Watching the CBS report on how documents are being stored on copier hard drives was confusing to me. I decided to investigate the state of security on these multi-function peripherals for myself.
I recently read an article by Bill Detwiler, Head Technology Editor for TechRepublic. It was an interesting piece about a CBS News report by chief investigative correspondent Armen Keteyian titled: “Digital Photocopiers Loaded with Secrets.” The CBS article also had the following tag line: “Your office copy machine might digitally store thousands of documents that get passed on at resale.” What immediately caught my eye was the word might. Well, do they store information or not?
According to the video and John Juntunen of Digital Copier Security:
“Nearly every digital copier built since 2002 contains one of these, a hard drive. Like the one in your personal computer; it stores an image of every document scanned, copied, or emailed by the machine.”
My multi-function peripherals (MFPs)
I am responsible for several networked Multi-Function Peripherals (MFP). So, I started doing my homework and, needless to say, it was harder than I thought to get to the bottom of this. It was time to bring in the experts. I called Marco, Inc., the company we lease our MFPs from, to see if I could learn anything. I talked to Dale Evens, Marco’s veteran DS service manager.
Evens explained that the brands of MFPs they sell or lease do not store images by default. He pointed me to a Konica Minolta document where Kevin Kern, Senior VP of Marketing for Konica Minolta Business Solutions USA, responds to the CBS News broadcast:
“A recent CBS News broadcast raised the issue of security of hard drive data in digital multifunction products. Konica Minolta would like to assure you that we are a leader in the area of MFP security. Our MFPs can ensure documents that are copied, scanned, faxed or otherwise transmitted do not remain stored on the hard drive or in DRAM memory as a standard feature.”
Data security kits
In my research, I noticed that several other MFP brands had similar statements. But, they still offer an optional data security kit that provides the following services:
- Encrypts all data prior to being stored in DRAM
- Encrypts all data stored on the hard drive
- DRAM is cleared after copy, scan, and print use
- Runs automatically without user initiation
- Provides overwriting routines to make deleted data irretrievable
Why would you need data security kits if no digitized data is retained?
I asked Mr. Evens about this. He mentioned that businesses typically enter sensitive information into the MFP’s address book. Names, email addresses, and fax numbers are some examples. Also, MFPs have the ability to create document servers where employees can save printed, scanned, or copied documents.
I asked Mr. Evens if there were any other concerns that we should be aware of. He provided some interesting insight that I would like to share:
- Physical access: Think about who has access to the copier; employees, customers, and service technicians (genuine and imposters). If sensitive information is stored, it needs to be protected.
- Network access: Mr. Evens mentioned that most MFPs use proprietary operating systems, which makes them fairly immune to exploitation. But, it is a good idea to check the National Vulnerability Database for any problems with your specific brand of MFP.
- Web-based configuration: Most MFPs have a web interface for configuration and access to the address book. It is usually pass-word protected. Make sure it’s not the default password.
- Public MFPs: Mr. Evens advises against using any public MFP or copy services like FedEx Office if the document to be printed or copied contains sensitive information. It is impossible to know how the MFP is configured and whether it is saving a copy of each digitized document.
Best practices for securing MFPs
One thing became clear as I looked at what the various MFP manufacturers considered appropriate security. MFP physical and digital security should be folded into the company’s IT security policy. To that end, let’s look at what manufacturers consider important:
- Meet industry certification: When deciding what brand and model to lease or buy, make sure the device meets industry security standards. Two prominent certifications are ISO 15408 Level 3 Certification and IEEE-2600-2008.
- Ease-of-use versus security: Company management must decide what access controls to use if any. Access controls typically consist of user authentication, account codes, and password protection.
- Data security kits: As mentioned in the CBS News video, MFP distributors need to inform customers about data security packages and their importance. If there are any security concerns, using a data security kit will address them.
- End-of-Life considerations: When buying or signing a lease for MFPs, determine what should happen to the hard drive at end-of-life. Typical options are; destroy the hard drive, keep it on-site, or have the MFP distributor scrub the hard drive using an approved process.
Whether a particular MFP saves every digitized document or not appears to depend on the brand and how it is configured. It took some effort, but I found out the MFPs I’m responsible for do not retain images by default. That’s good; now I am going to make sure management understands what information is readily available on the MFPs and how to protect it.
A special thanks to Marco’s Dave Evens for answering my questions.