
What Secrets Can Your Printer Tell?

So my work life has started to find its rails again, and I’m going to start posting again, albeit at a reduced rate for now. Today, we’ll start with an interesting topic that crossed my mind last night.

It was actually a combination of things really; first I got an email from the Security Controller at one of my clients. Along with everyone else working in a certain building, I was reminded that I shouldn’t leave protectively marked documents on the printer tray. The email was quite helpful, and went on to include a how-to on setting a job not to print on the printer until you typed a 4-digit PIN into the printer. Great.

That got me thinking: that would imply that the printer stores your document, which, in this case, would be protectively marked. This in turn would mean that the printer would be in scope for the various regulations and measures; and as it would be stored on the printer’s internal hard-drive/memory, this too would need to be encrypted. This got me thinking; I wonder how many people/companies actually think about this when getting rid of a printer. As printers get smarter and smarter, they start including permanent internal memory, and in some cases even hard-drives. Do the companies we use to scrap our end-of-life kit bother wiping these with the same keenness as they wipe the computer’s drives?

With these questions still fresh on my mind, and the intention to do some research on the matter, I went home. Unfortunately, at home one of my older printers had run out of ink (or ribbon to be accurate). This is an interesting piece of kit, because it allows me to print straight onto CR80 cards (membership cards, ID cards, etc). This has come in handy a good few times when doing a social engineering type test as part of a larger pentest. Most employees are told time and time again not to let strangers tailgate into the building. Or that no-one can come in without displaying a card… some will even contest a tailgater, albeit rarely. Almost none will complain when the tailgater whips out a card, duly copied from an original (“group picture” anyone? Modern high resolution cameras can do wonders…) and says his ID doesn’t work.

Anyhow, pentesting aside; I decided to try an old trick with ribbon printers; rewind the ribbon! The quality suffers, and anywhere that you printed previously won’t print, but as I just needed to print a few font-test cards, I didn’t mind. As I rewound the ribbon, I realised that I had bought that ribbon with the printer, and that it had clearly been used by the company that owned the printer before me. As I scrolled, I saw my fair share (the ribbon does 440 prints) of membership cards for a large company in West London. Admittedly, the pictures were split into CMYK, but I’m sure that if I was inclined that way, I could scan them and recompose them quite easily. I would then have had pictures, names, a membership number and level. Nothing too serious in this case, but if I were a client of theirs I wouldn’t be too pleased. Also, as I got through the ribbon, I started seeing what looked like employee ID badges…

I was tempted to call the company and ask them how they scrapped their printer, and if the company they used actually offered any form of guarantee as to deletion of data… I decided against it, in part as it was late at night by then, and in part because it wouldn’t be right… though I did make a mental note… should I ever have them on my client list, that’s something that needs reviewing!

Oh, and in case you were wondering – I did manage to print what I needed… albeit the quality wasn’t as good as I had hoped… a new ribbon is on its way, and the old one went through the shredder… just in case!

M.
