Digital copiers

Re: Digital copiers

I can speak with a little authority on this as I have a dozen copier hard drives on my desk right now going through recovery.

The building our local hackerspace is in had a tenant below that was a copier repair place. They moved out in a huff and left dozens of copiers which the landlord turned us loose on the, for parts. As part of that, all the units with hard drives were stripped and saved for me.

Most of them are around 2007 and certainly not the fanciest units but they had 2-10 gig drives.

So far some of them are blank (not sure why, yet), but those with data seem to be mostly buffer rather than full on storage. My experience has been that you can stick a stack of documents into the feeder, it will scan and buffer the documents until you decide to copy, fax, send to server, whatever.

Most of the docs are damaged, but readable as jpgs or gifs. Print jobs sent to it usually are spooled as postscript files.

Different units have different features, but on the predominantly canon units I've got drives for, the data gets overwritten so often, the retention is fairly low so you won't have thousands of docs, but hundreds is a distinct possibility.

Oh, and in case your wondering, I'm doing the forensics for practice but also to get real world data for a talk next month which will involve a sledgehammer on stage with predictable ends.

Re: Digital copiers

So are there any OS/program files worth worrying about, or does it seem to be embedded on the motherboard as g3k_ believes?
Renderman, the Gallagher of Hacker Talks.

Re: Digital copiers

That was my suspicion. I got most of my info from bullshitting with the copier tech when he came, but I never asked about the buffeting. The machines in my office did allow you to save documents on the copier itself, and it was a web server. The brass made us save printed documents in case of abuse, so I'm sure there is all sorts of goodies to be found. (at least at my old job)

Re: Digital copiers

Yaay!! More Defcon talks need sledgehammers.

xor

Re: Digital copiers

These ones seemed to have the OS on the board however they appear to have had an embedded web server as well, with the resource files (html, images, etc) on the hard drive.

Each copier is going to see different uses and most people dont use all the features. Most of these seem to have few if any images stored to the hard drive intentionally, but I'm sure others are full.

At any rate, the point the article and I are trying to make is that any storage medium in an office should be treated appropriately at the end of it's life and wiped properly. This presents an interesting problem when it's a lease unit and as people noted, you have to return it in working order. Considering some of my clients, I'm already wondering if they can negotiate some sort of verifiable wipe at the end of life into the contract.

Re: Digital copiers

I am definitely going to be checking with that on our new copier on tuesday. It something I really hadn't thought about much when we got rid of our last one, I know we didn't keep anything on it intentionally, but it may have had files cached to it and then deleted during the normal course of operation.

Re: Digital copiers

http://www.scribd.com/doc/31140095/D...gpql07ocqqif4s

So for Canon MFDs you can initialize the hard drive with a single pass of all zeros unless you purchase the "Data Erase and Data Encryption" module.

Digital MFDs have always been tons of fun on penetration tests. I've found everything from password spreadsheets to insurance claim forms on them. A lot of times they are capable of hosting SMB shares and FTP for document sharing.

Re: Digital copiers

A lot of them also have snmp on them :3 They are pretty robust devices, but so insecure D:

Re: Digital copiers

A few of the drives I have appear to have had that done. No partition, no nothing. Still digging, but from initial hex dumps it's more than I can easily retrieve. That said, how many people know about these things and how many would actually use it before sending it back at the end of the lease?

Re: Digital copiers

After the CBS story aired, the Desktop Support Manager out here came by and asked me about this. She's directing her techs to run this for any MFDs they return (leased). If nothing else, I'm very happy it's raising awareness of the risks.

Re: Digital copiers

I don't know if I should be the person saying this (Being new and insecure to forum posting as of now), but this was a pretty legit Pen test\ Corp Esp tactic, I am pretty sure trying to get a "Rogue Copier" into an adversaries bastion was one of the things we (More credit to my friend, for both being the owner of the firm and tight enough to hand me a summer job) would try and do. No one really checked those things, it was kinda ridiculous, 3 factor authentication to enter the room ousted by a couple of benjamins to the janitor and well... it is even returned in ready for documentation format (Sucks for the janitor if they figure out who it was, or just mass fire the entire crew). I honestly thought this was like 2003.... guess I manage to fail in my own way. Prints we obtained were exact shadow copies, internal memos, FYEO, it was a sweet summer gig. Now back to realizing I have less than 10 total posts.

Re: Digital copiers

Its too bad I just saw this post, or else I would have chimed in earlier. You could say "I work with copiers." As a contractor, we get into many places. And I am not surprised that the copiers or MFPs keep copies of everything... but I am surprised that it made it to the news. 1/2 of me says "way to go, now you've let a lot of people who would want to take advantage of this know about it." The other half says "good job, but now lets see if companies who use MFPs and companies who make them do anything about it, BY DEFAULT.

At some of our locations, there are special configurations - such as after a print, the file is destroyed on the HDD. One place that does this sort of thing is a aero-xxxxx industry company. Working in places such as that one, you have to get a BG check and subsequent clearance. Many people have not been able to get that position because they don't clear the BG check OR they aren't satisfactory to the client.

But it is really an issue that should be dealt with. I've learned to write a program for my needs to query all devices on the network and have been taken aback with how little or no security the copiers have. A lot of them don't even have their default passwords changed! How's that for an attack? Like the talk at almost last years DC on getting into routers using the default username and pass. So it's only a matter of time until something REALLY happens...

But I honestly think, for the moment, only companies will really take advantage of this little problem (corp esp as someone else brought up). But as the intertubes get more and more locked down, and its "somewhat harder" for people to steal peoples info, this is a really great attack avenue to take. ESPECIALLY if you start loading your own firmware... oh yeah that's where the good stuff comes in

Re: Digital copiers

So, to update things. The story of my data recovery has been provided at a stupid large number of privacy conferences over the last few months and its been interesting.

Up here in Canada it seems that the privacy community is aware (at least recently) that this is an issue. The issue seems to be with legacy (machines decommissioned before the issue was known), apathy (no one cares until it's to late) and general disconnect. The last one is where the privacy personnel know the situation when a device is installed, but are not in the loop when a device is decommissioned and those (generally IT) who are responsible, don't know or think about it until it's too late.

I recommend to my audience that they put stickers on things to warn the future to be responsible with the device. This should also extend to smartphones and anything else with more than a 2nd grade science fair electrical circuit.

One of the drives was from a school and I finally got a call from them in October, however the timing sucked and I asked them to call back. They have yet to do so. Shows how much people care doesn't it.

Re: Digital copiers

Yeah, not surprised they don't care... until they have a lawsuit in their hands. But that is how it generally happens. Look at toyota's refusal to act on 'well known issues.' Now they are sending out all the recalls they can!

Re: Digital copiers

hmmm... wonder if we can rootkit it