S400 Scanner Modified For Finding Hidden Watermarks

Computer hardware is by and large compromised out of the box. Whether it’s sloppy factory code, or government-installed backdoors, it’s difficult to trust anything. A great example is that of color laser printers, the vast majority of which place hidden watermarks on printed pages. It’s a somewhat forgotten issue these days, but back in 2005, [bunnie] set out to modify a scanner to help better image and investigate these watermarks.

The watermarks in question have been investigated by the EFF, and often, but not always, consist of tiny yellow dots printed on the page. They can store data such as the name of the computer that printed the document, as well as the serial number and model of the printer used. With this functionality baked into the firmware, all prints made on such a printer are compromised.

The easiest way to see these watermarks is with blue light, which is reflected by the white paper, but causes yellow dots to show up as dark spots. To make scanning affected documents quick and easy, [bunnie] whipped up a linear LED light array, installing it in a spare slot in his scanner’s light assembly, next to the stock white CCFL. Usage is a little more complex, with the scanner’s automatic calibration getting confused if the blue LEDs are left on at the start of a scan. Instead, the LEDs must be turned off initially, and then powered up once the calibration is complete.

Results are good, with the tiny dots made much clearer in the test scans [bunnie] performed. Unfortunately, the watermarking technology has moved on, and it’s likely that modern printers use a variety of techniques that are even harder to detect. By and large, ransom notes are best made the old fashioned way – by cutting up some old magazines.

31 thoughts on “S400 Scanner Modified For Finding Hidden Watermarks

    1. I am guy guessing that bunnie scanned in grayscale mode or had a grayscale scanner and grayscale tends to use green light and not white light to illuminate the page.
      A blue filter might then absorbe too much green light to make it work.

  1. >> “By and large, ransom notes are best made the old fashioned way – by cutting up some old magazines.”

    What are these, “magazines” you speak of? Were they a form of ancient communication?

      1. But where will you buy an old printer with a Selectric “Golf Ball” print head (or a dot matrix print head) to make those “old printouts”, it is not like you can buy old printouts. The purchase of a 40 year old printer will leave some kind of trail.

        I think he meant to say “by cutting up old typewritten pages”

        All modern printers pretty much print their make, model and serial number on every single page.

      1. At this point it’s probably cheaper to buy a label maker on craigslist, write your note and then sell it on the craigslist (if you want to sell it at all – I doubt there is any watermarking in label maker prints).

      1. Melt a hole and drain all the toner from all color cartridge. (do it outside with high quality mask, those toner could cause you to spit up rainbow phlegm!)

        No more hidden marks!

  2. Fun factoid – Xerox brand color copiers(others as well) can recognize US money (not sure about other countries) and will in some cases either refuse to copy or lockdown and present an error when someone tries to copy currency. So if your into denial of service just try to copy some $20 or $100 bills on a color Xerox. Likewise I have seen errors trying to scan money using Fujitsu ScanSanp’s – this has to deal with something similar to this article as there are hidden marks in some negotiable instruments that cause the firmware to lockout the scan/copy.

    Now for some fun, just put that pattern in paper work you give others :)

      1. That would only stop petty criminals, which is a good thing as they are the most common, but anyone with half a brain would realise that if the registration on a printer is good enough that they can double print a page so that there is no complete and detectable watermark on any single printing pass. Same applies to scanners, you scan twice with alternating parts of the note removed. Meanwhile things have moved on and money is made of plastic or not even physical at all in most transactions.

        1. We tried. (And caused lots of questions on company front desk, where the copying machine was :)).
          All in all – one half scans okay, another does not, even when folded. USD and Euro are both protected, russian roubles were not.

  3. I worked for a company making casino games and one of the electronic card dispensers used a constellation of tiny yellow dots to identify and authenticate cards. It was the only one that worked reliably no matter how fast any of drew us the cards.

  4. Heh, such a simple hack, and you can probably defeat the scheme by having a lot of random yellow dots of your own in the background of whatever you are printing. Would be interesting to see what the noise tolerance of their encoding was. As for “ransom notes” nah, they simply needed a way to catch money counterfeiters and identity document forgers etc.

  5. hack a CIS style scanner instead, these are relatively cheap and already have blue LEDs as part of the mechanism, or just use it straight up (ahem) as they are designed to do specifically these type of things quite often.
    Reference A(eh) https://compo.canon/en/product/cis/
    and https://compo.canon/en/product/cis/download/catalog.html
    that’s likely one of many. Looks as if they often use a white LED (Cannon?)
    http://www.mitsubishielectric.com/bu/contact_image/cis/index.html
    also http://www.csensor.com/cis_modules.htm
    Just a “how can this be done differently” thing. As most USB based scanners
    1 USE a CIS imaging element
    2 Have flash memory installed in the controller board
    3 Use a standard processor
    Just hacking a scanner to do this might not be as difficult as (the above). However it may not be possible to use the accompanying software (for the scanner) as you just wiped it out. Copying the original FW is unlikely (as most companies lock processor specific JTAG memory read operations and only the erase command will undo that).

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.