Photocopiers save files from copy actions, without encryption

[Bsmith]

The big old office photocopier, which company doesn't have them?

Well, it might be an idea for companies to set up a policy around them, because photocopiers store a digital file of everything they copy, without encryption or any other security measures, unless you get the "upgrade".

 

Quote

Juntunen picked four machines based on price and the number of pages printed. In less than two hours his selections were packed and loaded onto a truck. The cost? About $300 each. 

Until we unpacked and plugged them in, we had no idea where the copiers came from or what we'd find. 

We didn't even have to wait for the first one to warm up. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division. 

It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan - downloading tens of thousands of documents in less than 12 hours.

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid. 

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks. 

But it wasn't until hitting "print" on the fourth machine - from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

"You're talking about potentially ruining someone's life," said Ira Winkler. "Where they could suffer serious social repercussions."

Winkler is a former analyst for the National Security Agency and a leading expert on digital security. 

"You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up," Winkler said. 

The Buffalo Police Department and the New York construction company declined comment on our story. As for Affinity Health Plan, they issued a statement that said, in part, "we are taking the necessary steps to ensure that none of our customers' personal information remains on other previously leased copiers, and that no personal information will be released inadvertently in the future." 

Ed McLaughlin is President of Sharp Imaging, the digital copier company.

"Has the industry failed, in your mind, to inform the general public of the potential risks involved with a copier?" Keteyian asked. 

"Yes, in general, the industry has failed," McLaughlin said. 

In 2008, Sharp commissioned a survey on copier security that found 60 percent of Americans "don't know" that copiers store images on a hard drive. Sharp tried to warn consumers about the simple act of copying. 

"It's falling on deaf ears," McLaughlin said. "Or people don't feel it's important, or 'we'll take care of it later.'"

All the major manufacturers told us they offer security or encryption packages on their products. One product from Sharp automatically erases an image from the hard drive. It costs $500.

The possibility to wipe drives is there of course and judging by this scenario, that $500 sounds to more then worth it, especially if you work with information regarding drug criminals or medical information from people.

 

The fact that those copiers can just be bought from auctions without hassle even though they have been from police departments or insurance companies like the case has been in this research, to make matters worse these copiers even go to different continents when sold, who knows what happens there to them. 

Quote

The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas - loaded with secrets on their way to unknown buyers in Argentina and Singapore.

 

source:
https://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/

[Deus Voltage]

This is indeed highly disturbing. What I find even more disturbing is the following quote: 

Quote

"It's falling on deaf ears," McLaughlin said. "Or people don't feel it's important, or 'we'll take care of it later.'"

I wonder at times if we already live in a Huxlian interpretation of Brave New World.

[Terryv]

This isn't the first time I've seen a story like this. Years ago there was an extortion case involving data aquired this way in my area.

[mr moose]

Reminds me of that filing cabinet the Aus, government sold, they failed to empty of secret documents first. 

 

People be people I guess.

 

[Sauron]

So yeah, factory reset your printers before you sell them. Duh? Or take the drive out and dump a bunch of 0s on it if you're particularly paranoid.

[yolosnail]

I thought everybody knew this already. The photocopier that I used to use at school saved everything that was copied and who copied it. It even saved any files that were printed to the copier so you could go back to the copier later and reprint a file without having to resend it.

In an environment like a school I think it is a good feature as the amount of times inappropriate things were printed off and stuck around the school and this allows you to go back into the history and see when it was printed and by who. 

What I don't understand is why they need to charge so much money for a feature to delete the copies straight away, surely it's just a setting they have to enable that cost them literally nothing to code in. But then again, they are selling to businesses so like a German car, everything is an optional extra

[asus killer]

it kind of makes no sense to blame the manufacturers for not advertising more the hdd feature when they leave documents on the copier glass. People are idiots.

 

btw not every manufacturer does this.

[Dabombinable]

7 minutes ago, asus killer said:

it kind of makes no sense to blame the manufacturers for not advertising more the hdd feature when they leave documents on the copier glass. People are idiots.

 

btw not every manufacturer does this.

Some person being forgetful doesn't excuse the fact that the photocopiers are storing documents and the complete lack of at least basic security. It's as shitty as that stunt HP pulled with printer firmware.

[matrix07012]

[WkdPaul]

Thread moved to the General section.

 

This is old news, nothing new here.

[asus killer]

40 minutes ago, Dabombinable said:

Some person being forgetful doesn't excuse the fact that the photocopiers are storing documents and the complete lack of at least basic security. It's as shitty as that stunt HP pulled with printer firmware.

it's not a question of forgetfulness, that's my all point. Whenever you sell or just simple hand over tech to someone else ( for repair for example ) you should always be careful of what you're doing. Or even cabinets.

But i agree with you there should be at least a label like car mirrors and i'm not excusing one behavior for the other.

[Dabombinable]

15 minutes ago, asus killer said:

it's not a question of forgetfulness, that's my all point. Whenever you sell or just simple hand over tech to someone else ( for repair for example ) you should always be careful of what you're doing. Or even cabinets.

But i agree with you there should be at least a label like car mirrors and i'm not excusing one behavior for the other.

Either way, the majority of those who own the insecure photocopiers probably don't know that data is being stored-or if they do that its not temporary term storage like RAM.

[Bsmith]

3 hours ago, matrix07012 said:

whoops! looks like I forgot to check dates after this popped up on my twitter timeline

3 hours ago, wkdpaul said:

Thread moved to the General section.

 

This is old news, nothing new here.

thanks for moving it!

[Scheer]

Starting around 2010 or so, most all Sharp models started including a basic data security kit (for free) that simply had to be enabled, even with it being there it is rarely ever used. The models around that time used Intel Atom D525's and there was a few second delay after every copy job while it scrubbed the data that was quite annoying so few people used it. You still have the option of the $500-$1000 add-on data security kit that is much more thorough at scrubbing, but has the same delay and hence is rarely used. The newer models use Atom E3845s and do the data clear much faster so it is becoming more common for our customers to use it.

 

All of the recent models also have an "End of Lease" feature that overwrites the hard drive a few times, clears all settings and the address book, and basically turns it back into a brand new machine. Prior to that, every model has had a way of clearing out all the data, just not quite as easy to use and an end user would never know how to do it as it was a dozen different commands in a service mode. We've only recently started servicing Ricoh and the current models have the End of Lease as well, but I don't know about older ones.

 

Now, the most likely case here is that the end users have a copier service company handling all of this and that company is doing a terrible job securing their customer's data.

 

Its not like the copiers are purposely keeping your documents (unless you tell it to save to the HDD, which is a feature used for documents that you'd print often). This is the exact same thing as when you delete a file on your laptop, it just removes the pointers to that file, the file is still there and easily recoverable until the drive is filled up to the point it is overwritten. I'll bet the same 60% of people, if not more, don't realize deleting something from your computer doesn't permanently remove it either.

[Guest The Viking]

first time I hear about this 

 

but this is only the bulky machines in offices/schools, right? so your home printer doesn't store anything?

[WkdPaul]

2 hours ago, The Viking said:

first time I hear about this 

 

but this is only the bulky machines in offices/schools, right? so your home printer doesn't store anything?

 

non commercial printers and photocopiers shouldn't have storage.

 

Some "prosumer" printers like some (not sure if it's all) HP LaserJet do have small flash storage, but that's usually easy to confirm by opening the side where the board is located.

[Hiitchy]

Well I think hackers are going to be disappointed when some people are using scanners for their derrière.

[Beef Boss]

I'm pretty sure you're able to disable the feature that the printer actually saves documents to the drive, last time I checked anyway. What, you think a printer just prints out documents without temp/perm saving it somewhere?? Most electrical devices nowadays have some sort of computer, crude or very low power, but still a computer. And all computers have some storage device, RAM and a processor. Usually printers, personal ones, just save the document in the RAM. Not print it out as the signal gets received, sometimes I guess.

 

TL;DR Disable the feature that actually saves documents to the printers drive...

 

 

Edit: it honestly pisses me off, people not being trained or knowing about these things. Okay, sure,theyre assistants and doctors but they took training on how to help people and diagnose problems too. Businesses that deal with the personal information of their customers or patients should be informed just as much about the equipment they use and how it works as they should know about their job. 

 

 

It's not like "oh, its not their job to know how these computers work" that's a load of, ahem, shit. If you're using equipment you should have a full understanding of how it works. But no, even government agencies just give surface level training with computers. 

[Yoinkerman]

We like to take the platters out of the drives and use them as frisbees here at work

[Beef Boss]

12 minutes ago, Yoinkerman said:

We like to take the platters out of the drives and use them as frisbees here at work

I used to like bending them, but then I got one that was made of glass... (or some crystal that shattered in a million pieces...) 

[Yoinkerman]

3 hours ago, aki adaki said:

I used to like bending them, but then I got one that was made of glass... (or some crystal that shattered in a million pieces...) 

we've definitely done that on accident too lol

[TetraSky]

Why is this even a thing to begin with.

 

The only scenario I could possibly think of for documents to be retained in the printer's memory indefinitely, is if you print something, lose the original for whatever reason and months/years later need to print it again, somehow.
To be honest, such a feature should have an automatic clean up option after X amount of hours/days.

[Cole5]

Did people not know this? Hell they used this in an episode of Burn Notice in 2011