
Digital Photocopiers Loaded With Secrets

skids writes 'File this under "no, really?" CBS news catches up with the fact that photocopiers, whether networked or not, tend to have a much longer memory these days. When they eventually get tossed, few companies bother to scrub them. Couple this with the tendency of older employees to consider hard-copy to be "secure," and your most protected secrets may be shipped directly to information resellers — no hacking required. "The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas — loaded with secrets on their way to unknown buyers in Argentina and Singapore."'
  • Why? (Score:5, Interesting)

    by kabloom ( 755503 ) on Tuesday April 20, 2010 @01:19PM (#31912662) Homepage

    Why did they start designing copy machines to have long term storage, and to keep a copy of everything ever copied?

  • Secrets (Score:5, Interesting)

    by Z34107 ( 925136 ) on Tuesday April 20, 2010 @01:24PM (#31912760)

    I'm not surprised - there are all sorts of nifty things mere "copiers" do. They can store documents forever, especially "secure" ones that you have to release with a PIN. They provide network services - some include (hackable!) FTP servers.

    HP's printers support SNMP, but usually in the most insecure method possible. One of the simpler things you can do (Google it, perhaps not using SNMP) is remotely change the LCD text and blink the status lights. I wrote a script that would make all the HP printers on campus flash an animated ASCII Kirby dance.

    Print servers are just that - servers. But, they look like copiers, so they get thrown out with secrets.

  • by xOneca ( 1271886 ) on Tuesday April 20, 2010 @01:33PM (#31912906) Homepage

    Your basic deskside all-in-one isn't much of a risk.

    You mean cheap all-in-ones are more secure than expensive ones? I wouldn't say that if it wasn't for this article...

    Seems one more thing to have in mind when buying a printer...

  • new feature idea... (Score:3, Interesting)

    by Stewie241 ( 1035724 ) on Tuesday April 20, 2010 @01:38PM (#31912994)

    Isn't there a spec for deleting data? Seems it would be a good selling feature and cheap to implement a system in the BIOS of all PCs and any device that has a hard drive a way to securely delete all data. This would make it much easier to get rid of old equipment without having to worry about what data is left.

  • by Anonymous Coward on Tuesday April 20, 2010 @01:44PM (#31913098)
    How long has it been taking you to improve the horrible UI?
  • Re:From the article (Score:3, Interesting)

    by Itninja ( 937614 ) on Tuesday April 20, 2010 @01:44PM (#31913110) Homepage
    Indeed. But even storage used by the machine would require some physical presence. Having torn these machines down to almost the bare frame on more than one occasion, if there's a hard drive in there, it's invisible. Maybe some flash memory on the board somewhere, but I doubt it could store more than the last 100 pages or so....
  • Digital Everything (Score:3, Interesting)

    by colmore ( 56499 ) on Tuesday April 20, 2010 @02:01PM (#31913384) Journal

    I'm starting to really think that we're making a mistake putting full-fledged computers in everything we build. They allow for an amazing array of features, but it makes fully understanding our machines much more difficult. Security problems like this one are inevitable.

    A dumb analog xerox machine is pretty easy to understand, and one that runs on a microcontroller and a few KB of ram (if that) isn't much harder. But who but the most dedicated hacker has any real idea about what is going on inside a modern Xerox. It *might* not have any undocumented "features," but you have no way of knowing. Security has gone from being a matter of applied common sense to involving a large amount of blind trust in these manufacturers.

    It's a symptom of a larger issue though. We're rapidly getting away from having a society where a well educated and technically minded person can understand the actual inner workings of the technology they interact with every day. The tradeoff might be worth it, I'm not a luddite. But we should remember that we are entering into a new kind of relationship with our machines,

  • true story (Score:5, Interesting)

    by cinnamon colbert ( 732724 ) on Tuesday April 20, 2010 @02:02PM (#31913386) Journal
    Many years ago, in the ages of DOS 4.0 and so forth, we had a Hewlett-Packard LaserJet, which we thought pretty slick, that connected with a huge fat parallel port cable. One day, I unplug the printer and hook it up to another PC, which, children, in those far off days was quite an adventure in drivers (this was before you could download drivers off the web.....almost prehistoric). While, I send some print jobs, say job1, job2.... to the printer, some of which print and some of which vanish, but, eventually, I get all the printouts I need and hook the LaserJet back to its original computer. A month or two later, printjob2 popped out of the printer. Since the software for this was not installed on the PC the printer was hooked up to, the job must have sat in the printer all that time (this is long before any "wireless" was available - it would be 2 or 3 years later that the marvel of 802.11A came along)
  • by IrishHammo ( 1784970 ) on Tuesday April 20, 2010 @02:05PM (#31913418)
    Even nicer, I remember a few years ago I needed to scan the work permit in my passport for HR. So I went to the photocopier, did a scan to storage, and from my desktop retrieved from the photocopier storage and emailed. Job done, I went to delete my passport from the photocopier storage. No dice, Windows admin rights required, and when I asked a Windows admin to delete it for me (and the other 8 confidential documents sitting there with full read access) I got a very blank look.
  • Re:Why? (Score:3, Interesting)

    by iamhassi ( 659463 ) on Tuesday April 20, 2010 @02:08PM (#31913462) Journal
    " Now, copying a variable number of pages, then erasing them immediately is extra wear and tear on the HD."

    Sure that makes sense, but why the long-term storage? Why does it store the copies from 6 months ago? Shouldn't it go through every week and wipe anything over a week old?

    Of course that's not perfect, there's still going to be that final week on there, but at least no one will be "downloading tens of thousands of documents" from a photocopy machine like they did.

    Also shouldn't the manufacturers be responsible for this somewhat? It's obvious when you save a document to a computer that the drive needs to be wiped, not so obvious when it's a copy machine. Shouldn't there be big warning labels and a "wipe all" button on the back somewhere? Sharp apparently offers a product to wipe copy machine hard drives.... for $500: [cbsnews.com]
    "One product from Sharp automatically erases an image from the hard drive. It costs $500. "

    WTF Sharp? You couldn't just put a button on the back that does a DoD wipe? [smartcomputing.com]
  • Re:From the article (Score:2, Interesting)

    by michaelwv ( 1371157 ) on Tuesday April 20, 2010 @02:08PM (#31913466)
    And I suppose that's really the distinction. If you asked people, "does the copier right now have a copy of that page you just copied?" they might not be surprised by that, but "does the copier right now have a copy of that page you copied last year?" they would be, and the difference comes down to how much storage and whether or not you have persistent storage.
  • by Anonymous Coward on Tuesday April 20, 2010 @02:30PM (#31913722)

    I got tons of confidential at my last company from having one of those fax/scanner/copiers dump the scans into a network folder that everyone had access to. We were a smallish startup, and at times I felt our CEO was being less than forthcoming about our financials and the potential customers we had lined up, and that network folder more or less confirmed that, among other things. I couldn't believe the stuff that people would just leave there for weeks and months, no one realized that "hey I can just go and read all this stuff, so everyone else must be able to as well!"

    I know it's a bit off the topic at hand here, but these devices can ruin the best laid security plans- our admin at that company was top notch, and it blew right by him as well.

  • by YttriumOxide ( 837412 ) <yttriumox AT gmail DOT com> on Tuesday April 20, 2010 @02:32PM (#31913748) Homepage Journal
    Sadly true... Well, true that I don't do the UI (our marketing guys don't either... we actually have a dedicated team for UI design, and they constantly make me cringe)
  • by FaxeTheCat ( 1394763 ) on Tuesday April 20, 2010 @02:49PM (#31913956)
    All the major manufacturers offer options that will delete/overwrite data from the internal hard drive after it has been output. They also offer encryption of all user data on the drives, so that the drive content cannot be read outside of the machine.

    As most of the machines in this class now run on Linux, adding that kind of feature should be pretty simple.
  • Re:Why? (Score:4, Interesting)

    by mlts ( 1038732 ) * on Tuesday April 20, 2010 @03:21PM (#31914314)

    Every HDD out there, as part of the ATA standard, supports a secure erase command. The utility HDDErase is one such tool which tells a drive to erase itself. And since this is done at the drive level, it is a lot faster than a dd if=/dev/zero of=/dev/sdwhatever because there is no data having to be moved through the drive's I/O channels, the drive head is just writing the zeroes itself. Some drives AES-256 all the contents automatically, and a secure wipe tells the drive just to drop the existing key it uses for encrypting/decrypting data, and generate another one. This is a lot faster because once the old key is erased and a new key is put in, the remaining data on the disk is useless.

    Another method is to do a file encryption method similar to how Windows Mobile post 6.0 stores encrypted files on a memory card: Generate a random 256 bit key for every item going on the HDD. Store the key to every file in the copier RAM (unless there is a reason to have persistent storage, then store it on some non-volatile memory that is easily erased.) Then when done with the copy and the data on disk isn't needed, drop the key from RAM (perhaps overwrite it in RAM a few times), and delete from the disk's filesystem. Since the encryption key only persists in volatile RAM for the lifetime of using the file, this method makes it almost impossible to recover data, unless someone is attacking the copier while it is live and in use (which then there are even bigger problems.)
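
The per-file key scheme described in the comment above, as an added example that is not part of the original thread or any vendor's firmware: each spooled job is encrypted under a random 256-bit key held only in memory, and finishing the job drops the key before unlinking the file. `SpoolStore`, `keystream_xor` and the job names are hypothetical, and an HMAC-SHA256 counter keystream stands in for AES-256 so that only the standard library is needed.

```python
import hashlib
import hmac
import os
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for AES-256 (assumption of this example); a real device
    would use an authenticated cipher such as AES-GCM.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class SpoolStore:
    """Hypothetical copier spool: ciphertext on disk, keys only in RAM."""

    def __init__(self, directory: str):
        self.directory = directory
        self._keys = {}  # job_id -> (key, nonce); never written to disk

    def _path(self, job_id: str) -> str:
        return os.path.join(self.directory, job_id + ".spool")

    def store(self, job_id: str, page_data: bytes) -> None:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[job_id] = (key, nonce)
        with open(self._path(job_id), "wb") as fh:
            fh.write(keystream_xor(key, nonce, page_data))

    def load(self, job_id: str) -> bytes:
        key, nonce = self._keys[job_id]  # KeyError once the job is finished
        with open(self._path(job_id), "rb") as fh:
            return keystream_xor(key, nonce, fh.read())

    def finish(self, job_id: str) -> bytes:
        """Drop the key, unlink the file; return what a disk scan could still find."""
        with open(self._path(job_id), "rb") as fh:
            leftover = fh.read()
        self._keys.pop(job_id, None)
        os.remove(self._path(job_id))
        return leftover
```

Python cannot zero an immutable `bytes` key in place, so the "overwrite it in RAM" step from the comment is only approximated here by dropping the reference; firmware written in C would clear the key buffer explicitly.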

  • by Anonymous Coward on Tuesday April 20, 2010 @04:12PM (#31914916)

    It's a fairly open secret that the US and other governments have strong-armed color copier vendors into including anti-counterfeiting and steganographic identification features. Specifically, color copiers can detect certain unique features [wikipedia.org] of currency, and will refuse to copy a document that has those features. Also, color printers put a virtually invisible unique pattern of tiny yellow dots [wikipedia.org] on every sheet they print, so that the sheet can be traced back to its owner.

    To what extent are those features visible and controllable by copier technicians?

  • Re:Why? (Score:3, Interesting)

    by Obfuscant ( 592200 ) on Tuesday April 20, 2010 @05:35PM (#31915964)
    That would be extra wear and tear, what's wrong with just overwriting data when the HD is full?

    I think we've pretty much covered "what's wrong" already. CBS did a story on it. We've been discussing it in this thread.

    So shredding the file you've just printed out is a little more wear and tear on the disk. These were LEASED copy machines that are under maintenance agreements. Charge $100 more per year for maintenance and replace the disk when it fails, and do the right thing by shredding data that isn't intended to be stored on disk long term.

    How about you, the customer (most likely a company), figure out what exactly you are buying before using the *blackbox* to handle your *sensitive information*.

    That's nice. How many copier companies report what file system they are using on the disk, the size of the disk, and that they are making essentially permanent digital copies of everything you copy or print?

    However, I do agree that it should be easy to wipe the HD, if it isn't that's some bullshit.

    The CBS story said that they used some open source file system forensic program to recover the data. This implies a standard file system of some sort, probably VFAT. It would not have required a true shredding operation to overwrite the data with zeros to prevent a simple forensic recovery of thousands of "deleted" files.

    If you want to store digital copies of forms on the copier, that's trivial for the copier maker to do. Create a directory of non-shredded files and store your copy there. If you need to enter a PIN to print a secure document, then the document should have been encrypted using that PIN to start with and not stored in the clear. And then once the document is printed, overwrite it.

    And for God's sake, if you want a long-term repository of electronic data, BUY A FREAKING DISK ARRAY where you can apply security rules so that people can and can't get to the data they are or aren't supposed to get to. Don't expect your freakin copy machine to be your file system or database server or Asterisk server. And if you do, don't let the damn thing roll out the door without pulling the freakin disk.

  • by Lennie ( 16154 ) on Tuesday April 20, 2010 @06:27PM (#31916506)

    I think what is happening is, the operating system of the printer (which I hear in some cases is Linux?) works like most operating systems when deleting a file. It just removes the directory entry. So the file-data is still on the disk, but it has no name or length, isn't connected to a directory and parts could be scattered all over the disk.
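
What the comment above describes, as an added example (not code from the thread or from any copier): a constructed toy file system in which a plain delete only drops the directory entry, so a signature scan of the raw blocks still returns the document, while zeroing the blocks before releasing them leaves nothing to find. `ToyDisk` and `carve` are hypothetical names and the sample scan used with them is constructed.

```python
BLOCK = 512  # bytes per block in this toy model


class ToyDisk:
    """Constructed model: a raw block array plus a directory table."""

    def __init__(self, blocks: int = 64):
        self.raw = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))
        self.directory = {}  # name -> (block numbers, length)

    def write(self, name: str, data: bytes) -> None:
        used = []
        for offset in range(0, len(data), BLOCK):
            n = self.free.pop(0)
            chunk = data[offset:offset + BLOCK]
            self.raw[n * BLOCK:n * BLOCK + len(chunk)] = chunk
            used.append(n)
        self.directory[name] = (used, len(data))

    def delete(self, name: str, overwrite: bool = False) -> None:
        """Plain delete forgets the entry; overwrite=True zeroes the blocks first."""
        used, _length = self.directory.pop(name)
        if overwrite:
            for n in used:
                self.raw[n * BLOCK:(n + 1) * BLOCK] = bytes(BLOCK)
        self.free.extend(used)  # blocks are reusable, contents untouched


def carve(raw: bytes, header: bytes = b"%PDF-", footer: bytes = b"%%EOF"):
    """Recover documents from raw blocks by file signature, ignoring the directory."""
    found = []
    start = raw.find(header)
    while start != -1:
        end = raw.find(footer, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        start = raw.find(header, end + len(footer))
    return found
```

On flash media and on journaling or copy-on-write file systems an in-place overwrite may not land on the original blocks, which is why the drive-level secure erase mentioned earlier in the thread is the safer control at disposal time.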
