Digital Photocopiers Loaded with Secrets (2010) (cbsnews.com)
166 points by artsandsci on May 10, 2018 | 56 comments

I've seen a similar mistake nearly being made.

There was a printer (the big, one cubic meter, enterprise type) in a sensitive air-gapped network that was not used anymore, and there was a plan to reuse it on the main network.

It was nearly installed when I saw it and mentioned that these things have hard drives in them to my Security Officer over a coffee.

It was promptly removed after that.

This organization was quite conscientious about this kind of stuff: every disk was labeled, regularly inventoried and crushed in the presence of the Security Officer when not used anymore.

But these printers can easily be mismanaged as people don't realize they are basically computers that see tons of information.

That seems like a highly unusual organization in terms of how well it manages its security and how seriously it takes it. Does it specialize in it?

If you are touching sensitive systems, like military infrastructure, nuclear power plant, law enforcement, banks, it's not uncommon at all.

In some cases, mostly governmental stuff, you can be personally liable if you accidentally misplace documents or other sensitive pieces of information (like spending a few years in prison).

> from Affinity Health Plan, a New York insurance company, ... we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

> As for Affinity Health Plan, they issued a statement that said, in part, "we are taking the necessary steps to ensure that none of our customers' personal information remains on other previously leased copiers, and that no personal information will be released inadvertently in the future."

For comparison, per https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf - "As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals."

Of course, any single breach of a copier would be limited to the individuals whose documents touched that copier, and might come under this threshold. Affinity is not on the list at the moment - this may be because the news only just broke.

But do the regulatory bodies say "Affinity, you were found to not have a procedure for properly disposing of copiers, so we need to assume that you've leaked health information from EVERY disposed copier historically?" Only then would it be treated with the same seriousness that e.g. HIPAA-compliant SaaS services are expected to treat security. Just because copier hard drives aren't networked software doesn't mean that they don't have network-scale security problems.


"Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives."

Only just broke eight years ago. Curious...

"One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division."

No comment.

What about personal (home versions) Photocopiers, Scanners and Printers? Did they store similar information too?

Well, probably not, at least for document storage. Although you could take the thing apart and use a Bus Pirate to interrogate the flash chips onboard, to see what goodies are there. My guess is it's just firmware. Storage is still too expensive for a junk consumer model to dump TBs of storage.

Now on an office copier, of course they do that. But that's what the target here is.

If you have a printer, it likely puts the yellow dots on it.

Anyone could provide an answer but barring that do you have one of those magic 8 balls around? It might be more accurate.

> One product from Sharp automatically erases an image from the hard drive. It costs $500.

Storing the images isn't a bug, it's a feature.

This has been known for a long time now. Articles like this pop up from time to time. Competent IT departments pull hard drives before copiers are gotten rid of.

And most of them have the option to secure erase either after every scan, or on a schedule. But it's amazing how few people outside of IT know that most devices have embedded websites, let alone the security implications.

Secure erase of a metal/spinny drive is really not enough. There are data recovery companies who can pull data on metal hard drives from hundreds of writes in the past.

These hard drives should be pulled and re-purposed internally for sensitive information in data centers (to reduce waste), and if they can't be, they should be physically destroyed. (US government agencies shred or melt drives).

Ideally, copier companies should (if they insist on not removing the drives) encrypt them by default. That way when you "wipe" the copier for sale, it just deletes the encryption key from flash memory. Then the bar for data recovery becomes incredibly difficult and you don't have to waste the drive.

That only works on a disk using a format from the 90s. On a modern disk once you overwrite a sector the contents are no longer retrievable. There are no companies that can read a sector that has been overwritten. They can only recover damaged drives and files that have been deleted by the operating system and not been overwritten.

On the other hand, deleting flash memory is very difficult because the controller doesn’t really do what you ask it to do.

These days controllers have secure delete / wipe commands too

> There are data recovery companies who can pull data on metal hard drives from hundreds of writes in the past.

That's great, that means we can store 100's of times more data on the drives than we do!

> There are data recovery companies who can pull data on metal hard drives from hundreds of writes in the past.

This isn't true - if it was, hard drive companies would use that space to store primary data, increasing the capacity of their drives by hundreds of times compared to the competition.

Source for 'hundreds of writes in the past'?

For what it's worth I gave you an upvote because even though your unsourced assertion in the first paragraph is clearly absurd, I liked your message about recycling and agree that an encrypted ring buffer that loses the key on "factory reset" would be an elegant solution to this problem that would not impact other functionality.

The "you can recover overwritten data" thing is a myth. There was a paper that showed a theory behind it (for old drives using a different technology than is used today), but there's no proof anyone has ever actually done it. http://www.infosecisland.com/blogview/16130-The-Urban-Legend...

Yep, and printers should be on their network, with a firewall in between them and end users -- print jobs must go through a print server. An end user device should not be able to communicate directly with a network printer.

Last I knew, most HP network printers still have SNMP enabled by default (with the default "public" and "private" community strings as well) and many (most?) also have exposed web interfaces and the default credentials often are not changed.

Even relatively competent tech people don't realize they can get "pwned" via their printers.

Hey now. Putting strategically-located campus printers in my own /etc/printcap was how I JIT-printed my college assignments back in the day.

This is definitely one of those things that's worth repeating, though. I got to be one of today's Lucky 10,000 (https://xkcd.com/1053/) with regards to this old news.

Why do they store everything?

Not everything, but think of the workflows they are used for:

Printing: They spool print jobs to their hard drive before printing.

Scanning: They create temporary image files for ocr and pdf conversion. These files then need to be emailed to a user or sent via a file server.

Photocopying: Temporary image files are also created. Photocopying on a digital copier is effectively a scan then print operation.

A more apt question would be "why are these files being stored after the device has finished doing whatever it needed to do with them"

Because they weren't overwritten with zeroes.

Then another question: why even bother building in a hard drive large enough to store hundreds of documents? Certainly a circular buffer 1/1000th the capacity would be cheaper?

This makes no sense no matter how many one-line hand-waves you make.

1. Cost. It is (presumably) much cheaper to use the same COTS SATA HDDs that are used in desktop PCs.

2. Since now your copier/printer/scanner/fax/coffee machine has a 500 GB drive in it, what are other ways we can take advantage of that space? Save a copy of every printed document ("for compliance"), e-mail documents straight to the end user, dump scanned documents (PDFs) straight into a network share (or run such a share on the device itself), cost accounting (by user or department or ...), "hold" printed documents in the queue until the user actually shows up at the printer to retrieve their print job (they can quickly/easily "release" it -- prevents other users from inadvertently seeing documents they shouldn't), and ...


Off-topic edit: Right after I wrote this comment, I remembered how years ago it was possible to "bounce" TCP connections off of HP JetDirect devices. I had a cow-orker that was overly paranoid and always had a terminal window open tailing the logs on his workstation. The look on his face and his bewilderment as he watched his PC slowly being port scanned by a 10-year-old printer in a building 60 miles away (but still within our network) was absolutely hilarious.

Yea. Overly paranoid. You guys were surely messing with him all the time. The paranoia was probably justified.

Edit: At one of my jobs I had a coworker that put a program he wrote himself on my computer that slowly ate up cpu cycles until the machine seized up and froze. I always carefully locked my machine and out of "paranoia" I had usb autoplay disabled. That was long before this became standard practice in the workplace. He got it onto my computer remotely by exploiting a zero day flaw he had read about in the vmware driver at the time. Which I was using to get actual work done while he was sitting idly by. He thought it was hilarious. I was let go about a month later when I completed all of my tasks ahead of the delivery date. He ended up getting promoted to a senior position by accomplishing nothing and playing pranks.

At another job, some coworkers impersonated my boss by signing up for a google account with his real name and using that to register to the internal business chat system which apparently allowed that. And, then used it to yell at me with profanity that I wasn't working hard. It led to me writing a polite email to my actual boss stating that I was working hard and the profanity wasn't professional or appreciated. I ended up getting terminated over it. They're still there.

> I had a cow-orker that

I'm sorry if my English isn't that great, but what does it mean to "ork"?

cow orker: n. alternatively: cow-orker

[Usenet] n. fortuitous typo for co-worker, widely used in Usenet, with perhaps a hint that orking cows is illegal. This term was popularized by Scott Adams (the creator of Dilbert) but seems to have originated earlier in a 1997 ScaryDevilMonastery.

-- http://wiki.c2.com/?CowOrker

I'm fairly certain they meant "co-worker"

Some copiers have "mailbox" functionality - I can send a document to "Mailbox 57" via fax or scanning or other method; and then someone from the department that Mailbox 57 references can walk up, type in their PIN code, and get all the documents in their mailbox printed out.

They can usually choose to store the documents unless their allocated space is full; sometimes after 15 or 30 days the old documents are deleted. Of course, if you just unplugged a system and got rid of it, the "delete after 30 days" code would never be run.

Storage density has gone up so much that it's cheaper to get a consumer drive with ~100GB than a specialty drive with 5GB. Even then a full hard drive seems excessive.

I have the feeling that these aren't true hard drives and more likely some type of flash memory. The flaw is that the copiers are probably programmed to manage the memory like a massive ring buffer in order to make things like managing page order easier.

Because it's a Linux machine like the one you have at home, because it's cheaper to use off the shelf everything, including the OS configuration.

1. Because building from commodity hardware is faster and cheaper.

2. It's not hand-waving, that's how file systems work.

Why not only use volatile memory then? That even allows you to have a redial feature.

Maybe because HDDs are much cheaper than RAM. Or if it loses power, it can continue printing where it left off.

They may not; the guy extracting this may be recovering deleted files from the hard drive.

The real question should be "why do all photocopiers not come with a command that will erase all data on the internal hard drive, along with instructions telling the purchaser to execute it when they sell or trash the device?"

The real question is, why do they have hard drives in the first place?!

I find this concept quite disturbing. Imagine how many times in your life you hand over your passport or driver's license for identity validation, someone copies it 'for their records' and you assume the paper copy is destroyed after a while (last time I hired some expensive tools, this happened, but the company gave me the photocopy back when I returned them). Now your private data is sitting on that company's photocopier, probably without anyone having a clue it's made a digital copy as well as a hard copy, and nobody has a hope of controlling it.

I struggle to see a legitimate reason for the existence of such a 'feature'.

I’m still wondering why they have a hard drive and not just RAM.

This is the important question, why is this feature even on by default? Why is it an option to NOT have that feature?

For the same reason most, if not all, copiers and printers embed hidden markings into output - so 3-letter agencies and law enforcement can track documents:


I have to agree. Storing thousands of old documents does not seem like an accident.

The code running the copier likely did an unlink(filename) when done with the job. And once deleted, it looked like it was gone from the point of view of looking at a directory listing of the drive.

Of course the programmer writing the code did not consider all those "undelete" utilities that exist to "undo an unlink(filename) operation" and how they might just be used to recover the files.
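The unlink-versus-undelete point above, as an added example that is not code from any copier vendor or from the commenter. It models a spool partition as a flat block image with a directory table (all names and job contents are constructed): `unlink` only drops the directory entry, so a raw carve of the image still finds the job; `shred` overwrites the blocks first, so the carve finds nothing.

```python
"""Toy model of a copier spool disk, to show why unlink() is not erasure.
Illustrative code; not from any real copier firmware."""
import re
from typing import Dict, List

BLOCK = 64  # bytes per block; constructed small so the image is easy to inspect


class SpoolDisk:
    """Flat 'filesystem': a directory dict plus a bytearray of raw blocks."""

    def __init__(self, nblocks: int) -> None:
        self.media = bytearray(nblocks * BLOCK)   # stands in for the raw partition image
        self.dir: Dict[str, List[int]] = {}       # file name -> list of block numbers
        self.free: List[int] = list(range(nblocks))

    def write(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK)          # ceiling division
        if nblocks > len(self.free):
            raise OSError("spool full")
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.dir[name] = blocks

    def unlink(self, name: str) -> None:
        """What unlink(2) does: drop the directory entry and free the blocks.
        The bytes on the media are left untouched."""
        self.free.extend(self.dir.pop(name))

    def shred(self, name: str) -> None:
        """Overwrite every block of the file with zeros, then unlink it."""
        for b in self.dir[name]:
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.unlink(name)

    def listing(self) -> List[str]:
        """What a directory listing (or the copier's own UI) would show."""
        return sorted(self.dir)


def make_job(title: str, body: bytes) -> bytes:
    """Constructed job record format: a header line naming the document, then page data."""
    return b"JOB:" + title.encode() + b"\n" + body


def carve_jobs(media: bytes) -> List[str]:
    """File carving in the style of an undelete tool: scan the raw image for
    job headers, ignoring the directory entirely."""
    return [m.group(1).decode() for m in re.finditer(rb"JOB:([^\n]+)\n", media)]


def demo():
    disk = SpoolDisk(32)
    # Constructed sample jobs, in the spirit of the article's findings.
    disk.write("scan01", make_job("patient_record.pdf", b"blood test results ..."))
    disk.write("print02", make_job("payroll.pdf", b"salary table ..."))
    disk.unlink("scan01")    # "deleted" the way the commenter describes
    disk.shred("print02")    # overwritten before deletion
    # Directory says the spool is empty; the carve still finds the unlinked job.
    return disk.listing(), carve_jobs(bytes(disk.media))


if __name__ == "__main__":
    listing, carved = demo()
    print("directory listing:", listing)
    print("carved from raw image:", carved)
```

Running it shows an empty directory but `patient_record.pdf` carved from the raw image, while the shredded `payroll.pdf` is gone; this is the gap between what the firmware's directory view reports and what a drive pulled from a returned copier actually contains.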

Probably they have a "redial" feature, which lets you reprint something again.

It's a software problem. The data should be wiped from the hard drive after a certain time period, in my opinion.

A better solution (which could be used in addition to periodic erasure) would be to store the data encrypted, and hold the key in volatile memory. Reliably erasing data from hard disks (particularly if they're SSDs with their own controller) is a tricky business. There's little to stop someone just removing the disk from the machine and getting hold of whatever was stored on it at the time, or improperly disposing of it if the machine breaks.
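The encrypt-and-hold-the-key-in-RAM design proposed in this comment (and the "factory reset deletes the key" variant raised earlier in the thread), as an added example that is not code from any copier vendor or from the commenters. The on-disk store is a dict standing in for the drive; the cipher is a SHA-256 counter-mode keystream with an HMAC tag, used here only so the example runs on the standard library, where a real device would use AES-GCM or XTS from a vetted library. All sample page contents are constructed.

```python
"""Crypto-erase for a copier spool: pages are written encrypted under a key
that lives only in RAM; factory reset zeroes the key, leaving the drive's
contents unreadable. Illustrative code, not from any real copier."""
import hashlib
import hmac
import os
from typing import Dict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Demonstration only; not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedSpool:
    def __init__(self) -> None:
        self._key = bytearray(os.urandom(32))   # held in volatile memory only
        self._destroyed = False
        self.media: Dict[str, bytes] = {}       # stands in for the hard drive

    def store(self, name: str, plaintext: bytes) -> None:
        if self._destroyed:
            raise RuntimeError("spool key destroyed")
        key = bytes(self._key)
        nonce = os.urandom(16)
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        self.media[name] = nonce + tag + ciphertext   # only ciphertext touches the drive

    def load(self, name: str) -> bytes:
        if self._destroyed:
            raise RuntimeError("spool key destroyed")
        key = bytes(self._key)
        record = self.media[name]
        nonce, tag, ciphertext = record[:16], record[16:48], record[48:]
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("spool record tampered or wrong key")
        return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))

    def factory_reset(self) -> None:
        """Crypto-erase: zero the key. The ciphertext stays on the drive but is
        now useless to anyone who pulls the disk."""
        for i in range(len(self._key)):
            self._key[i] = 0
        self._destroyed = True


def demo():
    spool = EncryptedSpool()
    page = b"cancer diagnosis: constructed sample page text"   # constructed
    spool.store("scan01", page)
    readable_before = spool.load("scan01") == page
    # A raw search of the drive image (what a carver would do) finds no plaintext.
    plaintext_on_disk = page in b"".join(spool.media.values())
    spool.factory_reset()
    try:
        spool.load("scan01")
        readable_after = True
    except RuntimeError:
        readable_after = False
    ciphertext_still_present = "scan01" in spool.media
    return readable_before, plaintext_on_disk, readable_after, ciphertext_still_present


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False, True)
```

The point the comment makes is visible in the last two values: the record is still physically on the drive after the reset, but nothing can turn it back into a page image once the key is gone, which is why a crypto-erase does not depend on the disposal process overwriting every sector (or on an SSD controller honouring the request).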

Fax machines used to leave copies of everything on the roll/ribbon/drum/whatever too. Especially the ones in sealed plastic were often just a giant roll of carbon paper with everything you've ever sent/received on it.

Wouldn't the carbon paper only have everything you've received?

Good catch.

Worth noting that NIST has published a brief report[1] providing risk management guidance on this security concern.

[1] http://dx.doi.org/10.6028/NIST.IR.8023

Given this is from 2010 perhaps people should look at current practices before freaking out.

Almost all modern copiers employ some kind of disk encryption, so this issue has largely been resolved.


It's from 2010.
