Tales from the copy room

It wasn’t long ago when the biggest security issue in the photocopier industry was how to keep randy employees from scanning body parts. But times have changed. A new generation of jazzed-up office copiers can scan documents, send faxes or e-mail, and store reams of document images. The new networked machines are akin to modern desktop computers and servers, which makes them more vulnerable to predatory hackers.

Security vulnerabilities in advanced copiers (known within the industry either as multi-function printers or multi-function devices) are as old as the systems themselves, says Larry Kovnat, a systems security program manager at Xerox. Among other things, malicious hackers or company insiders have found ways to manipulate technology such as the PostScript scripting language (used by many multifunction devices) and have written exploits that let them take control of the devices, he says.

The increased use of embedded operating systems in these machines – including versions of Microsoft Windows – also means that copiers can be infected by vulnerabilities more commonly associated with computers. For example, last year Xerox had to issue a patch for some of its DocuColor office printers that were vulnerable to the MS Blaster worm.

While organizations are eager to take advantage of the advanced features in high-tech copiers, most IT personnel have yet to wake up to the complexity of these devices, says Vince Jannelli, senior product manager at Sharp Document Solutions of America.

A 2001 survey of IT professionals conducted by Sharp found that while 55% of respondents claimed to have a role in network security, more than 75% were unaware that office copiers are now digital multifunction devices with hard drives that can store images of anything copied, printed or faxed.

Copier companies have begun adding features to the machines to protect sensitive data that’s exposed on hard drives, RAM or flash memory within copiers.

Both Sharp and Xerox offer functions to electronically “shred” data stored on copier hard disks after copy jobs are complete. Other features that are available are firewalls and security options between fax and networking functions, improved auditing of user access to copy machines, and secure network interface cards that limit access to a copy machine’s configuration settings from the network and disable support for unneeded protocols such as Telnet and FTP.

In the end, securing copy machines is the same as securing other network devices such as servers and desktops. The best approach is to use layers of security including built-in features, and supplemental products and technologies to provide higher levels of security, Jannelli says.