August 13, 2018 at 08:24PM WIRED Fax Machines Are Still Everywhere, and Wildly Insecure
In fact, the surprising ubiquity of fax machines is what inspired Check Point researchers Yaniv Balmas and Eyal Itkin to analyze the tech's present-day security posture. Vulnerable network printers are a classic target, and the researchers found that they could similarly exploit bugs in faxes to get inside private networks.
'There are absolutely no protections over fax.'
Yaniv Balmas, Check Point
"Fax is an ancient technology, the protocols we use today haven’t been changed for the past 30 years," Balmas says. "But everybody is still using fax and nobody really looks at it as a valid attack vector. So we thought, what if we could exploit a printer just by sending a malicious fax? In an all-in-one printer, one side is connected to the phone line and the other side is connected to the network. So if we could take over the device, we could then move into the internal network."
Hackers have targeted fax machines for decades, and the technology is still insecure in basic ways. For example, fax data is sent with no cryptographic protections; anyone who can tap a phone line can instantly intercept all data transmitted across it. "Fax is perceived as a secure method of data transmission," says Balmas. "That’s a huge misconception—it’s absolutely not secure."
In addition to the lack of encryption, researchers say that the fax protocol—the industry standard description of how the technology should be incorporated into products—is documented in a very confusing way. As a result, they suspected that it was likely implemented improperly in many devices. When the researchers analyzed the Officejet line of fax-capable all-in-one printers from industry giant Hewlett-Packard, the found exactly the type of issue they had suspected.
The problem they discovered was a common issue known as a "stack overflow," in which the structure that stores information about a running software program overloads, causing it to crash. Attackers can initiate stack overflows strategically to gain more access or privileges on a system. So the researchers crafted a malicious fax with data in it that would exploit the bug when sent to a vulnerable machine.
"The attack scenario is actually pretty simple," Check Point's Itkin says. "A malicious attacker wants to infiltrate a covert network, let’s say a bank. And the fax number for this bank is public, so he can get that number. On the bank side, if the printer that receives the fax is also connected to the internal network, then all the attacker needs to do is send a malicious fax to this phone number and automatically he will be inside the internal network of this bank. It’s crazily dangerous."
An attacker could also embed an additional exploit into the malicious fax, so once the first phase of taking over the all-in-one printer is complete they can bore deeper into a company's network from there. In a demo, the researchers show that they've taken over an HP Officejet printer by displaying a sinister image on its screen. Then they use the infamous Eternal Blue Windows exploit as an example of a hacking tool an attacker could deploy from there to gain deeper remote network access. The researchers say it currently takes less than one minute to transmit a fax with all of this code hidden inside it, and that they could potentially reduce the transmission time even more.
Balmas and Itkin disclosed the issue, which affects all Officejet printers regardless of model or version, to HP. And the company has released a patch that adds standard protections against stack overflows. "HP was made aware of a vulnerability in certain printers by a third party researcher," HP spokesperson Luke Cuell told WIRED. "HP has updates available to mitigate risks and have published a security bulletin with more information. ... We encourage customers to keep their systems updated to protect against vulnerabilities." Many HP printers automatically download updates, but printer update adoption rates are often slow.
IT administrators have increasingly added authentication checks to network printers so that only authorized users can initiate printing—a safeguard that cuts down on the potential that a remote attacker could send a malicious print job. But the researchers say that the fax protocol doesn't allow for such a mechanism. "There are absolutely no protections over fax," Balmas says. "Even if you really wanted to do that there is no way. Fax is always sent unauthenticated, it’s a design thing, so no matter what you do I will still be able to send you this fax."
For institutions and individuals the researchers say that the crucial safeguard comes from a conceptual understanding that plugging a printer into a phone line opens up an additional avenue for potential attack.
"The real solution would be to stop using fax," Itkin says. "But if you can’t do that then probably the solution for organizations or home users would be to segregate the printers, put them in a separate network, so even if someone takes over the printer they won’t easily be able to propagate into the main network."
You probably haven't thought about fax machines—or used one—in forever. But some tech never dies; it just gets less and less secure.