Digital Photocopiers Loaded With Secrets

skids writes 'File this under "no, really?" CBS news catches up with the fact that photocopiers, whether networked or not, tend to have a much longer memory these days. When they eventually get tossed, few companies bother to scrub them. Couple this with the tendency of older employees to consider hard-copy to be "secure," and your most protected secrets may be shipped directly to information resellers — no hacking required. "The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas — loaded with secrets on their way to unknown buyers in Argentina and Singapore."'

No problem

[eln]

I always take care to disguise my ass before photocopying it. You can never be too careful these days.

Re:No problem

[Darkman,+Walkin+Dude]

If you get the moustache just right you can do a passable Mr Potato Head.

Re:No problem

[Monkeedude1212]

I somehow knew this topic would be the butt of every joke.

Re:No problem

[Scarletdown]

I always take care to disguise my ass before photocopying it.

Well in my day...

"People wrote books and movies, movies that had stories so you cared whose ass it was and why it was farting. And I believe that time can come again!"

Re:No problem

[KC7JHO]

Ya, just imagine if the oil companies ever get wind of it ....

Re:No problem

[Abstrackt]

I somehow knew this topic would be the butt of every joke.

Only the cheeky ones.

Re:No problem

[Hoi+Polloi]

It was your butt? That explains why one image filled the whole copier hard drive.

Thats supposed to be obvious?

[EricX2]

I never would have guessed the copy stayed in memory on the device. When I copy, scan to email or, scan to file it doesn't give me the option to 'scan again without reinserting original'... or does that imply the ones we have don't have this 'feature'?

Re:Thats supposed to be obvious?

[fuzzyfuzzyfungus]

It depends on the calibre of the device. Your basic deskside all-in-one isn't much of a risk. The real cheap seats might only have enough onboard storage to show up on the USB bus and have their firmware blob dumped to them by the driver.

Many of the nicer models, though, have an internal HDD, often with a webserver, to support use cases like "scan, retrieve document through web interface" or "receive and store faxes without printing them all". Those are the ones you have to watch out for.

Given that most printer manufacturers can't seem to design UIs that aren't exercises in pain, it may or may not be obvious based on using the device how much storing it is doing.

Re:Thats supposed to be obvious?

[YttriumOxide]

I never would have guessed the copy stayed in memory on the device.
When I copy, scan to email or, scan to file it doesn't give me the option to 'scan again without reinserting original'... or does that imply the ones we have don't have this 'feature'?

Generally it doesn't. Many devices have the ability to store at the same time as copy, however it's a feature you generally have to explicitly choose (unless enabled as a security mechanism by the device administrator). Some devices also have the option to keep the last job in memory (however not permanent storage such as HDD) in order for a "fast reprint" or "fast resend", but it's not a common feature, so I wouldn't be too surprised that the ones you're using don't have it.

A far more pressing concern than memory is the permanent storage. Most devices these days have an HDD that will store data for various purposes. Actual images of copy/print/scan jobs are only rarely stored, and usually only when explicitly set to do so (as above), however user data information in the form of job logs, counter information, credit information (for embedded accounting applications) and so on can be quite a concern. Most decent devices will however have a "secure erase" feature to be used by the administrator before disposing of the device, and often also an option whereby data going through HDD and RAM is encrypted on the way in/out (except of course actual operating code - but that doesn't contain YOUR sensitive data, only the manufacturers...).

To all: Feel free to ask for clarification on anything copier/MFP related... writing code for these things is my day job. Many things in the article are half-truths and some are just flat out wrong.

Re:Thats supposed to be obvious?

[Em+Emalb]

that and a lot of them these days have email capabilities (scan and email) so you get the directory full of usernames and email addresses. We actually barely remembered in time to do this when we shipped back a bunch of dell all in ones after their lease was up.

Re:Thats supposed to be obvious?

[xOneca]

Your basic deskside all-in-one isn't much of a risk.

You mean cheap all-in-one are more secure than expensive ones? I wouldn't say that if it wasn't for this article...

Seems one more thing to have in mind when buying a printer...

Re:Thats supposed to be obvious?

[Jaysyn]

Security thru lack of features, maybe.

Re:Thats supposed to be obvious?

[interkin3tic]

It's supposed to be obvious when your giant MFP has a goddamn HARD DRIVE in it, and I've seen many that do.

See, I don't even know what an MFP is, so whether or not mine has a hard drive in it is really not obvious to me or my coworkers at the buffalo police office sex crimes division.

(For those of you who didn't RTFA, the "buffalo police office sex crimes division" was a humorous reference to the article. You missed out on that very funny joke. That'll learn you to not RTFA.)

Re:Thats supposed to be obvious?

[drooling-dog]

Well, the original submission says,

Coupled with the tendency of older employees to consider hard-copy to be "secure"...

...so it looks like this is only a problem for the geezers; after all, digital photocopiers are like magic to them. There's virtually no chance that any of the savvy young hipsters in your organization could fail to be aware of this threat.

Re:Thats supposed to be obvious?

[YttriumOxide]

Sadly true... Well, true that I don't do the UI (our marketing guys don't either... we actually have a dedicated team for UI design, and they constantly make me cringe)

Re:Thats supposed to be obvious?

[wjousts]

In the same way that a wall is more secure than a door. It has less features to start with.

Re:Thats supposed to be obvious?

[Lennie]

I think what is happening is, the operating system of the printer (which I hear in some cases is Linux ?) works like most operating systems when deleting a file. It just removes the directory entry. So the file-data is still on the disk, but it has no name or length, isn't connected to a directory and parts could be scattered all over the disk.

S/N

[paiute]

If they are anything like our photocopiers, the criminals will have to wade through a sea of lolcats and fail posters to get to any actual business information.

Re:S/N

[interkin3tic]

the criminals will have to wade through a sea of lolcats and fail posters to get to any actual business information

Unless they find a way to make the text searcheable and just search for "social security number" or "credit card number" and look at what's written right next to it. And while I don't know how to do that personally, it seems like the type of thing that would take about 10 minutes to figure out and then another 10 minutes to actually do.

Why?

[kabloom]

Why did they start designing copy machines to have long term storage, and to keep a copy of everything ever copied?

Re:Why?

[SoTerrified]

Why did they start designing copy machines to have long term storage, and to keep a copy of everything ever copied?

In the old days, if you wanted 5 copies of a sheet of paper, the scanner would scan 5 times. Then someone thought "Hey, what if we could save the scanned image?" So you could scan once, and print out 5 copies. The easiest method is just to toss in a hard drive, and store the copies on there. Now, copying a variable number of pages, then erasing them immediately is extra wear and tear on the HD. You can get a longer drive life by distribute the data all over the HD so it's easily written, then only overwrite when the entire HD was full.

Pretty simple, really. The only downside is that the HD inside contains the last items scanned, up to the memory of the device. (So while it doesn't keep a copy of "everything ever copied", it could easily be the last several thousand items copied.)

Re:Why?

[Corporate+Drone]

Why did they start designing copy machines to have long term storage, and to keep a copy of everything ever copied?

The news report is being sensationalist, and leading you to believe that it's keeping the data. Listen to the report again: they use a forensic program to get at the files. In other words, unless you tell the device to save the image, it's deleted. (The catch is that "deleted" means "entry deleted", not "file wiped off the drive".)

In other words, companies aren't wiping the hard drives of leased copiers. (Then again, are companies wiping the drives of leased PCs? Of PCs they owned, then threw away?)

Sun rises in east. Water is wet. Files that aren't wiped are able to be recovered from hard disks. Yawn...

Re:Why?

[iamhassi]

" Now, copying a variable number of pages, then erasing them immediately is extra wear and tear on the HD."

Sure that makes sense, but why the long-term storage? Why does it store the copies from 6 months ago? Shouldn't it go through every week wipe anything over a week old?

Of course that's not perfect, there's still going to be that final week on there, but at least no one will be "downloading tens of thousands of documents" from a photocopy machine like they did.

Also shouldn't the manufacture's be responsible for this somewhat? It's obvious when you save a document to a computer that the drive needs to be wiped, not so obvious when it's a copy machine. Shouldn't there be big warning labels and a "wipe all" button on the back somewhere? Sharp apparently offers a product to wipe copy machine hard drives.... for $500:
"One product from Sharp automatically erases an image from the hard drive. It costs $500. "

WTF Sharp? You couldn't just put a button on the back that does a DoD wipe?

Re:Why?

[CAIMLAS]

It probably comes down to cost.

If a printer has a 22ppm rate and has 64MB of RAM, you're not going to be able to print more than one or two larger print jobs at a time - particularly if they're RAW jobs. You'll need a print server for that, and you'll have a significant bottleneck before getting to the printer/the printer accepts the job. This leads to user agitation.

So, while 128MB costs $100 (at the time), a 40G disk costs roughly the same amount - and you can cache to disk with marginal overhead and provide a more seamless user experience than the RAM would provide - all while increasing how many jobs can be accepted to queue at a time.

Re:Why?

[mlts]

Every HDD out there, as part of the ATA standard, supports a secure erase command. The utility HDDErase is one such tool which tells a drive to erase itself. And since this is done at the drive level, it is a lot faster than a dd if=/dev/zero of=/dev/sdwhatever because there is no data having to be moved through the drive's I/O channels, the drive head is just writing the zeroes itself. Some drives AES-256 all the contents automatically, and a secure wipe tells the drive just to drop the existing key it uses for encrypting/decrypting data, and generate another one. This is a lot faster because once the old key is erased and a new key is put in, the remaining data on the disk is useless.

Another method is to do a file encryption method similar to how Windows Mobile post 6.0 stores encrypted files on a memory card: Generate a random 256 bit key for every item going on the HDD. Store the key to every file in the copier RAM (unless there is a reason to have persistent storage, then store it on some non-volatile memory that is easily erased.) Then when done with the copy and the data on disk isn't needed, drop the key from RAM (perhaps overwrite it in RAM a few times), and delete from the disks's filesystem. Since the encryption key only persists in volatile RAM for the lifetime of using the file, this method makes it almost impossible to recover data, unless someone is attacking the copier while it is live and in use (which then there are even bigger problems.)

Re:Why?

[Obfuscant]

That would be extra wear and tear, what's wrong with just overwriting data when the HD is full?

I think we've pretty much covered "what's wrong" already. CBS did a story on it. We've been discussing it in this thread.

So shredding the file you've just printed out is a little more wear and tear on the disk. These were LEASED copy machines that are under maintenance agreements. Charge $100 more per year for maintenance and replace the disk when it fails, and do the right thing by shredding data that isn't intended to be stored on disk long term.

How about you, the customer (most likely a company), figure out what exactly you are buying before using the *blackbox* to handle your *sensitive information*.

That's nice. How many copier companies report what file system they are using on the disk, the size of the disk, and that they are making essentially permanent digital copies of everything you copy or print?

However, I do agree that it should be easy to wipe the HD, if it isn't that's some bullshit.

The CBS story said that they used some open source file system forensic program to recover the data. This implies a standard file system of some sort, probably VFAT. It would not have required a true shredding operation to overwrite the data with zeros to prevent a simple forensic recovery of thousands of "deleted" files.

If you want to store digital copies of forms on the copier, that's trivial for the copier maker to do. Create a directory of non-shredded files and store your copy there. If you need to enter a PIN to print a secure document, then the document should have been encrypted using that PIN to start with and not stored in the clear. And then once the document is printed, overwrite it.

And for God's sake, if you want a long-term repository of electronic data, BUY A FREAKING DISK ARRAY where you can apply security rules so that people can and can't get to the data they are or aren't supposed to get to. Don't expect your freakin copy machine to be your file system or database server or asterix server. And if you do, don't let the damn thing roll out the door without pulling the freakin disk.

Re:Why?

[YttriumOxide]

Agreed, and in reality this is how it's done. Adding the HDD is NOT for storing temp copies of current job data - RAM is used for that. The HDD is used when RAM is full (essentially, swap), and for anything DESIGNATED as being longer term storage.

No one will bother

[GigsVT]

No one is going to sort through millions of pointless memos about employee picnics and birthday party announcements on the off chance that there's something potentially valuable to someone somewhere.

Re:No one will bother

[rhsanborn]

No one is going to go dumpster diving and digging through reams of discarded employee picnic announcements just to try and find some corporate secrets, wait... shoot.

Ok, let's try this again. No one is going to go through piles of keylogger data most of which is filled with lols and a\s\l?s to try and find a persons banking credentials, wait ... frick.

No one will do it, except the people that do. There is a buck to be made, people will do it.

Re:No one will bother

[bdsesq]

No one is going to sort through millions of pointless memos about employee picnics and birthday party announcements on the off chance that there's something potentially valuable to someone somewhere.

Want to bet? Oh, that's right you already are betting. If no one goes through your copier data you win -- nothing. If someone finds a password or credit card number you lose -- big time.

So nothing to gain and everything to lose. Sounds like wiping the copier disk is a "must do"!

Re:No one will bother

[_Sprocket_]

Data is valuable. Labor is cheap.

Re:No one will bother

[logjon]

It's really not. Command line OCR is a reality, and anything with a command line interface makes for easy scripting.

Re:No one will bother

[logjon]

It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan - downloading tens of thousands of documents in less than 12 hours. rtfa

Secrets

[Z34107]

I'm not surprised - there are all sorts of nifty things mere "copiers" do. They can store documents forever, especially "secure" ones that you have to release with a PIN. They provide network services - some include (hackable!) FTP servers.

HPs printers support SNMP, but usually in the most insecure method possible. One of the simpler things you can do (Google it, perhaps not using SNMP) is remotely change the LCD text and blink the status lights. I wrote a script that would make all the HP printers on campus flash an animated ASCII Kirby dance.

Print servers are just that - servers. But, they look like copiers, so they get thrown out with secrets.

Re:Secrets

[zill]

I wrote a script that would make all the HP printers on campus flash an animated ASCII Kirby dance.

Travis! You finally made a slip of tongue. Us sysadmins has been hunting the culprit for years now and now we finally got you!

Re:Secrets

[Lumpy]

My favorite was to change the language file and make "ready" be "insert coin"...

Some people don't listen

[bfmorgan]

I have pointed this out to my company's computer security guy and his response was, "I don't worry about copiers, that is a human resource issue". I have sent him this story. Maybe that will get him worried. Oh, and I cc'd the CEO.

Re:Some people don't listen

[Red+Flayer]

Why didn't you email the local head of HR? The guy told you who is responsible...

Instead now you have a situation where you're calling someone out on something that is not their responsibility... that's not the nicest (or most effective!) way of handling it.

Re:Some people don't listen

[vbraga]

Better write 'Pro golf tips at the bottom' in the subject or the CEO isn't going to read it.

From the article

[Itninja]

Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine.

Having worked in the digital industry up until 2007 I can tell you, that is a laughably inaccurate statement. We had half a dozen industrial-class copiers, all from 2004 or newer. The only one with a 'hard drive' in it was the high end color copier/printer; and we had to specifically add that option. I think it would be accurate to say that nearly all digital copiers might be configured to use a hard drive, though many are external and often separated from the device when it's sold.

Re:From the article

[Itninja]

Indeed. But even storage used by the machine would required some physical presence. Having torn these machine down to almost the bare frame on more than one occasion, if there's a hard drive in there, it's invisible. Maybe some flash memory on the board somewhere, but I doubt it could store more than the last 100 pages or so....

Re:From the article

[michaelwv]

And I suppose that's really the distinction. If you asked people, "does the copier right now have a copy of that page you just copied?" that might not be surprised by that, but "does the copier right now have a copy of that page you copied last year?" they would be, and the difference comes down to how much storage and whether or not you have persistent storage.

that's an interesting bank statement, mr salesman

[wfmcwalter]

My company recently bought a used copier/scanner/printer, which had supposedly been reconditioned and cleaned. It included a "document server" feature, whereby jobs could be scanned to its internal disk (or print jobs could be stored in the printer for later printing). The salesman who sold it to us had helpfully left scans of his current account statement in the document server, together with some placating letters to other customers. After thinking about what uses we'd actually have, I decided just to turn the document server feature off for everyone. I did leave the deferred-jobs part on (as it's useful when someone is printing on weird stock or printing something confidential) - thus ensuring that anything left on the copier (the company is now defunct, the copier presumably resold) is guaranteed to be juicy.

new feature idea...

[Stewie241]

Isn't there a spec for deleting data? Seems it would be a good selling feature and cheap to implement a system in the BIOS of all PCs and any device that has a hard drive a way to securely delete all data. This would make it much easier to get rid of old equipment without having to worry about what data is left.

I discovered this fact the hard way...

[xandercash]

...(in 1999) when I copied an offer letter for better employment on my current employer's copier, then left for a long weekend. I came back on Monday to find my offer letter pasted all over the company.

Digital Everything

[colmore]

I'm starting to really think that we're making a mistake putting full-fledged computers in everything we build. They allow for an amazing array of features, but it makes fully understanding our machines much more difficult. Security problems like this one are inevitable.

A dumb analog xerox machine is pretty easy to understand, and one that runs on a microcontroller and a few KB of ram (if that) isn't much harder. But who but the most dedicated hacker has any real idea about what is going on inside a modern Xerox. It *might* not have any undocumented "features," but you have no way of knowing. Security has gone from being a matter of applied common sense to involving a large amount of blind trust in these manufacturers.

It's a symptom of a larger issue though. We're rapidly getting away from having a society where a well educated and technically minded person can understand the actual inner workings of the technology they interact with every day. The tradeoff might be worth it, I'm not a luddite. But we should remember that we are entering into a new kind of relationship with our machines,

true story

[cinnamon+colbert]

many years ago, in the ages of DOS 4.0 and so forth, we had a hewlett packard laser jet, which we thought pretty slick, that connected with a huge fat parallel port cable. One day, I unplug the printer and hook it up to another PC, which, children, in those far off days was quite an adventure in drivers (this was before you could download drivers off the web.....almost pre historic) While, I send some print jobs, say job1, job2.... to the printer, some of which print and some of which vanish, but, eventually, I get all the printouts I need and hook the laserjet back to its orignal computer. A month or two later, printjob2 popped out of the printer. snce the software for this was not installed on the pc the printer was hooked up tow, the job must have sat in the printer all that time (this is long before any "wireless" was available - it would be 2 or 3 years later that the marvel of 802.11A came along)

Re:true story

[EdIII]

I just had this wonderful image of you in a lawn chair, pants up to your nipples, with a bunch of little tykes sitting attentively on your lawn while you waxed nostalgic about the days of the parallel port, the Internet being a bunch of BBS's, and having to enter in the heads and cylinders of your hard drive into CMOS. When CPUs had numbers and not fancy marketing names given to them by Nancy boys with MBA's and real men used punch cards....

*sniff*

I got to call my Gramps, brb

Admin rights required!!

[IrishHammo]

Even nicer, I remember a few years ago I needed to scan the work permit in my passport for HR. So I went to the photocopier, did a scan to storage, and from my desktop retrieved from the photocopier storage and emailed. Job done I went to delete my passport from the photocopier storage. No Dice, windows admin rights required, and when I asked a windows admin to delete it for me (and the other 8 confidential documents sitting there with full read access) I got a very blank look.

Re:Captain Obvious asks -

[FaxeTheCat]

All the major manufacturers offer options that will delete/overwrite data from the internal hard drive after it has been output. They also offer encryption of all user data on the drives, so that the drive content cannot be read outside of the machine.

As most of the machines in this class now run on Linux, adding that kind of features should be pretty simple.

Re:Other Copier Security Risks

[YttriumOxide]

Yes, both of those are pretty much "open secrets". Here's some details:

color copiers can detect certain unique features of currency, and will refuse to copy a document that has those features.

The currency detection routines are pretty much hardcoded in the image processing ASICs are NOT a part of the copier firmware that gets flashed in a routine firmware upgrade. This means that in general it's not easily updated for new currencies (although can be in some cases where image processing boards are physically replaced). It also means it's incredibly hard to bypass and extraordinarily annoying when it misdetects something.
Most devices will block out ALL further output if a certain number of detections are made in a row. This however is generally just a flag in the nonvolatile RAM which a service technician can then clear from the device's service mode. The legal proceedings for doing so differ by country (in most of Europe for example, there's no specific law, and the techs just do it as a matter of course without any special procedures. In Australia, they're required to contact their head office who will then contact the appropriate government agency before the technician may clear that bit. I don't know about the US though sorry.).
In some poorly designed devices, you can work around the currency detection by bypassing the image processing. This would be done by getting data in to the MFP in the raw raster format that the MFP uses (essentially the format that print/scan/copy jobs are processed as internally before being output on paper or as a scan job) and then getting the MFP to print that directly. The exact method would vary by MFP, but if the MFP has a "box" function where data is stored in user specific folders on the MFP's HDD, then copying the raster data in there would probably do the trick for many device types. I can say from my own work that this will NOT work on all devices though as the devices I work with don't allow raster data to be printed directly from any storage source - all user data on the HDD must be either "image" (PNG, JPG, TIFF, etc) or print data (PCL, PS, PDF, XPS, etc) format, or it will be ignored and deleted during the internal security processing of the firmware (and data coming in from external won't even make it to image processing if it doesn't match a valid type).

color printers put a virtually invisible unique pattern of tiny yellow dots on every sheet they print, so that the sheet can be traced back to its owner.

The yellow dots will match to the manufacturer, model and serial number. It's up to the local laws of the country to determine if the government has the right to request the manufacturer to store and divulge that information. It's also worth noting that in many models (almost every model from every manufacturer, but not ALL) the serial number is electronically entered during the MFP's "run up" (initial factory setup) and so CAN be altered in the case of someone wanting to avoid being tracked simply by clearing the nonvolatile RAM (making it believe it's "factory fresh" again) and then following the service procedures for running the device up. The process is basically impossible to know without the appropriate documentation though, as it's deliberately esoteric and weird (things such as "enter the date, then the serial number, then go back to the date screen, then press OK, otherwise it won't accept the serial number" (note: not a real example)) as a kind of security through obscurity on top of the requisite knowledge to do this sort of thing. A copier technician under normal circumstances doesn't get told about the yellow dots, although we don't really keep it secret from them - just don't specifically tell them. So, I'd say most of them do know about them, but don't know the finer details such as that the electronic serial number is a part of it... If they did know this, then yes, they most certainly COULD take any MFP they know how to service and change the serial nu