Vulnerabilities in fax machines could let hackers infiltrate a network

All-in-one devices should now be considered a possible infiltration vector into the corporate network, researchers warn

fax machine with send button pressed

Researchers have discovered several critical vulnerabilities in the fax functionalities of all-in-one printers that can allow an attacker to seize complete control of a machine.

Seeking to establish what an attacker could accomplish armed with just a phone line and a target fax number, Check Point Research found that by sending a maliciously-crafted fax it was possible to infiltrate an organisation's network.

Disclosing the vulnerabilities at DEFCON 26, hosted in Las Vegas, yesterday, they showcased how an attacker could then maximise this opportunity via EternalBlue, a leaked NSA-developed hacking tool, to exploit any PC connected to the same network.

The infiltrated computers can be used to send data back to the attacker by sending another fax.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer," said Check Point Research's Eyal Itkin and Yaniv Balmas.

"We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines.

"From now on, a fax machine should be treated as a possible infiltration vector into the corporate network."

The team of researchers tested their exploit on HP Officejet Pro 6830 all-in-one printers, but said they "strongly believe that similar vulnerabilities apply to other fax vendors too as this research concerns the fax communication protocols in general".

Despite being considered a technological relic in the age of instant messaging, text and video calls, fax machines are still widely-used in businesses and organisations across the world.

For instance, Check Point Research estimated there are more than 300 million fax numbers in use, while they say financial reports from Wall Street reveal tens of millions of all-in-one printers are sold worldwide each year.

Advertisement - Article continues below

Meanwhile, a poll conducted by the Royal College of Surgeons (RCS) last month revealed that almost 9,000 fax machines are in use across the NHS - highlighting the widespread use of fax technology in the UK public sector, and the accompanying security risks.

Check Point Research said it worked closely with HP to fix the vulnerability after alerting them to the issues in May, culminating in a patch that was released on 1 August. But the research team said the vulnerability is not exclusive to all-in-one printers and that similar flaws may be found in fax-to-mail services and standalone fax machines.

Although they haven't spotted this exploit being executed in a real-world context, the researchers nonetheless recommended that HP Officejet all-in-one users follow the vendor's instructions on patching their printers.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/technology/artificial-intelligence-ai/354796/ai-identifies-11-earth-bound-asteroids
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
Visit/business/business-operations/354790/hp-shareholders-invited-to-come-dine-with-xerox
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020