The fax cyber hack scare and our need for advanced security solutions

It has been widely reported that there are around 45 million fax machines globally in use in businesses today. Fax machines are easily forgotten in the corner of an office, which is exactly why they are vulnerable to the risk of being hacked. Unfortunately, while fax machines might seem like an outdated communications device, they’re still widely used and connected to networks in industries where highly sensitive data is stored, such as healthcare, banking and law. The NHS, for example, uses over 9,000 fax machines regularly. And although some fax machines can be “fixed” in order to avoid hacks, most of them are too old to even update. 

It’s hardly surprising, therefore, that Check Point Research recently discovered a major vulnerability after identifying a bug in HP Officejet all-in-one fax printers, as well as in other machines and printers. Check Point Research found that if these devices are linked to a company’s network, the bug could allow hackers to break into the organisation’s IT network and servers and gain access to sensitive files and documents.

With this in mind, companies still using fax machines need to be aware of the potential risks, consequences, and methods they can introduce to protect their machines. Here’s everything you need to know.

How does hacking a fax machine work?

Most fax machines today are integrated into all-in-one printers, connected both to the organization's internal Wi-Fi network and to a PSTN phone line. A hacker can simply send a specially crafted image containing malicious code to the fax machine. The fax machine will then do its job and read the image. The image, however, is intentionally malformed so that it crashes the image decoding function (part of the fax machine firmware) in a way that forces the device to execute the attacker's code instead of the firmware's own. This, in turn, gives the attacker full control over the fax machine.

This is very serious, since the attacker now has access to the same internal network that the device is connected to through its Wi-Fi or Ethernet connection, and there will be no firewalls (and probably no IDS either) protecting that network segment. That makes it so much easier for the attacker to spread their attack tools and malicious code to the computers and devices on the network, or to just listen in on the internal traffic in the hope of gaining juicy hints and clues about other interesting targets in the organization's network.

And who knows what kind of confidential documents will be sent to that particular printer in the meanwhile...
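To make the decoding bug concrete, here is an added example (not code from the article, Check Point or HP): a toy fax line decoder written in the style of embedded firmware. The vulnerable version trusts the length field in the fax header when copying into a fixed buffer, which is the class of defect that lets a malformed image hijack execution; the hardened version checks the length first. The header layout, buffer size and sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LINE_BYTES 216  /* constructed: bytes in one decoded scan line */

/* Constructed header: 2-byte big-endian payload length, then the payload. */
static uint16_t read_len(const uint8_t *hdr) {
    return (uint16_t)((hdr[0] << 8) | hdr[1]);
}

/* Returns the XOR of the copied bytes so the decoded line is actually used. */
static int fold_line(const uint8_t *line, size_t n) {
    int acc = 0;
    for (size_t i = 0; i < n; i++) acc ^= line[i];
    return acc;
}

/* Vulnerable pattern: the length comes from the untrusted fax and is used
 * unchecked, so a large value overruns the fixed stack buffer `line`. */
int decode_line_vulnerable(const uint8_t *msg, size_t msg_len) {
    uint8_t line[LINE_BYTES];
    if (msg_len < 2) return -1;
    uint16_t n = read_len(msg);          /* attacker-controlled */
    memcpy(line, msg + 2, n);            /* no comparison with LINE_BYTES */
    return fold_line(line, n);
}

/* Hardened: reject any length that exceeds the buffer or the bytes present. */
int decode_line_hardened(const uint8_t *msg, size_t msg_len) {
    uint8_t line[LINE_BYTES];
    if (msg_len < 2) return -1;
    uint16_t n = read_len(msg);
    if (n > LINE_BYTES || (size_t)n > msg_len - 2) return -1;  /* bounds check */
    memcpy(line, msg + 2, n);
    return fold_line(line, n);
}

/* Constructed messages: a well-formed 3-byte line, and one whose header
 * claims 4096 bytes while carrying only one. */
const uint8_t sample_ok[]  = {0x00, 0x03, 0x01, 0x02, 0x04};
const uint8_t sample_bad[] = {0x10, 0x00, 0xAA};
```

The hardened decoder returns -1 for the oversized header instead of copying past the end of `line`; the vulnerable one is only ever called here with the well-formed message.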

How big is the risk?

The risk of being hacked is somewhat amplified because most firmware (the software embedded in these devices) was written, as you might imagine, many years ago, when people were still ignorant of possible malware and cyber-attacks, often thinking “why would anybody send me a malformed fax or attack my fax machine?”

Advanced testing methods such as source code analysers and protocol fuzzers were either not available or not in general use by vendors at the time, and probably still aren’t at some vendors. It is also very challenging to detect the first phase of an attack if the PSTN phone line is used as the attack vector, as there are no firewalls, IDSs, etc. that can protect your PSTN line. Detecting the remaining phases could also prove difficult, since the compromised device will now be targeting other devices on the same network, becoming an internal threat, although endpoint security solutions and IDS might solve at least part of the problem.

How do you protect your fax machine?

That’s easy: dump ‘em. Jump into your DeLorean (the car from Back To The Future, for those who don’t know) and head back to the present time! If you aren’t willing to do that, then you should separate fax machines from the network and/or boost your detection capabilities. While a PSTN line might still be a challenge, it’s worth using an endpoint security solution or IDS. These, of course, will only work against known vulnerabilities and signatures and are not in any way sufficient alone. A more advanced approach would be, for example, to look into deception-based security solutions – using decoys, whether fax machines or other interesting targets in your network. That way you could lure in the attackers and get notified immediately when you’re being hacked.

Secondly, perimeter security is not enough! Perimeter devices are just additional hardware and software, just as vulnerable as anything else, and they won't cover the PSTN lines. More advanced solutions are needed: for example, make sure your vendor uses proactive methods in their product testing (fuzzing, code analysers, binary analysers etc.). Check when you last received a BOM (bill of materials) from your software or product vendor (let me guess - never!). Furthermore, look into new areas of security: deception and decoys, as stated above. These would really take detection capabilities to the next level, also covering insider threat scenarios.
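As an added example of the detection side (not the article's or Aves Netsec's code): a small detector over constructed flow records that alerts when the fax machine initiates a connection to anything but its print server, or when any host touches a decoy address that no legitimate system is configured to use. The addresses, ports and record format are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FAX_ADDR    "10.0.1.50"   /* constructed: the all-in-one fax/printer */
#define PRINT_SRV   "10.0.1.10"   /* constructed: the only host it may talk to */
#define DECOY_ADDR  "10.0.1.99"   /* constructed: decoy, never used legitimately */

/* Classify one "src dst port" record.  Returns 0 = benign, 1 = fax
 * initiating a session to an unexpected host, 2 = decoy touched,
 * -1 = unparseable record. */
int classify_flow(const char *record) {
    char src[32], dst[32];
    int port;
    if (sscanf(record, "%31s %31s %d", src, dst, &port) != 3) return -1;
    if (strcmp(dst, DECOY_ADDR) == 0) return 2;   /* nobody should reach the decoy */
    if (strcmp(src, FAX_ADDR) == 0 && strcmp(dst, PRINT_SRV) != 0) return 1;
    return 0;
}

/* Constructed flow log: the first and last lines are ordinary print jobs;
 * the middle two are what a compromised fax probing the internal network
 * would look like from the switch's point of view. */
static const char *sample_flows[] = {
    "10.0.1.10 10.0.1.50 9100",
    "10.0.1.50 10.0.1.23 445",
    "10.0.1.50 10.0.1.99 22",
    "10.0.1.23 10.0.1.10 9100",
};

/* Runs the detector over the sample log; returns the number of alerts raised. */
int count_alerts(void) {
    int alerts = 0;
    for (size_t i = 0; i < sizeof sample_flows / sizeof *sample_flows; i++) {
        int verdict = classify_flow(sample_flows[i]);
        if (verdict > 0) {
            alerts++;
            printf("ALERT(%d): %s\n", verdict, sample_flows[i]);
        }
    }
    return alerts;
}
```

Inbound print jobs to the fax are never flagged; only sessions the fax itself opens, or anything reaching the decoy, raise an alert.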

Despite the vulnerability and the risk of hacking, the reality is that there are a plethora of other ways of exploiting a company, e.g. insider attacks, malicious USB (memory) devices and new malware with encrypted payloads (using novel approaches like DeepLocker) that may enable attackers to target the intranet directly, bypassing perimeter security. Additionally, the Check Point Research discovery concerned only one specific old all-in-one printer firmware, and reproducibility was uncertain.

Focusing too heavily on specific threat vectors risks narrowing the defender's view, rendering them blind to the bigger picture. A mature, risk-centered security organization will have the right tools to render such attacks ineffective.

Juha Korju, CTO of Aves Netsec 

Juha Korju
Juha is the CTO of Aves Netsec, a deception-based security company based at Plexal. Juha has 25+ years of industry experience in software and security engineering from many aspects.