Using Your Photocopier to Share Data…

Via Charles Arthur’s Overspill, an interesting story about Digital Photocopiers Loaded With Secrets, telling a tale of how you can buy scrapped photocopiers for their hard drives and then trawl them for data, as you might do with old office computers, or phones…

A quick skim of the Xerox website turns up a photocopier product line listing that includes details of whether a photocopier includes a hard drive, along with some general guidance information:

Security Features

Jobs may be written to nonvolatile memory (e.g. to a hard drive) during processing. Generally, when a job finishes, this data is deleted, but may still be recoverable using forensic tools. Image overwrite is effective at eliminating this job data from the hard drive once the data is no longer needed. Xerox also scrambles the data with the user data encryption feature.

This further protects data at rest from unauthorized access. Xerox recommends that the following features be enabled.

Fortunately, countermeasures are built into products to reduce this risk.

• Immediate Job Overwrite or Immediate Image Overwrite is a feature that deletes and overwrites (with a specific data pattern) disk sectors that temporarily contained electronic image data. Products that use hard disk drives to store job data initiate this process at the completion of each job. … This should be enabled (and is by default on many products).
• On Demand Image Overwrite is a manually initiated (can also be scheduled) feature that deletes and overwrites (with a specific data pattern) every sector of any partitions of the hard drive that may contain customer job data. The device will be offline for a period of 20 minutes to one hour while this completes. [Makes me think of coffee machine self-clean cycles, –Ed.]
• Disk or User Data Encryption is a feature which encrypts all partitions of the hard drive that may contain customer job data with AES encryption. This should be enabled (and is by default on many products). Encryption can be used in combination with either overwrite feature.

Hard Disk Drive Retention Offering

If the security features built into Xerox products do not meet your security requirements, Xerox offers another alternative.
Hard Drive Retention Offering is a service that can be requested by a customer who wants to retain a hard drive for security reasons. A Xerox technician will remove the hard drive and leave it with the customer.

Things to Remember
• Not all products have hard disk drives.
• Some products have hard disk drives, but do not use the hard disk drive to save document images.
• If a Xerox product is powered off before an Overwrite operation completes, there may be remnants of data left on the drive. A persistent message will appear on the device indicating the incomplete overwrite operation. In this event, it is recommended that an On Demand Image Overwrite be performed.
• Image overwrite features are available for hard drive equipped devices only. Currently it is not possible to overwrite images on solid-state nonvolatile memory.

• NOTE: Xerox strongly recommends the default Administrator password be changed on all devices to prevent unauthorized access to configuration settings.

Xerox does not offer sanitization or cleansing services for returned disk drives.

Many photocopiers nowadays are intended to be accessed over a network (they double up as network printers), and may incorporate a webserver to facilitate that. Which means they may also be a network security hazard. Which is why photocopiers should be regarded as part of the IT estate so that IT can be responsible for regularly checking a vendor’s photocopier security bulletin. (As computers, photocopiers are also susceptible to hardware/processor vulnerabilities.)

PS think also connected vending machines ?!

Author: Tony Hirst

I'm a Senior Lecturer at The Open University, with an interest in #opendata policy and practice, as well as general web tinkering...

%d bloggers like this: