Fax machines, a staple of business in the past still in heavy use today, pose a potential risk for cybersecurity, according to research from Check Point Software
These newly discovered vulnerabilities affect the communication protocol in use in fax machines, and, using only a fax number, malicious actors can gain access to home or business networks.
Using the popular HP Officejet Pro All-in-One fax machine, Check Point showed how these new vulnerabilities can affect a broad number of devices, including devices from a number of popular manufacturers. Also potentially at risk are online fax services, such as fax2email, which open up the attacks to a much broader range of potential vectors. Fortunately, the vulnerability can be patched in software. After Check Point shared its findings with HP, they were able to release patches available on their website.
The vulnerability works by sending carefully crafted image files able to deliver a malicious payload, including spyware, crypto-miners, ransomware, or other malware. These files appear to be typical image files used on websites or sent through email. Once the image is uploaded, it’s stored in RAM, where it can be used to access private data or disrupt operations; any breach of this sort can be used to upload further malware, potentially giving intruders free rein across networks. This problem is exacerbated by the open nature of fax numbers, as it’s trivial to look up corporate fax lines through websites. Furthermore, malicious faxes are relatively cheap to send, and it’s simple for malicious actors to scrape the web for fax numbers and run attacks automatically. When thinking about security, companies often overlook fax machines, as their analogue design means few consider them to be potential threats. In fact, security auditors might not even know a network has fax capabilities.
Fax machines, despite their age, are still a mainstay of business on a global scale. Including virtual fax machines, there are 45 million devices in use today, and businesses send 17 billion faxes every year. Some sectors see more use than others, with bank, real estate, healthcare, and legal organizations still relying on the technology as a standard means for sending certain types of documents. In many business and legal areas, faxes can be used for official documents, while emails and other newer technologies cannot. Government organizations make use of fax machines often as well; the UK’s National Health Service, for example, has more than 9,000 fax machines in regular use. Printers with fax capabilities remain popular as well, with close to half of all laser printers sold in Europe having fax capabilities.
Yaniv Balmas, Group Manager of Security Research at Check Point, states: “Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers.
This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations.
“It’s critical that organizations protect themselves against these possible attacks by updating their fax machines with the latest patches and separating them from other devices on their networks. It’s a powerful reminder that in the current, complex fifth-generation attack landscape, organizations cannot overlook the security of any part of their corporate networks.”