Fax Machines ‘Give Attackers Foothold On Corporate Networks’

Researchers demonstrate how attackers can take over multi-purpose printers and gain access to internal systems

Bugs in the protocols that drive fax machines can be used to gain access to sensitive networks in millions of organisations, researchers have said.

Fax protocols were standardised in the 1980s and have not been changed since that time, warned Israeli security firm Check Point.

Meanwhile, units that combine fax, printing and copying functions have become widespread on corporate data networks, with 9,000 in use by the NHS alone, according to the BBC.

There are about 46.3 million fax machines in operation worldwide, including 17 million in the US. They’re particularly popular in Japan, where nearly all businesses and 45 percent of homes use them, Check Point said.

A malicious image is displayed on a fax-printer. Credit: Check Point

Image-based attack

The firm found that a malicious image could be sent to such systems that triggers a type of vulnerability called a stack overflow, crashing the system and giving the attacker control over it.

Because such systems are typically connected to an internal network, the attackers then have access to the organisation’s internal systems.

And because the attack operates over a phone line, even networks that are completely disconnected from the public internet could be targeted.

Check Point presented its research at the DefCon security conference  in Las Vegas, where the firm demonstrated a malicious image that takes control of an all-in-one fax-printer and launches the notorious EternalBlue exploit.

The attack then displays an image on the printer’s screen to indicate that it’s under the control of the attackers.

Researchers Yaniv Balmas and Eyal Itkin said they were surprised by the extent to which fax machines are still used, and began to explore attack methods as a result.

They examined HP’s popular OfficeJet line of all-in-one printers as a test case, and HP has now issued a patch for the bug. The issue affects all OfficeJet systems, Check Point said.

Widespread issue

But Balmas and Itkin said similar exploits are likely to work on models from other firms.

“Similar attacks could apply to other vendors as the vulnerability lies in the fax protocol itself,” Check Point said in an advisory.

Online fax services are also likely to be affected, the firm said.

The issue stems in part from poor wording in the fax protocol, leading manufacturers to implement it in different ways, with vulnerabilities creeping in as a result.

Unlike networked printers, the fax protocol has no way of requiring authorisation for sending a fax, meaning there is no way to block the malicious fax messages.

“HP was made aware of a vulnerability in certain printers by a third party researcher,” HP said in a statement. “HP has updates available to mitigate risks and have published a security bulletin with more information.”