April 10, 2013

Digital Copiers: A Massive Passive Security Threat


SAT-for-TechNotes.jpgOne of the most innocuous devices in your office may be a stealth security threat to your company.  And it might not even be under the control of your IT department.  This device might be considered to be an office supply, and acquired like paper clips. That "stealthy" device is your copier.

For decades, copiers mostly used a process called xerography,which duplicated images using an electrostatic process.  Since this is a combination of physical and electrical processes, no digital information is involved so electronic security is not exactly a big deal.  (In fact, as noted in the reference above, the process was invented in 1938!)

However, over the past decade, xerography has, for excellent reasons, been largely replaced by digital technology.  In many ways, this is analogous to the move from film to digital photography. With the two-step process the original image is first scanned digitally, and then it is printed from the digital image copy.  This multifunction device (MFD) is capable of acting as a copier, scanner, printer and fax machine.  

The key component of digital image reproduction is memory of some form for the scanned images so that multiple users and multitasking can be easily accomplished. And in industrial-strength copiers, a standard hard drive is often used for this storage. And even though the MFD is a part of your corporate network, the management of this drive may have slipped under the radar of your security infrastructure.

This issue has been well-documented, including coverage on national news shows - highlighting the ease of data theft and release of highly confidential information. (The news clip highlighted here is five minutes, and I really recommend that you watch it.  You'll see many familiar components that will help drive home the reality of this situation.)  But it's our hunch even though this security issue has been known about for a couple of years, it is not covered by many companies' current security policies. 

Of course, the easiest and simplest breach of this information comes when a copier is sold, taken off lease, or otherwise leaves the company.  If the hard drive in the device is not appropriately wiped, it's an extremely straight-forward process for even a semi-skilled hacker) to access the access the information.

While we are not aware of any instances when an MFD has been actively hacked, it seems infinitely simple and "doable" - especially for internal attacks from within the local network.  (And just think of the possibilities with Wi-Fi-enabled MFDs!)

So what are the recommended actions?

  1. Knowledge is power.  Make sure that all involved parties are aware of this "feature" in MFDs.

  2. Make sure you have corporate policies in place to deal appropriately with equipment that is being taken out of service.

  3. Include copiers (as MFDs) as a part of your overall network security architecture.

  4. Investigate partners who might be able to include MFDs as a part of your network security infrastructure.  For instance, McAfee and Xerox have issues both a security alert and a case study highlighting their cooperative plans.

Please share your experiences and how you are dealing with this threat.



This article is brought to you in part due to the generous support of:



4 Comments

Are people in your company aware that items that are “copied” or “faxed” are stored electronically? Do you have a policy concerning users advising users of this fact? For instance, is there an informative label (warning) on MFDs?

One of the scariest parts of the hack shown on CBS was that the disk drives were standard hard drives like in desktop computers. So the ability to see data on a “normal” drive is well-known. But this raises the question of the extent to which consumer/SMB MFDs have similar issues.

My guess is that it probably depends on both the manufacturer and physical form factor for the storage. But I would be very interested in anybody providing further insight on this issue.

Here are some useful links on this subject. Even though the issue has been identified for quite a while, the awareness level seems to be quite low.

From the Federal Trade Commission:
Copier Data Security: A Guide for Businesses
A great, concise overview. One section of the document highlights the fact that this is a critical privacy compliance issue.

From a rather unlikely web source:
Technical details from a copier supplier.

Always a good reminder. Most copiers have an encryption kit. In the old days you could choose to have no HDD - this in no longer a choice. Add copiers to your policies that cover the disposal of electronic media.

Get E-News and Notices via Email


  

 



  

I accept Webtorials' Terms and Conditions.

Featured Sponsor Microsites






















Recent Tweets

Archives

Notices

Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at https://www.webtorials.com/Sonus_logo.jpgreg/.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2015, Distributed Networking Associates, Inc.