Ever the humble business workhorses, fax machines don’t get a lot of love these days.
But with a new security exploit doing the rounds, they have become a reminder of just how vulnerable some of our ubiquitous devices are.
Designed and executed as a proof-of-concept hack by Check Point Software Technologies security researchers, ‘Faxploit’ is a method of breaking into a company network by leveraging a fax machine as an unsecured entry point.
By using a conventional landline phone connection to dial a fax machine, researchers transmitted a specially formed fax file with purpose-built malware encoded in it.
The code contained instructions for the fax machine that allowed the attackers to sidestep the device’s access controls, then jump from the fax connection to the device’s Ethernet controller and onto the target network.
The vulnerability means that hackers could, theoretically, access a target network simply by dialling a fax number – and fax numbers are frequently publicly available.
The risks of devices
HP, which worked with Check Point on the proof-of-concept and this month issued a priority patch for the exploit, warns that “a maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.”
It’s an ingenious attack that has, with the assistance of HP, been patched on that company’s fax machines and all-in-one printers.
But the fact that it could be done at all reflects the pervasive insecurity of both old and new devices.
Ty Miller, director of security company Threat Intelligence, told Information Age this presents a clear and present danger for any business.
“These devices tend to have really terrible security controls,” he explained. “They’re relatively low-powered devices, and when it comes down to devices that operate on firmware, you tend to find that a large number of security controls – even those that are 15 years old – still haven’t been implemented in things like printers.”
Printer attacks “are the low-hanging fruit,” Miller said. “If you put your printers on the Internet with default passwords and vulnerable software, you’re going to get hacked.”
Threat Intelligence performs services, including penetration testing, that utilise known weaknesses in business software to breach target networks.
And while Faxploit presents a vulnerability that will be surprising to many, Miller noted, “the actual usefulness of this is a bit questionable. To be honest, we have never really needed to use a fax machine to gain access” because conventional techniques are more than effective enough.
This isn’t the first time that output devices have been targeted by cybersecurity researchers: earlier this year, for example, HP warned about exposure to the KRACK WiFi attack, while researchers have previously warned about remote manipulation of printer settings and default passwords granting network access to outsiders.
Last year, a hacker wrote a script that automatically searched for unsecured Internet-connected printers and printed random messages on more than 150,000 devices.
Printers as network soft spot
Fax machines regularly attract more than their fair share of derision from always-connected millennials who can’t imagine needing to send printed documents.
Medical, legal, industrial and other companies use fax machines every day, even as an entire generation asks why companies could conceivably want to do something so seemingly archaic – and plots how to get rid of them.
The devices, however, continue to sell, and fax capability is a core pillar of all-in-one printers from the likes of market giant HP – whose local division turned a profit in 2017 after years of loss-making.
The worldwide hardcopy peripherals market actually grew 1.2 percent in 2017, according to IDC, with more than 28 million devices shipping in the last quarter of last year and HP alone selling 39 million devices. This growth accelerated into 2018, with 1.7 percent first-quarter growth marking six consecutive quarters of market volume increases.
Some 446,000 units were sold in Australia in the first quarter of this year, with sales of fax-based lasers plummeting 72.1 percent compared with the year prior.