Does Your Copier Leak?

March 19, 2010

Most of us are pretty well on board for the digital revolution at this point.  We have digital cameras, instead of our old 35mm film cameras.  We have our iPods, rather than our clunky old Walkman tape players, and digital broadcast television.  All of this has brought us undoubted gains in convenience and flexibility, but we rarely consider that the move to make everything digital might have a dark side.

Yesterday, the Toronto Star had an excellent article about a new security threat introduced by, of all things, photocopy machines.  In their original incarnations by Xerox and others, photocopiers basically had an optical system, like a camera, that focused an image of the document to be copied on a special photo-sensitive drum, from which the image was in turn transferred to paper.   Later, the basic process was used again to create laser printers; in this case, the optical imaging system was replaced with a laser that “wrote” the image directly on the drum.  This led to a way of explaining these devices to the technically uninitiated: a copier was just a printer plus a camera, for example.

Modern digital copiers have added many features to the traditional machines.  They can produce copies very rapidly, because they typically scan the image once, store it digitally, and print copies using the same sort of technology used in laser printers.  They also, often, are able to function as computer printers, and some have built-in network connections so that they can be easily shared.  All of this has implications for what’s inside the box, of course: the images have to be stored somewhere, often on a hard disk inside the device.  Network access means, obviously, a network card, and some kind of basic operating system running on a processor inside the copier.

Data thieves have now discovered that discarded or second-hand copiers can be a very fruitful source of confidential information.  Even firms that are reasonably careful about the disposition of old computer equipment often have a blind spot when it comes to what most people mentally classify as office machines:

Even though high-volume photocopy machines with hard drives have been around for more than five years – most large offices today would have them, the kind that photocopy 35 to 60 pages a minute – people rarely think of them as computers, said University of Toronto computer science professor Graeme Hirst.

“Modern, large, office-type photocopiers are computers. The whole system is controlled by a computer, it has a hard disk. It scans images and they are stored on the disc,” said Hirst. “They are also networked computers, and they have all the same security issues that a computer does, so all the same security issues arise,” he said.

Someone with a laptop and physical access to the machine can, in most cases, easily connect to the copier and retrieve copies of documents from the disk.  More elaborate hacking is also possible, especially if the machine is connected to a publicly-accessible network, even from a physically remote location.

The activity of photocopiers linked to an unsecure network can be seen and tracked online. With a few clicks of a mouse, and no knowledge of how to hack, we could see the latest activity of a photocopier in Korea, which included copies of invoices and employee expenses.

It really makes no sense to have a strict security policy for your office computers, if the photocopier is down the hall passing out information to anyone who asks.  These machines, like PBX equipment, need to be secured with the same care that the computers get.

%d bloggers like this: