0P3N Blog Blog Post
Ready to Start Your Career?
Create Free Account
By: mawright
July 1, 2017

Printer Steganography

By: mawright
July 1, 2017
By: mawright
July 1, 2017
After a recent event of an NSA contractor being tracked down via hidden codes on a leaked document, I was interested in learning more about these tracking codes, and how they work. Back in the 90's, manufacturers of color laser printers came together with the government to implement a hidden tracking code within their printers. This was to help the government track counterfeiters. Think of it as a watermark on photos and important documents. Most color laser printers and copiers have this tracking code in place. In the event of the arrest of the NSA leaker, the documents she leaked had small grids of yellow dots printed repeatedly across the color page. This is nearly invisible to the naked eye. By using a magnifier or blue light, you can start to see the grid on these documents. This square grid is used in Xerox printers and other vendors but it is not a standard. Canon, for example, uses a different schema. If the yellow is low or out, these dots may not appear on the document.

Code Tracking Breakdown

This square grid has 14 7-bit bytes. All rows and columns, except for the top row, should have odd parity. This means that there should always be an odd number of yellow dots. If you read an even number, then it has been interpreted incorrectly. Let's look at the picture below, notice that all equal to an odd number.Now let us break down what each row and column mean. The columns indicate a section and the rows indicate a number from 0 to 127.Notice that row 1 and column 1 are for parity. This ensures the number of dots equal an odd amount. Columns 9 and 15 are unused and unknown. Also, note that column 3 and 4 are unused in the time section. Below is a more detailed description.Now add up all the binary from the original grid. We get the numbers below.These numbers are read from right to left. The serial number may or may not include column 14.
Printer Serial Number: 535218 (or 29535218)
Date: 5/9/17 
Time: 6:20
The time could be incorrect due to wrong time zone settings on the printer but you should be able to track where it was sold by the manufacturer.

Other Coding

Another interesting fact I came across while looking into printer code tracking was the EURion Constellation. This consists of 5 circles that could be yellow, green or orange. They follow the pattern below.This was implemented to prevent color copiers from reproducing counterfeit money. Usually, it is hidden within the design on the bill. Some software, such as Adobe PhotoShop, will recognize this pattern and refuse to open the file for editing. Let's look for example at a US $20 bill. Notice all the little "20s" to the right and left. Some of the zeros follow this EURion constellation. Take a look.I hope you enjoyed this article. I found this interesting and it's fun to dig deeper when these things come up in the news.

Do you like to write about your infosec knowledge, skills, opinions, or exploits?

Blog Icon

Publish your original research, tutorials, articles, or other written content on Cybray's blog to be seen by thousands of infosec readers daily!

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry