Whenever you scan, copy, fax or print a document, that document could potentially be released to the world. With internet connections built into multifunction photocopiers, a device can potentially be accessed remotely, often over unguarded internet connections. Penetration testing rarely includes faxes, copiers, scanners and printers, and default manufacturers’ passwords provide only a thin layer of security.
“It is becoming the rule, as opposed to the exception, to be Internet-connected. It’s seen as the differentiator,” said Michael Sutton, vice president at Zscaler Cloud Security, on Jan. 12, 2012. “It’s seen as the ‘next-gen’ thing. And sometimes it’s great. It’s a really powerful capability, but very often there’s been no conversation about security before this is done.”
Multifunction devices (MFDs) can be the weak spot in many computer networks and face the same problems as any other computer on a network. The possibilities for breaching security go far beyond identity theft. Photocopiers on a company network are nearly always trusted, so a hijacked copier could act as a beachhead to circumvent the company’s firewall.
Researchers at Columbia University ran a quick scan of the internet and found 40,000 devices that they said could be infected within minutes.
The threat to sensitive information does not stop at unsecured internet connections. MFDs store large volumes of data on integrated disk drives. Unless this information is securely wiped, it can be accessed, allowing sensitive information to fall into the wrong hands.
In 2010, the Buffalo, N.Y., police department sold off some older photocopiers that had reached the end of their life. As part of an investigation, CBS News was able to purchase the machines from a reseller and hack into the hard drives. They were able to download identifying information related to ongoing police investigations.
Companies, agencies and organisations need to lock down their MFDs to ensure data protection, and to include these devices in penetration testing. The simplest way would be to choose MFDs with security software integrated directly into the hardware. When a device is disposed of, it should be professionally decommissioned and its hard drives securely wiped.