Do you trust your copier? A gaping hole in document security uncovered

Ask the average user to define 'secure printing' and you'll likely get a wide swath of answers. The most common concern is that confidential documents sitting unattended on the output tray are particularly prone to being read or taken. The more advanced user might even tell you that network printing over unencrypted data connections is easy to intercept. The security hole that many users don't ever think about when asked about secure printing and copying is in the copier itself. CBS News uncovered the little-known secret that many enterprise-level imaging machines hide below the surface. Since 2002, virtually every digital copier built ships with a hard drive that records and stores a copy of every processed document. These hard drives, when returned to a leasing company or resold without proper data wiping and maintenance, are a veritable source of confidential and personal information, most likely far more valuable than the copier itself.

In their investigation, CBS retained the services of John Juntunen, owner of the California-based company Digital Copier Security, to see how deep the security hole really was. They went to an imaging components warehouse to buy some used business-level copiers, and came away with four heavily-used machines. In just a few hours, Juntunen was able to remove the hard drives and, using a free computer forensics tool, was able to recover tens of thousands of documents, many of which were highly confidential. As it turns out, one of the machines was from a sex crimes police unit out of Buffalo, NY, and contained detailed lists of sex offenders and ongoing domestic abuse cases. A machine that came from a New York City construction company had pay stubs with names, $40,000 worth of copied checks, and social security numbers. The last machine they investigated was the one that is now making news. A copier from Affinity Health Plan, an insurance company, had 300 pages of detailed medical records. Ira Winkler, a former NSA analyst, was disturbed by this one. "You're talking about potentially ruining someone's life, where they could suffer serious social repercussions. You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up."

Affinity didn't waste any time. Dark Reading reports that Affinity notified some 400,000 customers that there had been a potential security breach from one of their copiers that had been returned on lease. The press release says that they have not reviewed all the data yet, but they are notifying anyone that could possibly be affected by it. They did not mention any kind of action plan in place to deal with the problem. 

Juntunen created a software product called INFOSWEEP that deals specifically with the problem of hard drives in copiers. INFOSWEEP wipes all data off a copy machine's hard drive so that no data is vulnerable to theft or abuse. Juntunen, along with other security professionals, have been warning people about this problem, but they're not satisfied with the reactions they see. Ed McLaughlin, president of Sharp Imaging, when asked by CBS if the industry has failed to provide enough support and education to the public regarding copier security, said "Yes, in general, the industry has failed. It's falling on deaf ears, or people don't feel it's important, or 'we'll take care of it later.'"

In our own investigation of the problem, Neowin.net looked at various manufacturers' websites to see if there were satisfactory security products in place in enterprise imaging solutions to mitigate the problem of document security. HP has a product called Secure Hard Drive, which not only encrypts all data with AES encryption (a high-quality cipher), but also prohibits access to the contents of the hard drive if it is removed. However, the equipment isn't standard, and comes with a $550 price tag. Konica Minolta, on their higher-end BizHub printers, include multiple security tools like encryption, sanitizing, and copy protection, without extra costs. Sharp offers a wide variety of security tools to fit any business need, from small companies to secure government agencies. In general, the manufacturers seem to be doing their part in building out products that meet established security standards. The problem, emphasized by Sharp's McLaughlin, is that the general population, and many network administrators, simply don't feel that document security is a priority, and more robust public education about the relevant threats is absolutely necessary to make the available security tools worthwhile and effective.

Image courtesy of Sharp

Thanks to forum member Phenom II for the tip!

Report a problem with article
Previous Story

EVO 4G gets rooted before it even launches

Next Story

HP Slate to run WebOS, or not.

27 Comments

Commenting is disabled on this article.

We use Canon here. Practically everything we copy on it is highly confidential. Our copiers are pretty new, but I think I'd better look into the security situation.

Well, it is interesting that that security dude used a software that is posted freely on the internet to decrypt all those files. What happens if the hard drive crashes in the copier? Will it still make copies or give a nice error message?

JonathanVP said,
Well, it is interesting that that security dude used a software that is posted freely on the internet to decrypt all those files. What happens if the hard drive crashes in the copier? Will it still make copies or give a nice error message?
As far as I can remember, that guy didn't decrypt those files. He instead recovered stored/deleted files on the drives.

I thought this was common knowledge among people who actually buy/lease the photocopiers. I mean if you were a business that has a substantial turnover, you'd know exactly what is in the photocopier before you buy it? In fact, (and I don't know for sure so you can correct me) isn't this sort of thing advertised anyway?

testman said,
I thought this was common knowledge among people who actually buy/lease the photocopiers. I mean if you were a business that has a substantial turnover, you'd know exactly what is in the photocopier before you buy it? In fact, (and I don't know for sure so you can correct me) isn't this sort of thing advertised anyway?


Yep. You are entirely correct. I run all the copiers and printers in my local authority - the hard drives are pretty much a feature tbh. They are not secret... and they are not reporting home, or used to track documents... they are there for use by the software/user.

We have Toshiba's where I work that are like this.

But they are configured to save to a network server not to the internal HDD when you scan documents for this very reason.

Why do printers/copiers need these in the first place? I thought the copiers could just store the documents in memory while they are processed, then remove it from memory. ???

LaserWraith said,
Why do printers/copiers need these in the first place? I thought the copiers could just store the documents in memory while they are processed, then remove it from memory. ???

Two fold: Businesses could keep track of what their employees were coping (attempting to ensure that no documents were getting out of the building), and law offices could track all documents so they could charge their clients.

Others may come up with other reasons for the HDDs.

LaserWraith said,
Why do printers/copiers need these in the first place? I thought the copiers could just store the documents in memory while they are processed, then remove it from memory. ???

It's less about document tracking, and more about software. Somewhere is needed to store all the embedded software - Canon's for example have their MEAP features.

Also a lot of devices have secure release features - they need somewhere to store the documents that are sent to them, for release at a later date.

This is only part of the problem.
The other part is end-user education, what good is an encrypted hard drive in a copier when confidential data still gets sent in unencrypted e-mails? (This still does happen, believe me.) Or when people don't remove documents from the printers memory?
I remember that back in high school we could browse the printers memory using the limited controls on the copier itself and print data from other people that was still in memory (read: printed after the last power-cycle and not manually erased). Every once in a while, when there was a problem, somebody would pass by, unplug the power cord and plug it back in. "To free the memory..."

Glendi said,
Wasn't this on the forums like a week ago?

the news itself is old. In fact, it's been around since 2002, when hard drives started shipping with hard drives.
What's new is that people are finally starting to take notice.

Tzvi Friedman said,

the news itself is old. In fact, it's been around since 2002, when hard drives started shipping with hard drives.
What's new is that people are finally starting to take notice.

I hate when hard drives ship with hard drives

.Rik said,

I hate when hard drives ship with hard drives
hahaha, yea. that just ****es me off when i get shipped a second hard drive when i only wanted one

timster said,
hahaha, yea. that just ****es me off when i get shipped a second hard drive when i only wanted one

Even worse is when your hard drive ships with a hidden copier.

Glendi said,
Wasn't this on the forums like a week ago?

Yeah Neowin is pretty late to the game on this one, it's been all over the news the past couple of weeks.

Interesting that the largest Copier manufacturer of them all wasn't mentioned (Xerox).

I actually found this news article very informative and I think you're looking for problems where there are none, particularly since you haven't backed up anything of what you've said with any shred of evidence.

Thank you Tzvi for reporting this.

vaximily said,

Interesting that the largest Copier manufacturer of them all wasn't mentioned (Xerox).

They were probably just going to say the same thing as everyone else.

vaximily said,

Interesting that the largest Copier manufacturer of them all wasn't mentioned (Xerox).

Yeah, I thought that was interesting too. Read my comment below, maybe that's why they didn't mention them?

vaximily said,

Yeah Neowin is pretty late to the game on this one, it's been all over the news the past couple of weeks.

Interesting that the largest Copier manufacturer of them all wasn't mentioned (Xerox).

I thought Xerox lost it's #1 position a long time ago...

sviola said,
I thought Xerox lost it's #1 position a long time ago...

In the 90's, but it made a huge comeback starting in 2000 / 2001 and has been #1 for quite a while again now.