Breach Likely Poses No Danger, But Ricoh Notifies Customers
Ricoh’s Australia office has notified banks, government agencies, universities and many large businesses about a curious data breach that, in some cases, exposed login credentials for its multi-function devices.
It’s unclear how the documents – called run-up guides – were exposed to the internet and indexed by Google’s search engine. Ricoh says the leak remains under investigation.
“We are in contact with all impacted customers and are actively working with them to rectify the situation this week,” Ricoh says in a statement. “We apologize for exposing customer information in this way.”
Organizations that purchase Ricoh devices are supplied with a run-up guide that describes in technical detail how a device has been configured, as well as how to update firmware and encrypt the hard drive, amongst many other details.
Most of the documents, which range in date from several years old to earlier this year, contain no usernames or passwords. But a “small number” exposed Lightweight Directory Access Protocol and Active Directory credentials for print configurations, says Melanie Withers, communications manager for Ricoh Australia. Those credentials are used to manage who can use a multi-function device and level of access.
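The exposure described above came from configuration documents that carried LDAP/AD and mail credentials in plain text. A simple pre-publication check catches that class of mistake. The following is an added example, not Ricoh's code or any document from the breach: it scans a constructed run-up-guide-style text for credential fields, reports them and produces a redacted copy. The field names, the sample values and the line format are assumptions for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a device configuration dump.
# Not a real Ricoh run-up guide; every value is made up.
SAMPLE_GUIDE = """\
Device: MP C6503 (serial: PLACEHOLDER-SERIAL)
Firmware: 1.23
Hard Disk Encryption: Enabled (AES-256)
LDAP Server: ldap.corp.example
LDAP Bind DN: CN=printsvc,OU=Service,DC=corp,DC=example
LDAP Bind Password: Example-Bind-Pass-1
SMTP Server: smtp.corp.example
SMTP User: mfd-scans
SMTP Password: Example-Smtp-Pass-2
Admin Password: Example-Admin-Pass-3
Supervisor Password: Example-Sup-Pass-4
Default Paper Size: A4
"""

REDACTION_MARKER = "[REDACTED]"

# A "field: value" line whose field name ends in a credential keyword.
# The keyword list is an assumption; extend it for the vocabulary of your own documents.
SECRET_FIELD = re.compile(
    r"^(?P<field>[A-Za-z0-9 /_-]*?(?:password|passwd|secret|api key))\s*:\s*(?P<value>\S.*)$",
    re.IGNORECASE,
)


def find_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, field_name) for every line that still carries a credential value."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = SECRET_FIELD.match(line.strip())
        if m and m.group("value") != REDACTION_MARKER:
            hits.append((n, m.group("field").strip()))
    return hits


def redact(text: str) -> str:
    """Replace every credential value with the redaction marker, keeping the rest of the document."""
    out = []
    for line in text.splitlines():
        m = SECRET_FIELD.match(line.strip())
        out.append(f"{m.group('field').strip()}: {REDACTION_MARKER}" if m else line)
    return "\n".join(out)


def safe_to_publish(text: str) -> bool:
    """True when no credential values remain in the text."""
    return not find_secrets(text)


if __name__ == "__main__":
    for line_no, field in find_secrets(SAMPLE_GUIDE):
        print(f"line {line_no}: credential in field '{field}'")
    print(redact(SAMPLE_GUIDE))
```

The check is deliberately line-based and conservative: it prefers a false positive on a line such as "Supervisor Password: (not set)" to missing a real bind password, because the cost of a review is small next to the cost of the credential reaching a search-engine index.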
At least two dozen organizations were affected, including the Australian Signals Directorate, the Civil Aviation Safety Authority, Australian Federal Police, Defence Science and Technology, Queensland Rail, ACT Government, NT Government, Deakin University, Charles Sturt University, Commonwealth Bank, NAB, IBM, and Arthur J. Gallagher, an insurer.
Withers says Ricoh has been transparent with its customers and is working with them on remediation based on what information was released. “Clients are aware of this,” she says.
But the leak also exposed a Ricoh practice that some security experts say is questionable, which relates to the management of encryption keys used to scramble data on multi-function device hard drives.
What’s the Risk?
Even so, the real-world risk seems slight. Even the most sensitive run-up guides don’t have enough information to overcome a larger obstacle: in order to access a multi-function device inside an organization, an attacker would already need to have network access, says Nick Ellsmore, co-founder of the security consultancy Hivint.
But multi-function devices are attractive targets, he says. For example, Ellsmore says he’s seen proof-of-concept attacks where a multi-function device was modified to have every document that is scanned sent to an external email address.
“Often those devices are not configured to restrict email within an organization,” Ellsmore says. “If you can get administrative control over a multi-function device, you can do some pretty dangerous things.”
But it would be of use to someone who, for example, already works for an organization.
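Ellsmore's point is that scan-to-email on a multi-function device is often not restricted to the organization's own mail domains, so a compromised device can quietly forward every scanned document outside. A defender can at least detect that from the device's job records. The following is an added example, not code from the article or from Ricoh: it parses a constructed scan-to-email job log, flags jobs whose destination is outside an assumed set of organization domains, and tallies the external addresses so a single address receiving many scans stands out. The log format, the domain list and the records are all assumptions.

```python
from collections import Counter
from typing import Dict, List

# Assumption: the organization's own mail domains (subdomains count as internal).
ORG_DOMAINS = {"corp.example"}

# Constructed scan-to-email job records; the key=value format is invented for this example.
SAMPLE_LOG = """\
2019-06-01T09:12:03 job=1041 user=jsmith dest=jsmith@corp.example pages=3
2019-06-01T09:15:44 job=1042 user=jsmith dest=accounts@corp.example pages=12
2019-06-01T09:16:02 job=1043 user=admin dest=archive@mail.example.net pages=12
2019-06-01T09:30:10 job=1044 user=kdoe dest=kdoe@corp.example pages=1
2019-06-01T09:30:15 job=1045 user=admin dest=archive@mail.example.net pages=1
2019-06-01T10:02:51 job=1046 user=kdoe dest=kdoe@print.corp.example pages=4
"""


def parse_jobs(log: str) -> List[Dict[str, str]]:
    """Turn each 'timestamp key=value ...' line into a dict (timestamp kept under 'ts')."""
    jobs = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        job = {"ts": ts}
        for f in fields:
            k, _, v = f.partition("=")
            job[k] = v
        jobs.append(job)
    return jobs


def is_internal(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is one of ours or a subdomain of one of ours."""
    _, _, domain = address.rpartition("@")
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def external_jobs(log: str) -> List[str]:
    """Job ids whose scan was emailed to an address outside the organization."""
    return [j["job"] for j in parse_jobs(log) if not is_internal(j["dest"])]


def external_destinations(log: str) -> Dict[str, int]:
    """How many scans each external address received; a repeat receiver is the forwarding pattern."""
    counts = Counter(j["dest"] for j in parse_jobs(log) if not is_internal(j["dest"]))
    return dict(counts)


if __name__ == "__main__":
    for job in parse_jobs(SAMPLE_LOG):
        if not is_internal(job["dest"]):
            print(f"{job['ts']} job {job['job']}: user {job['user']} scanned {job['pages']} page(s) to {job['dest']}")
    print(external_destinations(SAMPLE_LOG))
```

The same logic is the policy the device should enforce in the first place: if scan-to-email is limited to internal domains on the device, the alert here becomes a configuration-drift check rather than an exfiltration alarm.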
Embarrassing for Ricoh
It’s easy to think of Ricoh as just a printer company. But its multi-function devices are complicated machines that are more along the lines of a server, with email functions, remote management features and in-built web browsers.
Ricoh has a robust government business worldwide, and some of its multi-function devices have advanced security features designed for high-security environments.
That includes only storing documents in RAM rather than on the hard drive, preventing a leak of data if someone steals a hard drive. Some models have NFC card scanners to authenticate users and log activity. The hard drives can store thousands of documents, and users can create passcode-protected folders to protect their files. PDFs can also be encrypted on the multi-function device.
One of the most sensitive documents exposed, dated January, belongs to Commonwealth Bank. It contains SMTP credentials for two models used by the bank, Ricoh’s MP C6503 and the MP 8003, as well as two sets of administrator credentials and one “supervisor” account.
A Commonwealth Bank spokesman says the bank immediately changed the passwords even though there was no risk to customer data. “None of our systems have been compromised in any way as a result of this disclosure,” he says.
Troy Hunt, a data breach expert who runs the Have I Been Pwned breach-notification service, says that the leak is probably just more embarrassing for Ricoh than anything else. The information is “certainly not as immediately weaponizable as things like publicly exposed database backups,” he says.
Ricoh has since taken down the domain where the documents were stored. But as in many breaches, Google never forgets, or else must be forced to forget. Many of the documents still showed up in Google’s cache days later, showing the difficulty in reeling back information once it’s been exposed to search engine crawlers.
“Deleting anything off the internet is a little bit like trying to take piss out of a pool,” Hunt says.
Send the Key Here
As mentioned before, some of Ricoh’s MFD models can encrypt their hard drives – using AES-256. If a hard drive gets stolen, that level of encryption would prevent an attacker from recovering it, according to
For example, it advises administrators to scan a printout of the encryption key and send it to a customized email address that belongs to Ricoh. In some examples, that address was “firstname.lastname@example.org.” Users are also advised to enter the serial number of the multi-function device in the subject of the email.
Encryption keys typically remain closely guarded secrets, for obvious information security reasons. And sending a key to another party – via email, no less – would generally be regarded as a very bad idea.
“I’m lost for words,” Hunt says.
He speculates the procedure might be related to remote diagnostic support, such as if Ricoh needed access to the hard drive for maintenance. But even still, Hunt says such a practice would be “ridiculous,” because it suggests Ricoh could still access content that had been encrypted by a client.
Ellsmore also suspects that the procedure might relate to support services, but says it’s a “horrible security practice.”
As with the run-up guide passwords, however, using the key would already require an attacker to have a high level of access on the network, and to have accessed a multi-function device.
Ricoh declined to comment on its encryption-related procedures.