Stealing Data from Disk Drives in Photocopiers

This is a threat I hadn’t thought of before:

Now, experts are warning that photocopiers could be a culprit as well.

That’s because most digital copiers manufactured in the past five years have disk drives—the same kind of data-storage mechanism found in computers—to reproduce documents.

As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier’s disk aren’t protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

Posted on March 21, 2007 at 12:10 PM • 20 Comments


Keith March 21, 2007 12:46 PM

Many of those machines have a “default” setup that allows you to reproduce one of the last ten (at least) photocopy jobs. I’m sure you could walk into a photocopy store where the owners haven’t been conscious of this and find out what the last few customers were copying. Same would apply in an office.

Tremaine March 21, 2007 12:51 PM

This has been an issue for as long as these multifunction machines have had hard drives in them. I’ve always warned clients that when replacing or retiring these systems they need to ensure the drives are securely scrubbed or destroyed.

Baron Dave March 21, 2007 12:55 PM

Many years ago, the issue was the little microfilm that copiers kept of every image. Then as now the process involves an intermediate step between the original and the copy, and the question becomes: What to do with the internal recording?

To my knowledge, the issue was never resolved. I’m not sure what will happen this time either.

Marcus Ranum March 21, 2007 1:07 PM

I seem to recall this trick was played in the cold war. I forget whether it was a KGB or CIA op, but the victims got suspicious when someone other than the “regular copier guy” opened the machine and found a lot of unusual gear inside. Sure enough, the copier had been making an electronic duplicate to internal memory, which was being downloaded whenever the thing broke down – which was suspiciously regularly. 🙂

A pretty clever hack, huh?

Pat Cahalan March 21, 2007 1:17 PM

Some time ago, campus security got a DMCA complaint that an IP address was serving out copies of “The Two Towers”.

Turns out the IP address in question was assigned to a copy machine (running embedded NT). Vendor insisted that it was not possible for the machine to be hacked across the Internet.

Good times.

AMW March 21, 2007 1:20 PM

When these first came out 10+ years ago, the military instantly banned them from use with classified materials for this reason.

Ray Potter March 21, 2007 1:37 PM

Marcus- IIRC, there was even a case where a small camera was installed to capture who was making the copies. Apparently just having the data wasn’t enough… they wanted to know who else knew about it.

Interesting stuff.

Steve L. March 21, 2007 1:39 PM

If the HD is used for just data you could in theory just zap the HD with a nice powerful magnet to erase anything on it, say do it once a week. However, if it contains some kind of OS or other system info then it could become a major pain to get it back.

Matt from CT March 21, 2007 1:57 PM

Never mind just the HD.

A lot of them use Windows or even better ‘nix OS. If you can own it, you can have loads of fun and excitement on someone’s network.

One site I was on recently the PC wasn’t even embedded — it was a laptop on a platform/arm bolted to the side.

TheSquirrelfish March 21, 2007 2:11 PM

I think the hd’s run about 500 mb’s in the standard small to medium office machines.

Matthias March 21, 2007 3:28 PM

@Steve L.
Better not zap the disk with a magnet. AFAIK these beasts store their firmware on the platters. You don’t want to zap that.

nbk2000 March 21, 2007 6:23 PM

How hard would it be to use something, like a GumStix computer with wireless LAN, to turn the copier into a server, with the page images being served up to the attacker as they are created?

False Data March 21, 2007 6:33 PM

Those hard drives ought to be discoverable in a lawsuit. Something to think about when updating your company’s data retention policy, I guess.

Dave Aronson March 22, 2007 7:50 AM

@bob: Sure you can make copies of guns. Lots of companies, like Kimber and Springfield, make darn good copies of “Ol’ Slabsides” (Colt 1911), and many of the Taurus revolvers are copies of assorted Smith & Wessons. 🙂

Now if only producing them were as cheap as copying a piece of paper….

FP March 22, 2007 9:46 AM

Our copiers are also print servers, connected by ethernet. A bad guy could easily install some code to send out every document that was printed.

derf March 22, 2007 12:00 PM

Unfortunately, most of these devices have multiple configuration interfaces. Web interfaces are the most obvious, so they will typically get a shared password. IT groups often forget or underestimate the telnet interface. Some printers now come with wireless NICs that default to Ad-Hoc mode.

Even more sinister than the document problem is that the operating systems of the devices can be modified to run custom code. This basically creates a machine that isn’t monitored that can do anything it wants on your internal network. One nasty scenario would be to have it actively scan for network hives and try to copy that data to external entities.

Jenny June 4, 2007 1:20 PM

I remember the Xerox 9000 series fax machines and how wonderful they were while I was working full-time. I also remember the MEMORY after faxing something. When I go to Kinkos-Fed-Ex and fax something, I delete it from the memory after it is sent and after I am done. You CAN recall pages and pages of previously faxed documents from the customers before you.
Does this mean they are stored on the memory even though you have deleted the fax you just sent???
