Do you trust your copier? A gaping hole in document security uncovered

Ask the average user to define 'secure printing' and you'll likely get a wide swath of answers. The most common concern is that confidential documents sitting unattended on the output tray are particularly prone to being read or taken. The more advanced user might even tell you that network printing over unencrypted data connections is easy to intercept. The security hole that many users don't ever think about when asked about secure printing and copying is in the copier itself. CBS News uncovered the little-known secret that many enterprise-level imaging machines hide below the surface. Since 2002, virtually every digital copier built ships with a hard drive that records and stores a copy of every processed document. These hard drives, when returned to a leasing company or resold without proper data wiping and maintenance, are a veritable source of confidential and personal information, most likely far more valuable than the copier itself.

In their investigation, CBS retained the services of John Juntunen, owner of the California-based company Digital Copier Security, to see how deep the security hole really was. They went to an imaging components warehouse to buy some used business-level copiers, and came away with four heavily-used machines. In just a few hours, Juntunen was able to remove the hard drives and, using a free computer forensics tool, was able to recover tens of thousands of documents, many of which were highly confidential. As it turns out, one of the machines was from a sex crimes police unit out of Buffalo, NY, and contained detailed lists of sex offenders and ongoing domestic abuse cases. A machine that came from a New York City construction company had pay stubs with names, $40,000 worth of copied checks, and social security numbers. The last machine they investigated was the one that is now making news. A copier from Affinity Health Plan, an insurance company, had 300 pages of detailed medical records. Ira Winkler, a former NSA analyst, was disturbed by this one. "You're talking about potentially ruining someone's life, where they could suffer serious social repercussions. You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up."

Affinity didn't waste any time. Dark Reading reports that Affinity notified some 400,000 customers that there had been a potential security breach from one of their copiers that had been returned on lease. The press release says that they have not reviewed all the data yet, but they are notifying anyone that could possibly be affected by it. They did not mention any kind of action plan in place to deal with the problem. 

Juntunen created a software product called INFOSWEEP that deals specifically with the problem of hard drives in copiers. INFOSWEEP wipes all data off a copy machine's hard drive so that no data is vulnerable to theft or abuse. Juntunen, along with other security professionals, have been warning people about this problem, but they're not satisfied with the reactions they see. Ed McLaughlin, president of Sharp Imaging, when asked by CBS if the industry has failed to provide enough support and education to the public regarding copier security, said "Yes, in general, the industry has failed. It's falling on deaf ears, or people don't feel it's important, or 'we'll take care of it later.'"

In our own investigation of the problem, Neowin.net looked at various manufacturers' websites to see if there were satisfactory security products in place in enterprise imaging solutions to mitigate the problem of document security. HP has a product called Secure Hard Drive, which not only encrypts all data with AES encryption (a high-quality cipher), but also prohibits access to the contents of the hard drive if it is removed. However, the equipment isn't standard, and comes with a $550 price tag. Konica Minolta, on their higher-end BizHub printers, include multiple security tools like encryption, sanitizing, and copy protection, without extra costs. Sharp offers a wide variety of security tools to fit any business need, from small companies to secure government agencies. In general, the manufacturers seem to be doing their part in building out products that meet established security standards. The problem, emphasized by Sharp's McLaughlin, is that the general population, and many network administrators, simply don't feel that document security is a priority, and more robust public education about the relevant threats is absolutely necessary to make the available security tools worthwhile and effective.

Image courtesy of Sharp

Thanks to forum member Phenom II for the tip!

Previous Story
EVO 4G gets rooted before it even launches
Next Story
HP Slate to run WebOS, or not.