pixel_dreams - Fotolia

Millions of businesses vulnerable to fax-based cyber attack

Hackers could exploit security vulnerabilities in fax machines to launch cyber attacks in millions of organisations around the world, researchers warn, underlining the need for cyber resilience

There are more than 45 million fax machines in use in businesses and homes globally and every one of them could be used to launch a cyber attack, Check Point researchers have warned, urging action.

Detailing the discovery of vulnerabilities in the communication protocols of fax machines at the Defcon security conference is Las Vegas, the researchers said a fax number is all an attacker needs to exploit the vulnerabilities to send ransomware, spyware, cryptominers and data stealers or even seize control of a company or home network. 

The vulnerabilities in protocols that were set in the 1980s and have not been updated since allow a hacker to create a specially coded colour jpeg fax image that can have any type of malware coded into the image file. This image is then sent down the phone line to the target fax device. 

When received, the image is automatically decoded and uploaded into the fax-printer’s memory, ready for printing. The embedded malware then takes over the device – and can spread to any network to which the fax-printer is connected.

The research demonstrated the vulnerabilities in HP Officejet Pro All-in-One fax printers, which use the same protocols as many other brands of faxes, multifunction printers and in online fax services. Nearly half of all laser printers sold in Europe are multifunction devices with fax capability.

After discovering the vulnerabilities, Check Point shared the findings with HP, which was quick to respond and to develop a software security update for its printers, which is available on HP.com.

Although widely considered to be “old” technology, fax machines are still widely used and their use is even mandated by US health sector legislation because they are considered a trustworthy method of delivering information. Faxes are estimated to make up 75% of all communications in the US healthcare sector.

Globally, an estimated 17 billion faxes are still sent every year. In addition to healthcare, faxes are still widely used in business, particularly in the legal, banking and real estate sectors, where organisations store and process vast amounts of highly sensitive personal data.

The UK’s National Health Service alone has more than 9,000 fax machines in regular use for sending patient data, and in many countries, emails are not considered as evidence in courts of law, so faxes are used when handling certain business and legal processes.

According to IDC research, 82% of companies report increasing their fax usage in 2017, proving that fax remains at the heart of some of the biggest industries in the world.

“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers,” said Yaniv Balmas, group manager, security research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations. 

Read more about resilience

“It is critical that organisations protect themselves against these possible attacks by updating their fax machines with the latest patches and separating them from other devices on their networks. It is a powerful reminder that in the current, complex fifth-generation attack landscape, organisations cannot overlook the security of any part of their corporate networks.”

To minimise the security risk, Check Point advises organisations to check for available firmware updates for their fax devices and apply them.

Businesses are also urged to place fax devices on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.    

Ray Rothrock, chairman and CEO of security analytics firm RedSeal, said the Check Point research underlines the need for organisations to focus on resilience.

“We recommend that companies validate their segmentation policies and make sure there’s very limited access to their most valuable assets,” he said. “This isn’t a one-and-done exercise. Companies must remain vigilant, constantly monitoring all possible pathways within and between their network environments so they can quickly isolate a compromised device.

“As Check Point’s news shows, we can’t predict new, exploitable vulnerabilities. However, we can – and we must – be resilient.”

Read more on Hackers and cybercrime prevention