the server was sending random data and when it was sending encrypted data.
Now imagine that you can embed this random number generation feature into some other protocol. For example, maybe your favorite VOIP program needs to fetch random numbers. Any protocol with this capability contains the ability to transmit hidden messages that
cannot be detected by anybody listening.
Facebook
Twitter