Check Point researchers have announced newly discovered vulnerabilities that affect tens of millions of fax devices in businesses and homes worldwide. These vulnerabilities, dubbed Faxploit, leave the door open for criminals to hack networks by sending malicious faxes.
The researchers demonstrated the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers, but the same vulnerable protocols are also used by many other vendors’ faxes and multi-function printers, and in online fax services such as fax2email. Check Point shared its findings with HP, which quickly developed a software patch for its printers (available on HP.com).
Hard as it may be to believe in the age of email, more than 45 million fax machines are in use in businesses globally, with 17 billion faxes sent every year. Fax is still widely used in healthcare, legal, banking and real estate. In many countries, emails are not accepted as evidence in courts of law, so faxes are relied upon for certain business and legal matters. About half of the laser printers sold in Europe are multi-function devices that include fax capability.
“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers,” said Yaniv Balmas, group manager for Security Research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations.
“It’s critical that organizations protect themselves against these possible attacks by updating their fax machines with the latest patches and separating them from other devices on their networks,” Balmas continued. “It’s a powerful reminder that in the current, complex fifth-generation attack landscape, organizations cannot overlook the security of any part of their corporate networks.”
Once an attacker obtains an organization’s fax number, the vulnerabilities allow malware to be embedded in a fax image file, which the receiving fax machine loads into its memory. The malware can then breach sensitive data or cause disruption by spreading across any networks to which the fax machine is connected.
To minimize the security risk, Check Point advises that organizations check for available firmware updates for their fax devices and apply them. Businesses are also urged to place fax devices on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.
The vulnerabilities were presented by Check Point researchers Balmas and Eyal Itkin at the recent DEF CON 26, the leading security and hacking conference.
“There are absolutely no protections over fax,” said Balmas. “Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers.”
Researchers focused on the most popular fax machine brand, Hewlett Packard’s OfficeJet Pro all-in-one fax printers, but found that even those manufactured by Canon and Epson contain similar vulnerabilities.
Some 45 million fax machines containing highly sensitive data are in use worldwide, especially in the healthcare, banking and law industries. In the United States alone, 75 percent of all communication in the medical sector is sent by fax, the AP said.
Because many of these machines are too old to update, it is difficult for companies to stop hackers from entering their systems. Check Point recommends that organizations check whether their fax machines can be updated and place them on a secure network separate from those carrying sensitive information.
“Fax is an ancient technology; the protocols we use today haven’t been changed for the past 30 years,” Balmas says. “But everybody is still using fax and nobody really looks at it as a valid attack vector.” This complacency persists despite the fact that hackers have targeted fax machines for decades, and the technology is still insecure in basic ways.
For example, fax data are sent with no cryptographic protections; anyone can tap a phone line and instantly intercept all data transmitted across it. “Fax is perceived as a secure method of data transmission,” says Balmas. “That’s a huge misconception—it’s absolutely not secure.”
“The attack scenario is actually pretty simple,” Check Point’s Itkin says. “A malicious attacker wants to infiltrate a covert network, let’s say a bank. And the fax number for this bank is public, so he can get that number. On the bank side, if the printer that receives the fax is also connected to the internal network, then all the attacker needs to do is send a malicious fax to this phone number and automatically he will be inside the internal network of this bank. It’s crazily dangerous.”
While fax machines were once standalone devices, the machines of today are typically connected devices that combine fax, printer, and photocopier. And almost every company has them. By exploiting vulnerabilities inherent in the fax protocol, the researchers were able to gain access to an entire IT network. Popular online fax services, such as fax2email, use the same vulnerable protocol.
The researchers said that if you penetrate a single access point on a network, you can compromise everything connected to it via “lateral movement.” This means that even networks that are not connected to the Internet are vulnerable; for example, an attacker could steal a customer’s account number from a document.
Check Point said there are some 46 million fax machines in use, with 17 million of them in the US. In Japan, an estimated 100 percent of businesses and 45 percent of private homes own a fax machine. The health care industry is the mainstay of worldwide fax sales, while the legal industry’s fax machines offer the convenience of sending documents to clients and receiving confirmation they were received.
To protect against attacks, Check Point recommends segmenting your network and regularly patching your fax devices.