Ricoh Australia Scrambles to Fix Document Leak
Breach Likely Poses No Danger, But Ricoh Notifies Customers
Ricoh's Australia office has notified banks, government agencies, universities and many large businesses about a curious data breach that, in some cases, exposed login credentials for its multifunction devices.
It's unclear how the documents - called run-up guides - were exposed on the internet and indexed by Google's search engine. Ricoh says the leak remains under investigation.
"We are in contact with all impacted customers and are actively working with them to rectify the situation this week," Ricoh says in a statement. "We apologize for exposing customer information in this way."
Run-up guides are internal documents used by Ricoh technicians to set up new MFDs. The guides describe in technical detail how a device has been configured as well as how to update firmware and encrypt the hard drive, among many other details.
Most of the documents, which range in date from several years old to earlier this year, contained no usernames or passwords. But a "small number" exposed Lightweight Directory Access Protocol and Active Directory credentials for print configurations, says Melanie Withers, communications manager for Ricoh Australia. Those credentials are used to manage who can use a multifunction device and their level of access.
At least two dozen organizations were affected, including the Australian Signals Directorate, the Civil Aviation Safety Authority, Australian Federal Police, Defence Science and Technology, Queensland Rail, ACT Government, NT Government, Deakin University, Charles Sturt University, Commonwealth Bank, NAB, IBM and Arthur J. Gallagher, an insurer.
Withers says Ricoh has been transparent with its customers and is working with them on remediation based on what information was released. "Clients are aware of this," she says.
But the leak also exposed a Ricoh practice that some security experts say is questionable, which relates to the management of encryption keys used to scramble data on multifunction device hard drives.
What's the Risk?
Even so, the real-world risk seems slight. Even the most sensitive run-up guides don't have enough information to overcome a larger obstacle: To access a multifunction device inside an organization, an attacker would already need to have network access, says Nick Ellsmore, co-founder of the security consultancy Hivint.
Nevertheless, multifunction devices are attractive targets, he says. For example, Ellsmore says he's seen proof-of-concept attacks where such a device was modified to have every document that is scanned sent to an external email address.
"Often those devices are not configured to restrict email within an organization," Ellsmore says. "If you can get administrative control over a multifunction device, you can do some pretty dangerous things."
But it would be of use to someone who, for example, already works for an organization.
Embarrassing for Ricoh
It's easy to think of Ricoh as just a printer company. But its multifunction devices are complicated machines that are more along the lines of a server, with email functions, remote management features and built-in web browsers.
Ricoh has a robust government business worldwide, and some of its multifunction devices have advanced security features designed for high-security environments.
That includes only storing documents in RAM rather than on the hard drive, preventing a leak of data if someone steals a hard drive. Some models have NFC card scanners to authenticate users and log activity. The hard drives can store thousands of documents, and users can create passcode-protected folders to protect their files. PDFs can also be encrypted on the multifunction device.
One of the most sensitive documents exposed, dated January, belongs to Commonwealth Bank. It contains SMTP credentials for two models used by the bank, Ricoh's MP C6503 and the MP 8003, as well as two sets of administrator credentials and one "supervisor" account.
A Commonwealth Bank spokesman says the bank immediately changed the passwords even though there was no risk to customer data. "None of our systems have been compromised in any way as a result of this disclosure," he says.
Troy Hunt, a data breach expert who runs the Have I Been Pwned breach-notification service, says that the leak is probably more embarrassing for Ricoh than anything else. The information is "certainly not as immediately weaponizable as things like publicly exposed database backups," he says.
Ricoh has since taken down the domain where the documents were stored. But as in many breaches, Google never forgets, or else must be forced to forget. Many of the documents still showed up in Google's cache days later, showing the difficulty in reeling back information once it's been exposed to search engine crawlers.
"Deleting anything off the internet is a little bit like trying to take piss out of a pool," Hunt says.
Send the Key Here
As mentioned before, some of Ricoh's MFD models can encrypt their hard drives - using AES-256. If a hard drive gets stolen, that level of encryption would prevent an attacker from recovering the data on it, according to Ricoh documentation.
But some of the run-up guides contain what appear to be unorthodox instructions relating to encrypting a hard drive.
For example, those guides advise Ricoh technicians to scan a printout of the encryption key and send it to a customized email address that belongs to Ricoh. In some examples, that address was "firstname.lastname@example.org." The guides recommend entering the serial number of the multifunction device in the subject of the email.
Encryption keys typically remain closely guarded secrets, for obvious information security reasons. And sending a key to another party - via email, no less - would generally be regarded as a very bad idea.
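The two failure modes the article describes - directory, SMTP and administrator credentials written into set-up guides, and a hard-drive encryption key printed, scanned and emailed - are both cases of secrets living in documents that later end up somewhere they should not. The following is an added example, not Ricoh's code or anything from the leaked guides, of the kind of pre-publication check a document owner could run before such a guide is stored on a web-reachable host. The field labels it looks for and both sample documents are constructed for illustration; the real layout of a run-up guide is not known from the article.

```python
"""Pre-publication secrets check for device set-up documents (added example).

Scans text for the categories of secret the article says some run-up guides
contained: LDAP/AD bind credentials, SMTP credentials, administrator or
supervisor passwords, and a hard-drive encryption key. The label patterns
and sample guides below are constructed assumptions, not Ricoh's format.
"""
import re
from dataclasses import dataclass

# Labelled "Field: value" lines whose value is a secret. These label
# spellings are assumptions about how a guide might be written.
LABELLED_SECRET_FIELDS = {
    "ldap_bind_password": re.compile(
        r"^\s*(?:LDAP|AD|Directory)\s+Bind\s+Password\s*[:=]\s*(\S+)", re.I),
    "smtp_password": re.compile(
        r"^\s*SMTP\s+(?:Auth\s+)?Password\s*[:=]\s*(\S+)", re.I),
    "admin_password": re.compile(
        r"^\s*(?:Administrator|Admin|Supervisor)\s+Password\s*[:=]\s*(\S+)", re.I),
    "hdd_encryption_key": re.compile(
        r"^\s*(?:HDD|Hard\s+Drive|Disk)\s+Encryption\s+Key\s*[:=]\s*(\S+)", re.I),
}

# Unlabelled key material: 64 hex digits is a raw AES-256 key printed in hex.
AES256_HEX = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Finding:
    kind: str       # which category of secret was matched
    line_no: int    # 1-based line in the document
    redacted: str   # value with all but the first two characters masked


def redact(secret: str) -> str:
    """Mask a secret so the scan report itself is safe to circulate."""
    return secret[:2] + "*" * max(len(secret) - 2, 4)


def scan_document(text: str) -> list[Finding]:
    """Return every secret-bearing line found in the document text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_label = False
        for kind, pattern in LABELLED_SECRET_FIELDS.items():
            m = pattern.match(line)
            if m:
                findings.append(Finding(kind, line_no, redact(m.group(1))))
                matched_label = True
        # Only look for bare hex keys when no labelled field already
        # claimed the line, so a labelled key is not reported twice.
        if not matched_label:
            for m in AES256_HEX.finditer(line):
                findings.append(Finding("aes256_hex_key", line_no, redact(m.group(0))))
    return findings


def is_safe_to_publish(text: str) -> bool:
    """A document is publishable only when the scan finds nothing."""
    return not scan_document(text)


# Constructed sample: a guide that records configuration without secrets.
CLEAN_GUIDE = """\
Device: MP C6503 (constructed sample, serial SN-EXAMPLE-0001)
Firmware: 1.23 (constructed)
HDD Encryption: Enabled; key held in the customer's own key store
Address Book: LDAP lookup enabled, anonymous bind
SMTP Server: mail.example.org, port 587, STARTTLS
Administrator password set by customer; not recorded here
"""

# Constructed sample: a guide with the kinds of secrets the article describes.
LEAKY_GUIDE = """\
Device: MP 8003 (constructed sample, serial SN-EXAMPLE-0002)
LDAP Bind DN: cn=printsvc,ou=Service Accounts,dc=example,dc=org
LDAP Bind Password: Pr1nt-Svc-Example!
SMTP Username: mfd-relay@example.org
SMTP Password: Relay-Example-2019
Administrator Password: Adm1n-Example
Supervisor Password: Sup-Example
HDD Encryption Key: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for name, doc in (("clean guide", CLEAN_GUIDE), ("leaky guide", LEAKY_GUIDE)):
        print(f"{name}: {'OK to publish' if is_safe_to_publish(doc) else 'BLOCKED'}")
        for f in scan_document(doc):
            print(f"  line {f.line_no}: {f.kind} = {f.redacted}")
```

The report prints only redacted values, so it can be attached to a ticket without itself becoming a second copy of the secret. Run against the constructed samples, the clean guide passes and the leaky guide is blocked on the bind password, the SMTP password, both administrator-class passwords and the encryption key.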
"I'm lost for words," Hunt says.
He speculates the procedure might be related to remote diagnostic support, such as if Ricoh needed access to the hard drive for maintenance. But even still, Hunt says such a practice would be "ridiculous," because it suggests Ricoh could still access content that had been encrypted by a client.
Ellsmore also suspects that the procedure might relate to support services, but says it's a "horrible security practice."
As with the run-up guide passwords, however, using the key would already require an attacker to have a high level of access on the network, and to have accessed a multifunction device.
Ricoh declined to comment on its encryption-related procedures.