«
»

A while back, CBS News ran an “exposĂ©” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is being run around the internet again, though, so let’s take a few minutes to formally debunk it.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

  • Digital copiers contain hard-drives – True.
  • The hard-drive keeps a copy of the documents being copied – True.
  • The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes there are images on the hard-drive but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
  • The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even half-way on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

  1. If your company does not keep copiers on their IT asset list, they should. (Though they should primarily because of the risk of an unpatched OS.)
  2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.

Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to it’s highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab but it will frustrate the 13 year old who pulls the drive out of the trash.

This entry was posted by Mike Rossander on 2010 July 22 at 09:59 under Cybercrime Trends, privacy. You can leave a response, or trackback from your own site. Follow any responses to this entry through the RSS 2.0 feed.

One Comment

  1. John Juntunen says:

    Wow, did you miss this one. “Poor man’s disk wipe”. In case you didn’t know copiers store images of copies, prints, scans, emails and fax jobs. New copiers have 40 -80gb hard drives and we routinly recover thousands of documents and most are not from the last few days of the copiers life. These can not be easily cleared by overwriting with other copies or prints and you can’t just pull the hard drive and wipe it clean either. The hard drive contains the firmware and code required to run the machine. Since 90% of copiers are leased and the machine must be returned in working order any attempt to clean the hard drive could be costly.

    You were right that not ever copy is stored and there is a finite area but they can hold tens of thousands of documents. Simply running copies of your cat or the phone book isn’t going to clear this information. You would also have to print and scan pictures of your cat.

    Your recommendation to put the copier under the IT department and make policies that contol the return of the copier is very important, thanks for mentioning it.

    What about this statment “Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers”. One page of persons medical record left on a copier could cost a company $1.5 million, or in the case of the insurance company in the CBS story the cost of sending out 406,000 breach notifications. This company had 17 machines and only one of them ended up on TV. There are many laws that cover release of employee and customer confidentional information. There are currently 46 states that have breach notification laws on the books and most have very stiff penalties.

    The new copiers have capabilities, that are either standard or available as an opiton, that will clear the hard drive but these features were not available on earlier machines (2002-2007) and these are the machines that are being traded in today.

    If you need more information call me.

    2010 July 30, 12:13

Leave a Reply