Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Copy Machines - Changing Scanned Content SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Copy Machines - Changing Scanned Content

One of our readers, Tomo dropped us a note in order to assist getting the word out on this one as this issue has a potential to be very far reaching into the fields of military, medical and construction to only name a few where lives could be impacted.  

It appears there is a possibly long standing issue where copy machines are using software for some scanning features.  These features are using a standard compression called JBIG2, which is discovered to have some faults that change the original documents.  

Xerox has released two statements to date. If you are interested  in the latest info, jump to link two. [1] [2]

There is plenty of reading on this issue.  I wanted to get something out to you as soon as possible.   A very good analysis was produced by David Kriesel. [3]   He has been very good at updating that page with consist and relevent links.  A job well done by David.

David also provides very good analysis of the feature that is causing the issue with the Xerox Workcentre devices. Those are the devices in his deploy.  He cites model numbers in every post and even a work around for those affected by the issue. [4]    It  has also been discovered that since JBIG2 is a standard compression software, that other copy machine manufacturers are likely affected. [5]  

Please take this discussion to the forum and share any facts that you can.  



ISC Handler

Kevin Shortt

85 Posts
ISC Handler
Aug 9th 2013
I read about this the other day on the full disclosure list. I am wondering if it goes beyond just copying to other scanning operations, such as scan to a file in pdf format. I use a cute little portable scanner with my laptop that comes with software to produce a pdf file that is OCR processed so that it is searchable, copyable with the mouse, etc. I am wondering if the pdf software to post-process these scans also used JBIG2, an hence could also be vulnerable. Perhaps we are only seeing the tip of the iceberg right now. Perhaps any image to pdf conversion that uses JBIG2 could be vulnerable. Just a [nasty] thought...

133 Posts
I believe most OCR implementations use TIFF format. It is still a possibility for JBIG2 to be utilized with OCR. JBIG2 seems to be designed for high speed copying. Non-OCR scanning may use it as well. I began looking at documents I previously scanned for "8" or "6" swapping. I leave OCR on for most scanning and I know the images are TIFF encoded by my scanner.
G.Scott H.

48 Posts

Sign Up for Free or Log In to start participating in the conversation!