Researchers from Check Point Software have announced at DEF CON 26 that fax machines can be easily used by cyber attackers to breach an IT system. In this age of advanced cyber attack methodologies, it is ironic to be reminded of a wide-spread security vulnerability in a digital technology that’s been used in offices since 1980!
Yaniv Balmas, Group Manager, Security Research at Check Point, confirmed “Fax is an ancient technology and the protocols we use today haven’t been changed for the past 30 years. But everybody is still using fax and nobody really looks at it as a valid attack vector. So, we thought, what if we could exploit a printer just by sending a malicious fax? In an all-in-one printer, one side is connected to the phone line and the other side is connected to the network. If we could take over the device, we could then move into the internal network. Fax is perceived as a secure method of data transmission but that’s a huge misconception—it’s absolutely not secure.”
Over 45 million fax machines still in use
Check Point Software have confirmed that there are still over 45 million fax machines in use. They are heavily used in several Industry sectors that include healthcare, legal, financial services and real estate. In June 2018, the Labour Party claimed that the UK National Health Service had at least 11,620 fax machines in operation with over 9,000 machines used regularly to send confidential patient data. In many countries, emails are not considered as evidence in courts of law and the fax is widely used in professional services firms when handling certain business and legal processes. Nearly half of all laser printers currently sold in Europe are multi-function network-enabled devices which include fax capability.
Lack of encryption and stack overflow control
Vulnerable printers and fax machines with access to private networks have always been a target for hackers. The fax protocol not only lacks encryption but has a common security issue with its stack overflow control. Attackers can initiate stack overflows to gain more access or privileges on a network.
IT administrators typically add authentication checks to network printers so that only authorised users can initiate printing – a safeguard that cuts down on the potential that a remote attacker could send a malicious print job. But the Check Point researchers confirmed that the fax protocol doesn’t allow for such a mechanism. “There are absolutely no protections over fax,” Balmas says. “Even if you really wanted to do that there is no way. Fax is always sent unauthenticated, it’s a design thing, so no matter what you do, it will still be able to send you the fax.”
Eternal Blue fax exploit in less than a minute
The vulnerabilities were demonstrated on a popular HP Officejet Pro All-in-One fax printer. Balmas and his team showed that they had taken over the printer by displaying a sinister image on its screen. They used the infamous Eternal Blue Windows exploit as an example of a hacking tool that an attacker could deploy to gain deeper remote network access. The researchers say it currently takes less than one minute to transmit a fax with all of this code hidden inside it.
Patch Now Available for HP Printers
Check Point Software have shared this issue with HP who have now quickly released a patch that adds standard protection against fax protocol stack overflows. HP spokesperson, Luke Cuell, confirmed, “HP has updates available to mitigate risks and have published a security bulletin with more information. We encourage customers to keep their systems updated to protect against vulnerabilities.”
Minimise the risk of fax attack
To minimise the security risk, we advise that all organisations check for available firmware ‘patch’ updates for their fax devices and apply them as soon as possible. Check Point also advise that fax devices are placed on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of any malware to spread across networks in the event of an attack.