Digital Photocopiers Loaded With Secrets

skids writes 'File this under "no, really?" CBS news catches up with the fact that photocopiers, whether networked or not, tend to have a much longer memory these days. When they eventually get tossed, few companies bother to scrub them. Couple this with the tendency of older employees to consider hard-copy to be "secure," and your most protected secrets may be shipped directly to information resellers — no hacking required. "The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas — loaded with secrets on their way to unknown buyers in Argentina and Singapore."'

Re:Thats supposed to be obvious?

[fuzzyfuzzyfungus]

It depends on the calibre of the device. Your basic deskside all-in-one isn't much of a risk. The real cheap seats might only have enough onboard storage to show up on the USB bus and have their firmware blob dumped to them by the driver.

Many of the nicer models, though, have an internal HDD, often with a webserver, to support use cases like "scan, retrieve document through web interface" or "receive and store faxes without printing them all". Those are the ones you have to watch out for.

Given that most printer manufacturers can't seem to design UIs that aren't exercises in pain, it may or may not be obvious based on using the device how much storing it is doing.

Re:Thats supposed to be obvious?

[YttriumOxide]

I never would have guessed the copy stayed in memory on the device.
When I copy, scan to email or, scan to file it doesn't give me the option to 'scan again without reinserting original'... or does that imply the ones we have don't have this 'feature'?

Generally it doesn't. Many devices have the ability to store at the same time as copy, however it's a feature you generally have to explicitly choose (unless enabled as a security mechanism by the device administrator). Some devices also have the option to keep the last job in memory (however not permanent storage such as HDD) in order for a "fast reprint" or "fast resend", but it's not a common feature, so I wouldn't be too surprised that the ones you're using don't have it.

A far more pressing concern than memory is the permanent storage. Most devices these days have an HDD that will store data for various purposes. Actual images of copy/print/scan jobs are only rarely stored, and usually only when explicitly set to do so (as above), however user data information in the form of job logs, counter information, credit information (for embedded accounting applications) and so on can be quite a concern. Most decent devices will however have a "secure erase" feature to be used by the administrator before disposing of the device, and often also an option whereby data going through HDD and RAM is encrypted on the way in/out (except of course actual operating code - but that doesn't contain YOUR sensitive data, only the manufacturers...).

To all: Feel free to ask for clarification on anything copier/MFP related... writing code for these things is my day job. Many things in the article are half-truths and some are just flat out wrong.

Re:Thats supposed to be obvious?

[Em Emalb]

that and a lot of them these days have email capabilities (scan and email) so you get the directory full of usernames and email addresses. We actually barely remembered in time to do this when we shipped back a bunch of dell all in ones after their lease was up.

Re:Why?

[SoTerrified]

Why did they start designing copy machines to have long term storage, and to keep a copy of everything ever copied?

In the old days, if you wanted 5 copies of a sheet of paper, the scanner would scan 5 times. Then someone thought "Hey, what if we could save the scanned image?" So you could scan once, and print out 5 copies. The easiest method is just to toss in a hard drive, and store the copies on there. Now, copying a variable number of pages, then erasing them immediately is extra wear and tear on the HD. You can get a longer drive life by distribute the data all over the HD so it's easily written, then only overwrite when the entire HD was full.

Pretty simple, really. The only downside is that the HD inside contains the last items scanned, up to the memory of the device. (So while it doesn't keep a copy of "everything ever copied", it could easily be the last several thousand items copied.)

Re:No one will bother

[logjon]

It's really not. Command line OCR is a reality, and anything with a command line interface makes for easy scripting.

Re:No one will bother

[logjon]

It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan - downloading tens of thousands of documents in less than 12 hours. rtfa

A helpful guide

[Anonymous Coward]

Unless they find a way to make the text searcheable

http://en.wikipedia.org/wiki/Tesseract_%28software%29 [wikipedia.org] and it is open source, too

and just search for "social security number" or "credit card number" and look at what's written right next to it.

http://en.wikipedia.org/wiki/Grep [wikipedia.org] is probably familiar. Can be used with regular expressions too.

And while I don't know how to do that personally

Now you do.

it seems like the type of thing that would take about 10 minutes to figure out and then another 10 minutes to actually do.

I bet it wouldn't have taken you that long to figure out.

Re:Other Copier Security Risks

[YttriumOxide]

Yes, both of those are pretty much "open secrets". Here's some details:

color copiers can detect certain unique features of currency, and will refuse to copy a document that has those features.

The currency detection routines are pretty much hardcoded in the image processing ASICs are NOT a part of the copier firmware that gets flashed in a routine firmware upgrade. This means that in general it's not easily updated for new currencies (although can be in some cases where image processing boards are physically replaced). It also means it's incredibly hard to bypass and extraordinarily annoying when it misdetects something.
Most devices will block out ALL further output if a certain number of detections are made in a row. This however is generally just a flag in the nonvolatile RAM which a service technician can then clear from the device's service mode. The legal proceedings for doing so differ by country (in most of Europe for example, there's no specific law, and the techs just do it as a matter of course without any special procedures. In Australia, they're required to contact their head office who will then contact the appropriate government agency before the technician may clear that bit. I don't know about the US though sorry.).
In some poorly designed devices, you can work around the currency detection by bypassing the image processing. This would be done by getting data in to the MFP in the raw raster format that the MFP uses (essentially the format that print/scan/copy jobs are processed as internally before being output on paper or as a scan job) and then getting the MFP to print that directly. The exact method would vary by MFP, but if the MFP has a "box" function where data is stored in user specific folders on the MFP's HDD, then copying the raster data in there would probably do the trick for many device types. I can say from my own work that this will NOT work on all devices though as the devices I work with don't allow raster data to be printed directly from any storage source - all user data on the HDD must be either "image" (PNG, JPG, TIFF, etc) or print data (PCL, PS, PDF, XPS, etc) format, or it will be ignored and deleted during the internal security processing of the firmware (and data coming in from external won't even make it to image processing if it doesn't match a valid type).

color printers put a virtually invisible unique pattern of tiny yellow dots on every sheet they print, so that the sheet can be traced back to its owner.

The yellow dots will match to the manufacturer, model and serial number. It's up to the local laws of the country to determine if the government has the right to request the manufacturer to store and divulge that information. It's also worth noting that in many models (almost every model from every manufacturer, but not ALL) the serial number is electronically entered during the MFP's "run up" (initial factory setup) and so CAN be altered in the case of someone wanting to avoid being tracked simply by clearing the nonvolatile RAM (making it believe it's "factory fresh" again) and then following the service procedures for running the device up. The process is basically impossible to know without the appropriate documentation though, as it's deliberately esoteric and weird (things such as "enter the date, then the serial number, then go back to the date screen, then press OK, otherwise it won't accept the serial number" (note: not a real example)) as a kind of security through obscurity on top of the requisite knowledge to do this sort of thing. A copier technician under normal circumstances doesn't get told about the yellow dots, although we don't really keep it secret from them - just don't specifically tell them. So, I'd say most of them do know about them, but don't know the finer details such as that the electronic serial number is a part of it... If they did know this, then yes, they most certainly COULD take any MFP they know how to service and change the serial nu

Re:Thats supposed to be obvious?

[Anonymous Coward]

The HDD is used when copying after the machine runs out of imaging RAM. 1GB is a usual amount for new machines, so for black text you have to scan quite a few pages before the machine starts to save images on the HDD. When printing and scanning everything usually goes trough the HDD.

Newer machines have encrypted file systems with keys stored in hardware, so removing the disk from the machine won't get you anywhere by itself. One product I've been serving even renders the software on the disk useless on the first boot if put in another machine by the same type.

Speaking from my own experience, private companies rarely cares about security, but state (esp. military) customers are always aware of the risks involved, and removes HDDs from any machine leaving their premises.

I've been a technician on MFPs and copiers for 12 years serving products from Xerox, HP, Lexmark, OKI and Canon. To me it seems focus on data security have been improved somewhat the last few years, parent can probably elaborate on that.

Re:Why?

[YttriumOxide]

Agreed, and in reality this is how it's done. Adding the HDD is NOT for storing temp copies of current job data - RAM is used for that. The HDD is used when RAM is full (essentially, swap), and for anything DESIGNATED as being longer term storage.