Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry.

While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access.

The flaws were detected by researchers at Check Point, who successfully exploited them to create a backdoor into a network and then used it to steal information through the fax. The researchers believe tens of millions of vulnerable fax machines are currently in use around the world.

To exploit the flaw, the researchers sent a specially crafted image file through the phone line to a target fax machine. The fax machine decoded the image and loaded it into memory, where the researchers' script triggered a buffer overflow condition that allowed remote code execution. The researchers were able to gain full control of the fax machine and, using the NSA exploits EternalBlue and DoublePulsar, spread malware to a vulnerable PC that was connected to the same network.

The malware was programmed to search for files of interest. When a file was located, it was sent back to Check Point via fax.

Check Point's research was mainly focused on HP's OfficeJet Pro all-in-one fax printers, although the same flaws exist in many other manufacturers' fax machines, including those manufactured by Epson and Canon. Check Point alerted HP to the issue, which has now been patched, although other manufacturers' devices remain vulnerable. In many cases, software on the all-in-one printers cannot be updated. Correcting the flaw will only be possible by upgrading to newer devices.

Check Point suggests all businesses that still use fax machines, including healthcare organizations, should determine whether their fax machines are capable of being updated and ensure all software is kept up to date. If updates are not possible, upgrading the devices is recommended, and the printer-fax machines should be located on secure networks separate from those on which protected health information is stored.

While the research was focused on all-in-one printers, the researchers note that attacks would not be limited to those devices. Potentially, stand-alone fax machines could also serve as an entry point into a business network, as could fax-to-mail services.

At this stage there have been no reports of this method of attack being used in the wild, although the Check Point researchers note it will only be a matter of time before others determine how the attacks can be conducted.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.