The Scary Truth about Copiers

Tuesday, May 25, 2010



IT professional or not, surely you have come across copiers. You know the ones most organizations have now a days. Those multi-function devices that print, scan, copy, fax, email, staple, punch holes and make egg omelets…ok maybe no omelets, but you get the point. They are feature rich and each one of those features come with a price. While you don’t necessarily have to work on them or support them you’ve had some form of interaction with them.


Now, how many of us have walked up to these devices and scanned, copied, or emailed documents to ourselves and or someone else? What about stood next to it while you waited for a fax to come in with personal and sensitive information? I’m not a betting man, but I would put money down that we’ve all done this at one point or another. Whether at our place of work or not, we’ve done so. Now how many of us bother to delete the documentation off of that device before walking away? Show of hands? I know I don't.

Did you know that everything that is faxed, scanned, copied and in some cases printed, is stored on a local hard drive in the copier? Hundreds and even thousands of digital copies of documents sitting there waiting for someone to “inquire within”. Think about it, anyone anywhere in the world can call up a copier reseller and purchase a few used copiers for several hundred dollars, and walk away with much more than they bargained for. And not in a good way! In the wrong hand, this could be very damaging to an organization and individuals everywhere.  I can across this video this morning and I have to say, it was a wakeup call. This is a very scary reality that seems is being over looked not only by the IT industry but also by the copier industry.

From past experience having been through a copier upgrade, not once did I think about the information on the hard drives in the copiers that were being hauled away! Not to mention the vendors and sales people that never mention this as a security issue! Or having gone through PCI audit with a financial company and not once did the QSA questioned our practices in regards to copiers and sensitive information! I shudder at the thought of what’s out there on those hard drives. And this is not even touching on the public places like Kinko’s (UPS stores now I believe) and what kind of security messures they have in place to protect against this problem. 

A quick Google search revealed that this problem has been known for some time.  So why hasn’t there been more of a push to fix this problem? If nothing more awareness and education in both industries, my own opinion, would go a long way. Even better would be if the manufactures of these devices would include a way for us IT Professionals to manually and permanently erase this information when a lease is up and devices are being upgraded / returned.

What do you think? Who should be responsible? What can we do to fix this problem? 

Your thoughts?

Security Awareness Breaches Privacy
Post Rating I Like this!
Anthony M. Freed Video states the PII found on machine number four "may be a violation of Federal Law."

Oh, it is definitely a violation of HIPAA and the HITECH Act.

Makes me wonder how long this has been exploited by the bad guys - then it came to me: probably the whole time.

How long have hard drives been used in copiers? 20 years? Ouch!

I am just imagining all the confidential material I have copied or printed and faxed on the big hub machines at work - all leased of course.

And Kinko's? Get out of here!

Collectively, copiers would have to represent the biggest breach of sensitive information ever, or at least since Prometheus gave us fire.
dgonzalez Because most organizations lease their copiers, that means their IT department is not allowed to crack those bad boys open and get to the HDD to format / scrub them. It would also probably void some part of the lease contract that would most likely incur additional costs to the business. Even more additional costs are the ones for the security features that the video makes reference to that most business DO NOT pay the extra money for.

The way it seems this responsibility should fall squarely on the vendor/sellers and resellers of the devices. They should also be required to provide documentation of and that proper measures were taken to destroy any and all data on the hard drives.
Mourad Ben Lakhoua That is terrible. Companies manufacturing these devices should provide a simple and fast way to clean all these information. this is a big risk!
Mourad Ben Lakhoua The only solution for those hard drive or RAM's is by removing and destroying them. For the non-sensitive information it is possible to just reformatting the device by referring to the constructor. this will charge money. but less risk!
Eric Batchelor Any device that has "memory" can store things that an individual may not want to be known by any other individual. It is alone up to the individual to realize that when they interact with the these devices containing "memory" the device will remember what they typed, stored, scanned, copied, faxed, and or recorded.
dgonzalez Eric, I agree with you to a certain degree, however when I see or hear the term "memory"
I perceive it more as being stored short term rather than long, temporary not permanent, and a small or minimum amount of data (or as much as the "memory" size/capacity).

Now with these copier devices having 80 to 100 GB hard drives, we are now talking about many, many months, if not years worth of documents and information.

The thing is that these copiers are basically file servers on a network, except no one thinks of them that way; hence they pay them no mind.

I still think there could be software incorporated that would prompt the user immediately after their scan, fax or copy, whether they want to retain a permanent copy on the copier.

Another option would be a setting within the copier configuration that enables admins to enable or disable the "save everything forever" feature. Of course the problem I see with the latter is if the business requires this feature to be on for discovery purposes.

Machines I’ve worked with have neither.

Ray Tan Yeah,now we begin to pay more attention on the instruments of our network besides the computer.
Ron Baklarz Think this is bad, just wait until toasters, ovens, refrigerators, and god knows what else get IP addresses!
Anthony M. Freed Ron's right - good example: not long ago 100+ cars where hacked and disabled in Houston via their IP's - reference Theresa Payton's article:

Malike Bouaoud Well i guess this violates most of the data protection laws all over the world, especially when nobody seemed to be aware of it (contracts might have "forgotten" to mention it?)
Maybe Software should be updated with a a "disk wipe" function for administrators that can be used at the end of the product life cycle.
Anthony M. Freed As a result of the CBS story, the Federal Trade Commission are investigating:

Privacy & Information Security Law Blog
Katie Weaver-Johnson Also wanted to share my recent blog regarding this topic:

"Copy Machines: A Wake Up Call for Security"
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.