Schneier on Security
A blog covering security and security technology.
March 26, 2010
Hard Drives in Photocopy Machines
Modern photocopy machines contain hard drives that often have scans of old documents.
This matters when an office disposes of an old copier. It also matters if you make your copies at a commercial copy center like Kinko's.
Posted on March 26, 2010 at 11:27 AM
Thank you, I know many solicitors who should know about this.
I suspect the ones at Kinko's would have the data overwritten fairly quickly given the volume.
I hope so, since Kinko's is where I photocopied the bank statements, W-2s, etc., when I applied for a mortgage.
I can understand some memory but why hard drives? There's no need for permanent storage unless it's a fax or something like that. Anyway, if companies really cared they would leave behind magnetic media and use some solid state drives. Erase it and it's gone.
This is why I despise fax machines. I hate it when my medical records or other confidential information is faxed, because I know the secretary at the doctor's office etc. has no idea how to clear my personal information properly (or that she even can). I ultimately have resorted to doing as much as I can in person. It's sad, because there are so many technical ways that would work better, but nobody seems to push them.
For most of these devices (fax, p/copy etc.), I suspect it would be trivial for the manufacturers to alter the firmware to overwrite once or twice with random/zeros, which would be adequate for most purposes, instead of simply unlinking the files when they're no longer needed. A more thorough purging-by-default of deleted files would not require much more effort.
So, perhaps the issue isn't the presence of persistent storage, but the laziness/ineptitude of the device manufacturers, and their inability to recognise the security implications of their current designs.
However, they also seem to bend over backwards to facilitate spying upon their customers, c.f. the discussion here and elsewhere a few years back re: Hewlett Packard Color LaserJet printers covertly printing steganographic identification codes onto all documents for unspecified 'law enforcement' purposes.
True story: a network-attached copier with an embedded operating system (which shall go unnamed) at a particular university was the source of a DMCA complaint, as it was hacked and serving out copies of The Two Towers via FTP.
Ah, embedded operating systems.
Pat Calahan: Well, but this could also have happened to a device without any infringing activity, see http://dmca.cs.washington.edu/ ("Why My Printer Received a DMCA Takedown Notice").
Hard drives are cheaper than memory.
If you have a 300-page document that you want collated, the machine has to store the entire document to print the pages in the correct order. 300 pages * 120 sq-in * 300 dpi^2 is a lot of memory.
Also the same unit can probably work as a fax, printer with stored letterheads etc.
Old news, but something that is worthwhile mentioning from time to time.
Incidentally, larger printers can also have HDDs with the same problem.
And for the paranoid: memory in printers can theoretically have the same issue; mine, for example, has basically some Unix-like OS with a ramdisk for storage. Makes for easy implementation of FTP upload and the like. Hacking and physical attacks on the memory seem to apply.
I just sent a link to the article to one of the techs at one of my client sites (LARGE health care provider) asking about HIPAA compliance implications.
I was sitting on a random network once years ago and saw a strange-looking machine with the sun-rpc port open. rsh'ed to it, no password. It was a printer, and the manufacturer had not turned off the VxWorks debugging console before shipping. This sort of thing happens in the real world and doesn't wait for you to throw the printer out.
Modern copiers do some pretty fancy stuff, emailing copies to people, some even acting as file servers for small offices. It doesn't surprise me very much that this is an issue, though I can't say I actually thought of it before. I was under the impression that most offices leased expensive copy machines, so I'm not totally sure how much of an issue disposal is.
I know that at least some government offices lease their computers as well, I wonder if there are standard procedures for wiping computers that never came in contact with data that was classified, but still potentially sensitive. I'm familiar with the various DOD wipe procedure stuff, but do they actually bother to do all of that with every single computer they lease?
The copiers at our place can only run at full speed when they're running from source on the hard drive. If they're going from paper originals, they have to slow down to the speed the originals can be fed at (which is slower than fresh paper since it's not likely to be pristine paper). You can send documents to them over the network and have it save them then print copies later at will.
The printers also have hard drives - they can hold jobs for security reasons - if you want to print a copy of your tax return to a shared printer down the hall, for instance, you can tell it to hold until you are there, and give it a security code - it won't print until you pull the job up on the console and give the code.
Also by storing outbound faxes on hard drive, you can queue up a bunch of jobs, and have them retry as many times as necessary until the fax goes through, without holding up other jobs.
Wow, way to get your facts wrong. It happened because incompetents gather "evidence" as basis for DMCA notices in completely bogus ways.
This is a new - and worse - version of an old problem. Old typewriters could be hacked by stealing the discarded ribbon. There's a way to hack the old electric typewriters (not by stealing ribbon) which I can't remember off the top of my head at 5.30 am. It required access to the machine. The Soviets did it, by setting up KGB-owned typewriter repair shops around the US Embassy in Moscow.
The difference between the old hacks and the new is - as it often is - scale. The old hacks were retail. The new ones wholesale.
Manufacturers who don't perform a disk wipe of the used space after each complete job are *very* rare. I've been doing IT security evaluations of these types of devices for over 6 years, and have never seen one without a disk wipe. They typically have two types of wipe; one to remove individual job data files, and one that can be done at the request of the sysadmin when it is decommissioned -- the second wipe overwrites the entire partition where data was stored.
For more info, search for "security target" + device manufacturer name.
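The two wipe behaviours discussed above (the per-job overwrite-then-unlink proposed by the firmware comment, and the per-job plus full-partition wipe the evaluator describes) are sketched below as an added example; this is not code from the original post, from any manufacturer, or from the commenters. It works on ordinary files and on a plain file standing in for the data partition image, so it runs offline; the sample job content and the file names are constructed. The caveat a practitioner wants is also the one raised later in the thread: an in-place overwrite only guarantees erasure when the write actually reaches the original blocks, which journaling filesystems and wear-levelled flash/SSDs do not promise, so on such media full-device wipe or encryption with key destruction is the dependable route.

```python
import os
import secrets
import tempfile

# Constructed sample content standing in for a scan job left on a copier disk.
SAMPLE_JOB = b"CONSTRUCTED SAMPLE: scan of bank statement, acct 0000-PLACEHOLDER\n" * 100


def overwrite_in_place(path, passes=2, chunk_size=64 * 1024):
    """Overwrite every byte of `path` without changing its size.

    Pass 0 writes zeros; later passes write random bytes. Each pass is flushed
    and fsync'ed so the data reaches the device before the next pass starts.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for current_pass in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(b"\x00" * n if current_pass == 0 else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def wipe_job_file(path, passes=2):
    """Per-job wipe: overwrite the job's data, then unlink it.

    Plain unlink only drops the directory entry; the blocks stay readable.
    """
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def wipe_partition_image(path, passes=1):
    """Decommission wipe: overwrite the whole data partition (here, an image
    file), covering slack space and any job files that were only unlinked."""
    return overwrite_in_place(path, passes)


def contains_marker(path, marker):
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo():
    """Build a constructed job file and partition image, wipe both, report results."""
    with tempfile.TemporaryDirectory() as work:
        job = os.path.join(work, "job_0001.raw")          # constructed name
        image = os.path.join(work, "data_partition.img")  # constructed name
        with open(job, "wb") as fh:
            fh.write(SAMPLE_JOB)
        # Partition image: three "jobs" followed by 4 KiB of slack space.
        with open(image, "wb") as fh:
            fh.write(SAMPLE_JOB * 3 + b"\x00" * 4096)
        marker = b"bank statement"
        before = contains_marker(image, marker)
        job_bytes = wipe_job_file(job)
        image_bytes = wipe_partition_image(image)
        return {
            "job_bytes": job_bytes,
            "job_removed": not os.path.exists(job),
            "marker_in_image_before": before,
            "marker_in_image_after": contains_marker(image, marker),
            "image_bytes": image_bytes,
        }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the result dictionary: the job file is gone after its two passes, and the recognisable text that was present in the partition image before the decommission wipe is absent afterwards.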
I'm actually really surprised that this article is news to anyone -- copiers have been nothing more than linux servers with fancy inputs and outputs since the 90's.
"copiers have been nothing more than linux servers with fancy inputs and outputs since the 90's."
Close, but no cigar: if you'd said *nix boxes you'd be right.
Most of the early systems used SunOS on SPARC or BSD on 68K platforms from the late 1980s.
We've used this technique on several occasions over the years in prosecutions... sometimes in RAM.
Depends on the machine, often over-writes... but has proven to be useful.
And then of course there is the cached material on PCs and servers.
And we've been taking the film-type ribbon cartridges out of premises we've searched as standard practice for years.
This is why "we" invented (I work for a major MFP manufacturer) something called an MFP Data Security Kit many years ago. It encrypts data written to the HD using AES and overwrites it afterwards.
(We checked solid state drives and found them difficult to erase, btw.)
There are actually a lot of security features built into modern MFPs, the major issue being customer awareness of the issues. We (and competitors) offer a lot, but you need to tell people over and over and over again about the risks involved. Which are mostly much more trivial than (and as overlooked as) MFP hard disk security.
It is scary to know that your personal information is still staying in the drive and prone to misuse. I think scanner and copier devices should include some sort of switch to clear old & temporary data.
It was an embedded NT4 OS running IIS for the web interface, and yes, it was hacked. At least, according to the source I got the story from, which I would regard as reliable. I admittedly didn't discover this one myself.
There are (particularly on university campuses) hundreds of devices with embedded operating systems that could easily wind up being warez servers.
phenoelit (http://www.phenoelit-us.org/fr/tools.html) had a nice tool some years ago for messing with printers. Other than changing variables, it also allowed file up/download to/from HP printers.
Might be a good idea to store encrypted key-files e.g. for truecrypt-containers in the printer. Who will look there?
Slightly off-tangent, but this reminds me of a very exasperating boss I had who would not allow anything to be paid through the Internet, as they were sure the numbers would be stolen that way. Instead, they insisted on sending a photocopy of their credit card via fax, considering this a far more secure method. Nothing we said could convince them otherwise. It's amazing how people misunderstand technology, or how a photocopy of a cc is so much easier to steal than an encrypted Internet transmission.
"They typically have two types of wipe; one to remove individual job data files ..."
It varies from manufacturer to manufacturer of course but I've dealt with several where the areas that are wiped are divided up. Some types of jobs (e.g. print) do get overwritten but others (e.g. scan to email) do not.
On a related note, many MFDs are difficult to harden because a hard reset (either deliberate, accidental, or necessary during 'fixing') will sometimes wipe out all your security settings (again, varies from model to model).
I once gave an hour-long talk to some like-minded security folks on the risks of MFDs. I included a brief video to keep them awake. At the end of the presentation I revealed ... drum roll ... the entire presentation (including video) was run from RAM on an unsecured MFD at the hosting organization. Of course I had back-up copies in other MFDs in case someone turned off the particular one I was (ab)using at the time.
The only effective risk mitigations:
- firewall each MFD or put them all on a restricted network
- awareness (don't let "just some copier guy" work on your MFD or take it away)
- destruction policy/practice
I can understand some memory but why hard drives? There's no need for permanent storage unless it's a fax or something like that.
There are some good reasons here, but I think it's also because employers just love to tell their employees that they can bust them making personal copies or copies of "unauthorized" materials.
It makes them feel all warm and squishy inside that they can catch little Mary Jane sneaking to make 100 copies of a flyer for her church car wash.
If you're in OC, I probably wrote the AES driver code, including the crypto that requires a PIN (etc.) at the machine to actually get hardcopy. I also chatted with the person writing the disk overwrite routines. The folks in that group were well aware of risks to printers in banks and airports and other public places.
Anyone have the physical retention of hard drives when copiers are de-installed as an item in their vendor contracts or printing/output policies?