Faxploit: Retro hacking of fax machines can spread malware

20th Century tech causing problems in the 21st

Corporations are open to hacking via booby-trapped image data sent by fax, a hacker demo at DEF CON suggests.

The hack - discovered by security researchers at Check Point - relies on exploiting flaws in the communication protocols used in tens of millions of fax-capable devices globally, such as all-in-one fax-enabled printers.

Vulnerabilities in the protocols that faxes and all-in-one printers use to send & receive faxes create a mechanism for miscreants to create an image file that bundles malware. This booby-trapped image can be sent to a targeted fax device.

The team demonstrated the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers during a presentation at the DEF CON hacker event in Las Vegas on Sunday.

Prior to the presentation, Check Point shared its findings with HP, which responded by developing a software patch for its printers. HP's advisory admits that, if left unaddressed, the security flaws created a means for hackers to push malware onto vulnerable Inkjet printers (many models are affected).

Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.

The same protocols are also used by many other vendors’ faxes and multifunction printers, and in online fax services such as fax2email, so it is likely that these are also vulnerable to attack using the same method, according to security researchers.

Hanging on the telephone

Fax may seem like an obsolete technology that only comes into its own on football's transfer deadline day. However, there are still over 45 million fax machines in use in businesses globally, with 17 billion faxes sent every year.

The NHS in the UK alone has over 9,000 fax machines in regular use, according to figures cited by Check Point. Fax machines are also widely used in sectors such as healthcare, legal, banking and real estate.

In many jurisdictions, emails are not considered as evidence in courts of law, so fax is used when handling certain business and legal processes. Nearly half of all laser printers sold in Europe are multifunction devices with fax capability.

“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers,” said Yaniv Balmas, group manager security research at Check Point.

Tom B, red team leader at security consultancy ThinkMarble, said that even though hacking a combined fax machine and printer is possible, other attacks are more likely in practice; at least outside the arena of targeted assaults where money is no object.

"Receiving a fax is essentially like receiving a telephone call – they are generally traceable," he argued. "Furthermore, phone calls also cost money. Phoning millions of fax machines to find a vulnerable model is expensive, and this will dissuade the common cybercriminal."

“While the exploitation of fax machines will be seldom seen in the wild, it is highly recommended that fax machines/printers/all in one devices are periodically updated and patched in-line with common cyber security best practices. It is our experience that network peripherals are often installed and forgotten about, leaving them vulnerable,” he concluded.

The area of security research is not entirely new - a bug in Epson multifunction printer firmware that posed a backdoor risk was discovered back in 2016, for example. Other examples are thin on the ground. The new research does, however, serve as a reminder that networked devices, as well as PCs and servers, need patching.

To minimise the security risk, Check Point advises that organisations check for available firmware updates for their fax devices and apply them. Organisations are also urged to place fax devices on a secure network segment separated from applications and servers that carry sensitive information. Segmentation will limit the ability of malware to spread across networks.

Biting the hand that feeds IT © 1998–2021