Using a hard to read font does not mean the message is safe

07. July 2013 Security 1

Nope
There are people out there who believe a font like the one I used in the above image can be used to encrypt messages and keep their contents hidden from the NSA or whoever they are meant to be hidden from. This is not a correct assumption. If you rely on techniques like this to secure your messages, please stop. I’ll explain.

Here are two text documents with a simple ‘abcdefg’ in them. One uses Helvetica, the other uses a mix of ZXX.
samples
While the ZXX sample is harder for us to read, it is still very doable. Our brains are smart enough to read between the garble and put it all together in a way that forms words that make sense; we just have to read a little bit slower. The ZXX sample may confuse a machine, though, if it is in a picture. A machine will only see ‘sample.jpg’ (the name of the image above), and even if a type of font recognition is used, it may fail. If the image is somehow flagged, a human will open it and read its contents.
If the ZXX font is used in an email or in a text document attached to an email, unfortunately the font you use won’t make any difference. The text may look completely different, but the underlying code is the same. Open up any text file in a hex editor and you will see that a=61, b=62, c=63, etc. It would be far easier for a machine to just focus on the code that makes up a document rather than trying to figure out what kind of font is used.

‘abcdefg’ using Helvetica
‘abcdefg’ using ZXX

A machine will see “4E 69 63 65 20 74 72 79 20 62 75 74 20 69 20 77 61 73 20 61 62 6C 65 20 74 6F 20 72 65 61 64 20 74 68 69 73 2E”, which translates back to “Nice try but i was able to read this.”, even though I used hard-to-read fonts, mixed different fonts, made some letters 1pt small and white, etc. It doesn’t matter.
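What a machine reads when that sentence is stored with mixed fonts and a 1pt white letter, as an added example that is not part of the original post. The two HTML samples are constructed and the function names are hypothetical; only the hex string is taken from the post.

```python
from html.parser import HTMLParser

# Hex string exactly as quoted in the post.
PAGE_HEX = ("4E 69 63 65 20 74 72 79 20 62 75 74 20 69 20 77 61 73 20 61 62 "
            "6C 65 20 74 6F 20 72 65 61 64 20 74 68 69 73 2E")

# Constructed sample: the same sentence with mixed fonts and one letter set
# to 1pt white, as an HTML mail client might store it.
STYLED_HTML = (
    '<p><span style="font-family:ZXX">Nice try </span>'
    '<span style="font-family:Helvetica">but </span>'
    '<span style="font-size:1pt;color:#ffffff">i</span>'
    '<span style="font-family:ZXX;font-size:18pt"> was able to </span>'
    '<span style="font-family:Helvetica">read this.</span></p>'
)
# Constructed sample: the sentence with no styling at all.
PLAIN_HTML = "<p>Nice try but i was able to read this.</p>"


class TextOnly(HTMLParser):
    """Keeps character data; tags and style attributes are never looked at."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def extract_text(html):
    """Return the text a scanner reads from an HTML body."""
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return "".join(parser.chunks)


def hex_view(text):
    """Space-separated upper-case hex of the UTF-8 bytes, as a hex editor shows."""
    return " ".join(f"{b:02X}" for b in text.encode("utf-8"))


if __name__ == "__main__":
    for name, doc in (("styled", STYLED_HTML), ("plain", PLAIN_HTML)):
        print(name, hex_view(extract_text(doc)))
    print(bytes.fromhex(PAGE_HEX).decode("ascii"))
```

Both samples print the same byte sequence, because font, size and colour live in the markup and never touch the character codes.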

In the case of a font like this being used in an image, all the administrator of a system has to do is make the system aware of the font that is being used. Once the machine knows that the letter ‘a’ can look like this, this and that, it will read the text from your image in a split second. This is called Optical Character Recognition (OCR). The creator of the ZXX font has put a lot of work into its creation for the purpose of disrupting OCR systems, and while it may fool some consumer products, I highly doubt it will cause an issue for government-style machines. Even if it has gone undetected in the past or is currently going undetected, it really won’t be for long.

So, use fonts like this to make a statement, or use them because they look cool and different, but don’t use them because you think they secure your message in any way.

Feedback and comments welcome.


1 thought on “Using a hard to read font does not mean the message is safe”

  • Bena on October 16, 2013

    A better and even simpler way to hide a message is to write it in handwriting on a piece of paper, scan it and send the pdf. Of course, the message could be read by someone who intercepted it, but it would take a human being to carry out the task, and the NSA has a budget. I doubt whether it could be machine read.

    So unless you are a high profile target, what you have written won’t be in a database in any kind of meaningful form. And if you (or your recipient) can’t or won’t encrypt, it’s probably second best.
