Copier security woes: It’s the vendors’ fault
May 18, 2010 by Steve HannafordPosted in: Dealers & Channel, In this week's e-newsletter, Security
Stories about companies leaving confidential files on their used copier-multifunctionals (MFPs) have caused a big buzz lately, and we’ve followed suit on this site (see here and here). But are those security problems really the companies’ fault?
In many of these stories, the responsibility is placed squarely on the company that was dumb enough to leave critical data on the hard drive. Companies and government agencies are berated for not even knowing that there is a hard drive on their machines and for allowing it to leave their premises without being thoroughly “scrubbed.”
But the culprits, in our mind, are the companies who manufacture and sell the copier-MFPs. Hard disk drives are a relatively recent phenomenon in the copier market. They serve three functions:
- they can hold productivity software for features like accounting, workflow and data conversion
- they can increase scratch memory to temporarily store jobs that are being copied, printed, scanned or faxed, until they are output or sent elsewhere, and
- they can be used as a file server (what some companies call a mailbox system) for storing documents by group or user.
As far as productivity software, there is no major security issue, in most cases. Though we’ll discuss below whether a hard disk drive is needed for them.
But scratch memory is another issue entirely. Most copiers still have under a gigabyte (1GB) of RAM. In fact, many offer only 256 or 512 megabytes (and charge you plenty to upgrade). By contrast, even a budget laptop these days comes with 3 or 4GB of memory. Memory is cheap — you can get a 4GB flash drive for under $20, retail. So why don’t copiers have 4 or 8GB of RAM built-in? That would be more than enough memory for any but the most enormous jobs, something that a normal office would never be likely to use. Conclusion: There is absolutely no reason that a hard disk drive on the copier-multifunctional be used for scratch memory.
And as for using the hard disk for data storage (an add-on feature for many copier-multifunctionals), what a bad idea! First, if you have a real IT department in your company, they are already maintaining a real server in the office, and they have set up security, access control and backup systems that they are presumably on top of. Why would you want another data repository on your network that does not easily fit in with your standard tools? Second, what advantage do you get from having the data on the machine, when it can be sent there for printing from the server over your network just as fast? Third, that data is horribly exposed, since it is not likely to be given the same protection and management as the real server. Conclusion: Data storage on the copier-MFP’s hard disk is a bad idea.
Sure, copier companies will sell you packages for scrubbing your hard disk. But the price is usually hefty (around $500 on average), an option that many buyers avoid as a last-minute gotcha. By contrast, excellent commercial disk scrubbing software is available for $50, and there are decent tools available on the Internet for free. Our feeling is, if the hard disk is included, the scrubbing software should be too, and it should be set up to automatically scrub scratch data on a daily basis.
One area where you might want to have some localized storage is with secure print and secure fax features. In those cases, a job gets sent to the copier-MFP, only to be released when the user walks up and enters a password. After it prints out, the file should be zapped automatically (but we doubt that happens).
But the real issue is why have a hard disk drive at all? Even if added software is needed or a secure print function is used, why not just build in a solid disk drive, such as used on an iPhone or other portable devices? And yes, have data scrubbing software included and automatic.
Hard disks on copier-MFPs are dangerous and often unnecessary adjuncts, to our mind. And they are even worse when they are included in a sale with no warnings and no scrubbing software that comes standard. Yes, the companies who turn them in for resale without taking precautions are at fault, but the bigger fault is with the vendors who made and sold the devices.
DocuCrunch.com delivers the latest IT and Imaging news once a week to the inboxes of over 200,000 IT and Imaging professionals.
Click here to sign up and start your FREE subscription to DocuCrunch!
Loading ...
May 18th, 2010 at 4:50 pm
The copier companies are trying to upsell a $500 bug fix. Arguably, most PCs would have this problem but it is more well defined and open source and free software is available to fix the problem. On a lark, you can delete the sensitive files and fill the drive with garbage data which will override deleted portions. With an MFP, 1) who the hell knows where the hard drive is 2) will its damage or removal violate your lease at expiration, 3) who sells software that will scrub it? It is not an open computing platfrom, AFAIK, the vendors ought to fix this problem of their creation. Koodos to the news organization for spreading the word.
May 19th, 2010 at 11:02 am
Blah – the idiots who were given the authority to drop big dime on an expensive copier didn’t take time to figure out what they bought and the additional responsibility that comes with owning it.
Do you really think these same people would figure out the scrubbing functionality is there and could be counted on to run it properly; remember these are the same people who didn’t know what they paid for in the first place.
May 19th, 2010 at 1:21 pm
Wow, the deflection of responsibility here is amazing.
Should all Laptop manufacturers include a “zap” program to eliminate data once your finished using the laptop? How about the Servers, or Desktop PC’s?
Lets face it, anything that you integrate into your enterprise should have a security plan attached to it. That includes solid state devices as well (like firewalls, WAP devices etc.). The data is the responsibility of the creator of the data or holder of the data (i.e. the company that uses the device). Neither the Vendor nor the Manufacturer can predict the type and sensitivity of the data. Why hold Printer and MFP manufacturers or vendors to a higher standard with their devices. The fact that they have an application or add on to solve the issue is commendable. The closest you can get with a leased Server is an additional cost item that will allow you to keep the hard drives after the lease. How is that any different than charging for an active data security measure? Sounds like too much CYA and not enough ownership of your data to me.
May 19th, 2010 at 1:31 pm
Toshiba’s newest MFPs has an encryption code built into the machine so that anything written to the HD is encrypted. Also, before the MFP leaves the premise there is another code built into the machine that will wipe clean the HD of everything, done by a service tech, and then the tech reinstalls the basic opsys to make the machine functional again. On older MFP’s the client can purchase a device to be put on the machine that will scramble everything written to it so that nothing can be read. The client has the final say on whether or not to enable these features.
May 19th, 2010 at 4:38 pm
Oh, I nearly forgot. since I am throwing my 2 cents around, here are 2 more…. “Hard disk drives are a relatively recent phenomenon in the copier market”. Really? What do you consider RECENT? we had one in 1995. They have been widely used in MFP’s and printers since 2002. 8 years is more than “a recent phenomenon”. 8 years to figure out how to manage that device? WOW, remind me to never seek your advice or expertise on anything in my enterprise. If it took me 8 years to figure out what I was dealing with I would be un-employed.
May 19th, 2010 at 5:07 pm
The key phrase is *relatively* recent. Copiers have been around for 60 years, so compared to that, 8 years is fairly recent.
I can’t blame general office personnel for not knowing that their copiers contain a hard drive. Heck, I still deal with people that point to the PC on their desk and call *that* the hard drive. They are smart people but remain baffled by technology. Expecting them to know that their copier contains a hard drive, much less that it needs to be scrubbed, is not reasonable. Yet they are often the ones responsible for the selection and installation of a copier, outside of an IT department. Sometimes there *isn’t* an IT department at all (the copier sold to a small business, for instance). In such cases, the responsibility needs to fall on the vendors, resellers, and consultants involved, since they are the ones being paid to be the experts.
Now, if a corporate IT department is in charge of these devices, then absolutely they bear the brunt of the responsibility of fully understanding the device and taking the necessary steps to scrub it.
I agree though… the deflection of responsibility is amazing! Bottom line, there is plenty of responsibility to go around, and *everyone* involved shares a piece of it.
May 20th, 2010 at 9:02 am
I am a network technician that installs and sets up these MFP’s. I always work either with the clients IT personell on this, if they are there. Either way, in explaing the operations – print, scan, fax, etc. – I always explain about the HD on the MFP and it’s use. I advise them not to use the HD as a depository for anything unless they back it up on a regular basis, just like a PC. I also let them know about the security issues and give them the opportunity to choose what they want to do.
Many don’t care and there are quite a few who will either purchase the HD when the MFP is taken off site or they will want it scrubbed clean, which we will do. I’ve done as many as 20 HD’s at a time and we provide a report on the scrubbing for the client to keep.
Basically, at least at my dealer, we have been talking about the HD issue with our clients even before the report on TV or before it became an issue here on the Internet. Either way the client has the last say on what they want done…
May 20th, 2010 at 9:30 am
Ok Dan, I will concede your point with regard to the use of “relatively”, and seat belts are “relatively” recent to Automobiles (first auto in 1770, seat belts just since the 1950′s) and people still don’t use them….
I guess I still don’t see how the use or disposition of Data could be the responsibility of the Manufacturer or Vendor. I will fully support your statement regarding the plight of decision makers and their inability to grasp technology. They often will not listen when told, or simply don’t understand what they are being told. That does not eliminate their responsibility. If you get pulled over by a cop and say “I didn’t know it was illegal to make a U turn” they don’t just smile and say “well my fault for not telling you first”, they give you a ticket or at best a warning.
Lets not stop with data, how about someone that uses a color device to duplicate currency? Does the vendor or manufacturer get prosecuted for counterfeiting? How about someone driving a car at 100 MPH in a 50 MPH zone, should we go after Ford for making a car that can break the law?
If *I* do these things, *I* could have a negative consequence.
Equally, a technology vendor has no responsibility for the data that may or may not reside on a device they sell. People need to take responsibility for their data. I do believe that a technology partner should make every attempt to educate the user of the technology so that they can be empowered. They should also (if they are smart) offer market solutions to the problem.
May 20th, 2010 at 10:02 am
My largest account 1000 units tested the MFP before putting it on there network. They had US lock down any storage on the hard drive and put overwrite feature on the unit. They were prepared for
the MFP. Many account paid no attention to the HD risk till its on TV. Sorry leaving rape documents
on the glass is not the vendors fault. Now we have clients upset about HD blaming the vendor when
they never read what they were buying and where is goes when that are done with it. PS they the clients are all just trying to get the lowwest cost. They beat it out of the vendors.
May 20th, 2010 at 1:57 pm
To me, it’s about education. *IF* the vendor has made reasonable efforts to educate the consumer about the risks, then that absolves them of responsibility. What I was trying to say in my original post was that you can’t expect the consumer to know enough to *ask*. They have to be *told*. Probably repeatedly. Possibly involving a stick.
So that’s really the question. Is education occurring? And is it “reasonable”? That’s where the traffic ticket analogy is different… you read the manual, passed the test, and can presumably read the big black and white signs that say “No U-Turn”, so I think it’s reasonble for the cop to conclude that you probably knew better than to make a U-Turn.
The CBS story is interesting, and sensational (“wow, *every* one of these copiers had data on it, that’s 100%!!!”), but it was not very scientific, and may or may not indicate the state of the industry as a whole. Go look at more vendors and more copiers. *Then* we can decide how the industry is doing. It may not be as bad as the story makes it sound.
May 21st, 2010 at 12:45 pm
I have two major issues with your angle on this important topic.
First, you probably also think that it’s McDonald’s fault if you get fat from eating Big Macs, fries and shakes.
Second, I hope that next time you will get some assistance from someone who understands the technology so you can get your facts straight.
– PStevens, MCSE, MCNE, CDIA+
May 26th, 2010 at 10:40 am
I do believe that the fault is shared. I have never had a copier vendor explain that the hard drive would be used for scratch memory. They do explain that we could save documents to the hard drive for multiple usage. We do not use that function. If I knew that documents would remain on the hard drive after just printing, faxing or, scanning (not saving) then I would have asked about how to scrub that information. Once a company finds out about this feature then it becomes that company’s responsibility to scrub the info before getting rid of the copier and the vendor/lessor should obtain a release of liability if the copmay chooses not to ahve it scrubbed. But if a company never knew about this function then it is the vendor’s responsibility to scrub it after it receives the machine back. If they did not obtain a release of liability for what remains then they are now responsible for it.