
SANS ISC: Digital Copy Machines - Security Risk? - Internet Security | DShield SANS ISC InfoSec Forums


Digital Copy Machines - Security Risk?

I just happened upon a CBS News video that gave me pause for thought.  This one was posted back in April; however,
I missed it until now.

http://www.cbsnews.com/video/watch/?id=6412572n

The video talks about the fact that "modern" digital copy machines, those sold after 2002, contain a hard
drive.  These hard drives store the images copied.  These machines are traded in for new models and then
refurbed and resold. However, the hard drives more than likely are not getting scrubbed to remove the content.
One of the copy machines in the video not only contained content on the hard drive but also still had documents
left on the copy bed.

This brings up some interesting discussions.  What is on your copy machine hard drive?  When it is sent in for
repair what information may be gleaned from a quick glance at the drive?  Is your copy machine another potential
target to aid in identity theft?

Food for thought.  Should there be processes and procedures in place for the disposal of these devices? Do you
know what other devices in your organization contain a hard drive or other storage device?  Is there a process
for cleaning before disposal?

Let me know what you think.  What does your company do, if anything, to ensure that no confidential data is
leaked by disposal of old equipment?

Deb Hale Long Lines, LLC

Deborah

272 Posts
ISC Handler
Talk to your copy vendor if you lease/rent. Most vendors have responded to this with a program that aids in this. Our vendor, at the time they remove a copier, asks us if we want to keep the drive. They remove it for free and hand it over. If not, they perform an appropriate scrub onsite.

Again, talk to your vendor or whoever removes your copiers to give you the drive or scrub onsite. Vendors acknowledge this, and are helping to protect from this threat. I'm happy to share more details if needed.
Anonymous
Posts
There have been many articles and news stories about the potential disclosure of data from copy machines, but very few of them deal with the practical issue of how to effectively eliminate residual data. Copiers use proprietary firmware and operating software, so you can't just download and run a utility to wipe the disk.

You can pull the hard drive, slave it and effectively wipe it with a utility. You can also degauss or destroy the hard drive to eliminate any possibility of data recovery. But since most office equipment is leased, you face potential penalties and charges for equipment that needs to be returned in operating condition. If you own the equipment, you've effectively eliminated any resale value or potential reuse. Pulling the drive to destroy data only seems to make sense for equipment that's being discarded.

It would be interesting to see an article about any hacks that might be available to access the copier's service menus and potentially wipe residual data. I'd be surprised if any older copiers have this capability, but would expect that as new copiers are developed, they'll have a user option to perform a data purge on a recurring basis.
Anonymous
Posts
I would also like to add, newer multifunction copier/printer/scanners include a new technology to help prevent the hard drive from being accessed from a connected PC. They use proprietary software to process data, which makes accessing hard drive information extremely difficult. Some vendors (Ricoh for example) have been doing this since 2002.

DATA OVERWRITE SECURITY SYSTEM (DOSS)
DOSS overwrites the sector of the hard drive used for data processing after the completion of each job. During the overwrite process, all data is destroyed to prevent recovery. Additionally, DOSS also offers the option of overwriting the entire hard drive up to eight times. This feature may be used at the end of the lease or if the MFP or printer is moved to another department. DOSS may be added before or after the initial system installation.

HARD DRIVE ENCRYPTION OPTION
This option provides security for information that needs to be stored on the MFP or printer and reused again. Examples of information that may need to be stored for reuse include administrator and user passwords and address books. The Hard Drive Encryption Option differs from DOSS in that the information encrypted is not destroyed, but locked up so only authorized users may access the information. DOSS destroys data so it cannot be reused. The Hard Drive Encryption Option and DOSS may be used in conjunction and will not interfere with MFP or printer operation.

HARD DRIVE SURRENDER AT LEASE-END / TRADE-IN
Vendor offers a hard drive surrender option with which customers may elect to have vendor remove the hard drive from the MFP and give the customer custody of the hard drive before the MFP is removed from the site. Customers then have the discretion to maintain or destroy the hard drive.
Anonymous
Posts
I am pushing for data protection evaluation way sooner than when equipment is going out the door. I say a continuous ongoing lifecycle approach makes sense. Things will still come in with a security afterthought so you will always have to address them as part of any plan. Going out the door is your last chance to check; it should not be the only time you do.

I am handling a plotter which according to the mfg specs has an 80 GB HDD. It is actually a 160 GB 2.5" SATA. I will be cloning the original to a replacement disposable. I will be checking for firmware level capacity clipping to reproduce the configuration.

I would not be surprised to find a FAT filesystem with TIFF image files, maybe postscript or PDF.

Encryption would be good, but is it an effective implementation?

This plotter includes overwrite functions as well; a full drive overwrite is estimated to take many hours. I can pull the drive, mount it, execute the embedded ATA overwrite, reimage and reinstall the drive in far less time and meet NIST guidance. I bet the overwrite is some archaic 3, 6, 7, or 35 pass software implemented routine.

The authority on the subject, Peter Gutmann, as I recall last publicly stated that a few random passes is the best you can hope for with modern drives. That was when perpendicular recording was just emerging.
G.Scott H.

48 Posts
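
A post-wipe verification pass for the procedure described in the comment above, as an added example that is not part of the original post. It assumes the overwrite leaves a constant fill byte; the function names, sector counts and sample image are constructed for illustration. It also reports sectors hidden by capacity clipping, which a scan of the visible area cannot vouch for.

```python
import io

SECTOR = 512
# Magic bytes of the file types the post expects to find on such a disk.
# Files on FAT start on cluster boundaries, so checking sector starts suffices.
SIGNATURES = {b"II*\x00": "TIFF", b"MM\x00*": "TIFF", b"%PDF-": "PDF", b"%!PS": "PostScript"}

def verify_wipe(stream, visible_sectors, native_sectors, fill=b"\x00", max_listed=20):
    """Read the visible area of a wiped disk or image and report what the overwrite missed."""
    clean = fill * SECTOR
    report = {"sectors_read": 0, "dirty_count": 0, "first_dirty": [], "signatures": [],
              # Sectors hidden by capacity clipping were never read, so never verified.
              "unverified_sectors": max(0, native_sectors - visible_sectors)}
    for lba in range(visible_sectors):
        sector = stream.read(SECTOR)
        if len(sector) < SECTOR:
            break  # short read: the device is smaller than claimed
        report["sectors_read"] += 1
        if sector == clean:
            continue
        report["dirty_count"] += 1
        if len(report["first_dirty"]) < max_listed:
            report["first_dirty"].append(lba)
        for magic, name in SIGNATURES.items():
            if sector.startswith(magic):
                report["signatures"].append((lba, name))
    report["passed"] = (report["dirty_count"] == 0
                        and report["unverified_sectors"] == 0
                        and report["sectors_read"] == visible_sectors)
    return report

def build_sample_image(sectors=16):
    """Constructed sample: zero-filled image with two sectors the wipe 'missed'."""
    image = bytearray(sectors * SECTOR)
    image[5 * SECTOR:5 * SECTOR + 8] = b"%PDF-1.4"  # leftover document header
    image[9 * SECTOR + 100:9 * SECTOR + 104] = b"\xde\xad\xbe\xef"  # stray data
    return bytes(image)

if __name__ == "__main__":
    # Constructed scenario: 16 sectors visible, 32 native (capacity clipped).
    result = verify_wipe(io.BytesIO(build_sample_image()), visible_sectors=16, native_sectors=32)
    for key, value in result.items():
        print(f"{key}: {value}")
```
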
Excellent suggestions. Just got done tweaking our Equipment Disposal policy to make sure everyone understood that anything w/ persistent, non-volatile storage needs to be wiped or destroyed to include copiers and printers and whatever else.

As Nick said, most vendors are being very helpful. We are putting together a Memorandum of Agreement to make things a bit clearer on options and ports enabled on receipt and disk wipe on return.

The claim (you mention something above also) "The built-in hard disk of the MFP is automatically protected by a password. This password is stored in the hard disk BIOS and prevents access to the hard disk data, as long as the correct password has not been entered. Therefore, even the removal of the hard disk and installation into a PC, laptop or other MFP would not give access to the hard disk." raises a flag for me. Encryption is an expensive add on. Think they quoted something like $600 a copier.
Dean

135 Posts
error in my post above. should be - they quoted something like 600 dollars per copier.
Dean

135 Posts
I saw this story a couple of months or so ago and followed up the problem with our vendor. Fuji Xerox has optional software that overwrites the HDD after a copy job. However, stored documents, scans, etc. need to be manually deleted.

The recommendation is to wipe the entire HDD when disposing of the equipment. One person I spoke to purchases a replacement HDD and drills a hole through the old HDD and retains it. It would probably be cheaper in the long run to at least replace the HDD.
Anonymous
Posts
On penetration tests I've found the following on smart printers' hard drives: payroll information, pieces of personnel files, lists of phone numbers, lists of accounts, VPN configuration information... there's little point in belaboring the point, they're a hazard. There are probably copiers out there that automatically delete these files after they've been printed (statistically, there have to be) but I've yet to actually run into one.

That there are some copier companies that charge extra for WDE is, to be blunt, for the birds. This should be a basic security measure (then again, gravity 'should' be repealed every time someone moves into a non-ground floor apartment to help with the furniture, and we all know how often that happens.)

Commenter Scott H. is correct, often the drives are formatted VFAT and can be mounted and picked over normally. FTPing into the printer works just as well.

I agree with commenter Mike Rohwedder - physically destroy the drive. Drill presses work well for that, but my favorite technique involves a few screwdrivers to open the drive and a 15-20 pound sledgehammer.
No Love.

37 Posts
(Two disclaimers ahead. I work for SHARP, a MFP manufacturer, who started selling CC certified Data Security Kits for MFPs in 2001. And I offer my private opinion only.)

Yes. There is a risk. This is why by now, all major products (by all major vendors) offer the ability to encrypt data written to the hard disk and to overwrite it afterwards. This ain't rocket science. It is not trivial, though. Try erasing a SSD sector for instance - which is why we use traditional hard drives.

But hard drive theft is not really common, to put it mildly. If you are concerned, buy or enable the respective feature in your MFP. Compared to machine price, this is a small amount of money to spend. Mind, though, that the overwrite costs time. While the machines will typically encrypt/decrypt AES utterly fast (AES being the main standard for this), scans and print jobs can use a lot of space. Overwriting this up to (say) seven times can have a negative influence on performance.

You can also ask to buy the hard disk after the lease time. As vendors cannot guarantee that just any hard disk will work in a certain MFP, expect to pay spare part prices, which are a bit higher than what you would pay in your friendly neighborhood computer shop.

But we are worrying about a minor issue by comparison. The "SiFo Study 2009" claims that 70% of attacks leading to loss of intellectual property are caused by own employees.

What happens?

First, there is the waste paper basket. Have one next to your MFP? Don't worry about a data security kit. People will discard almost everything using the most convenient method. Dumpster diving is much easier than extracting copier data from a hard drive with a proprietary file system which you also had to steal in the first place.

I'd replace it with a shredder or a locked document disposal container offered by specialized companies.

The bigger MFPs often have their own room, traditionally called the copier room.
You print, walk to the copier room, pick up the job waiting for you. Unless someone else was first. Or you went to lunch, can't find your output and blame it on your memory ("I must have forgotten to print it, then!"), or your equipment ("Stupid print server ate my document!"). Also, someone really clever could have taken your interesting print job, copied it (MFPs can copy, after all) and replaced it. Would you notice?

This is why confidential printing standards (print job is held until you authenticate to the machine) are an industry standard. Free. For more comfort, consider a product offering follow-me printing. Walk to ANY MFP in the building and have your print job sent to it.

If you are serious about MFP security, use something released by the German BSI, the Federal Office for Information Security. They let you download for free the English language version of their "module B 3.406".

The URL right now is https://www.bsi.bund.de/cae/servlet/contentblob/479612/publicationFile/28017/moduleb03406_pdf.pdf

What else?
You could compare Security Targets of Common Criteria certified solutions. Differences in vendor assumptions regarding operating conditions can tell you a lot about the strength of the solution. ("Need to trust admin and change PIN every 90 days" sounds better to me than "Need to trust admin, all users, service engineer - and must keep machine in locked room all the time.")

Best regards,
Jens Stark

(Open to comments, curses, complaints and discussion at <firstname>@<lastname>.net)
