Organisations and individuals could be hacked via their fax machines, using newly discovered vulnerabilities in the communication protocols used in tens of millions of fax devices globally, according to research from cyber security solutions provider Check Point.
Fax number is all that’s needed
A fax number, easily obtainable from websites, is all an attacker needs to exploit the flaws, and potentially seize control of a company or home network, said the Israel-based company, which demonstrated the vulnerabilities in the widely-used HP Officejet Pro All-in-One fax printers.
With the fax number, the attacker sends a specially created image file by fax to the target. The vulnerabilities enable malware (such as ransomware, crypto-miners or spyware) to be coded into the image file, which the fax machine decodes and uploads to its memory.
The malware can then potentially breach sensitive data or cause disruption by spreading across any networks to which the fax machine is connected.
The same protocols are also used by many other vendors’ faxes and multi-function printers, and in online fax services such as fax2email, so the vulnerabilities likely extend to these as well, said Check Point.
Solutions to the vulnerabilities
To minimise the security risk, Check Point advises that organisations check for available firmware updates for their fax devices and apply them. Businesses are also urged to place fax devices on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.
The company has shared its findings with HP, which has responded by developing a software patch for its printers that is available for download.
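The segmentation advice above can be checked against an asset inventory. The following Python sketch is an added example, not code from Check Point or HP; the device names, addresses, segments and firewall rule are constructed sample data, and the inventory format is an assumption. It flags fax-capable devices that share a segment with sensitive servers or that an allow rule lets reach one.

```python
import ipaddress

# Constructed sample inventory (not from the article).
DEVICES = [
    {"name": "mfp-reception", "ip": "10.0.10.25", "fax": True},
    {"name": "mfp-legal", "ip": "10.0.20.40", "fax": True},
    {"name": "printer-lab", "ip": "10.0.20.41", "fax": False},
    {"name": "mfp-isolated", "ip": "10.0.99.5", "fax": True},
]
# Constructed segments; "sensitive" marks those holding sensitive servers.
SEGMENTS = [
    {"cidr": "10.0.10.0/24", "label": "office", "sensitive": False},
    {"cidr": "10.0.20.0/24", "label": "records-servers", "sensitive": True},
    {"cidr": "10.0.99.0/24", "label": "fax-isolated", "sensitive": False},
]
# Constructed firewall allow rules as (source CIDR, destination CIDR).
ALLOW_RULES = [("10.0.10.0/24", "10.0.20.0/24")]

def segment_of(ip, segments):
    """Return the segment record containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for seg in segments:
        if addr in ipaddress.ip_network(seg["cidr"]):
            return seg
    return None

def audit_fax_placement(devices, segments, allow_rules):
    """List (device, reason) for fax-capable devices that are not isolated."""
    sensitive = [ipaddress.ip_network(s["cidr"]) for s in segments if s["sensitive"]]
    findings = []
    for dev in devices:
        if not dev["fax"]:
            continue  # only fax-capable devices are in scope here
        seg = segment_of(dev["ip"], segments)
        if seg is None:
            findings.append((dev["name"], "unmapped address, placement unknown"))
        elif seg["sensitive"]:
            findings.append((dev["name"], f"shares segment '{seg['label']}' with sensitive servers"))
        else:
            addr = ipaddress.ip_address(dev["ip"])
            for src, dst in allow_rules:
                reaches = any(ipaddress.ip_network(dst).overlaps(n) for n in sensitive)
                if addr in ipaddress.ip_network(src) and reaches:
                    findings.append((dev["name"], f"rule {src} -> {dst} reaches sensitive segment"))
                    break
    return findings

if __name__ == "__main__":
    for name, reason in audit_fax_placement(DEVICES, SEGMENTS, ALLOW_RULES):
        print(f"{name}: {reason}")
```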
Fax machines still widely in use
While not quite perceived as modern-day technology, there are still some 45m fax machines in use in businesses globally, with 17bn faxes sent every year. Fax is still widely used in several industry sectors such as healthcare, legal, banking and real estate, where organisations store and process vast amounts of highly sensitive personal data. In many countries, emails are not considered as evidence in courts of law, so fax is used when handling certain business and legal processes.
“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers,” said Check Point group manager, security research Yaniv Balmas. “These overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations.
“It’s critical that organisations protect themselves against these possible attacks by updating their fax machines with the latest patches and separating them from other devices on their networks,” Mr Balmas continued.
“It’s a powerful reminder that in the current, complex fifth-generation attack landscape, organisations cannot overlook the security of any part of their corporate networks.”