If you think about your fax machine at all, then it's likely only when someone places a fax on your desk or if you need to sign something that requires a legal signature—though, with the advent of DocuSign, even that scenario is growing increasingly rare. If you're in information technology (IT), then you probably don't even know how many fax machines your business has, where they're located, or even who's responsible for their security. Bad news: It's probably you.
You'll be able to find a few of them fairly quickly; the human resources (HR) department will surely have one and likely the accounting department, too. But what you may not realize is that there are probably several more fax machines that your users only think of as printers or scanners. In fact, it's those all-in-one devices—the ones that can both print and scan—that have suddenly evolved into true Internet of Things (IoT) devices, quietly running amidst the background noise of your network with absolutely no security. As of now, that's a problem.
The question is, why would a fax machine impact network security? The answer is that it might not—if it's a dedicated fax machine that simply sits on a table and churns out faxes on thermal paper. Unfortunately, those have become a rarity since faxing became just another subfunction on a slew of low-cost printers. That trend has spawned so many "dormant" fax machines even in today's average small to midsize business (SMB) networks that they, along with a growing number of other IoT-connected devices, have become a significant IT threat. This fact was made clear when researchers at Check Point Software announced earlier this week that they had found a vulnerability affecting HP multifunction devices that probably also affected similar devices from other manufacturers, including fax servers and even online fax services.
HP OfficeJet Pro 8730 All-in-One Printer
Multifunction Devices Found Vulnerable
The discovered vulnerability lets hackers take over a fax device, and from there, send malware throughout the corporate network, much of it entirely new to today's endpoint protection services. Yaniv Balmas, Security Research Group Manager at Check Point Software, explained that what's required is to send the networked fax device an image that the device can't handle. He said that he suspected that such devices might have this vulnerability so he decided to take a look.
"We found the vulnerabilities exactly where we thought we would," Balmas said. "The specific vulnerability is that fax is an image and it's parsed as a image."
He explained that, originally, fax machines sent TIFF files that were rendered as grayscale. But he said that the vulnerability appeared with color faxes, which are supported by multifunction devices, such as the HP OfficeJet Pro.
"We found a vulnerability with color fax, which most printers support," said Balmas. "That's sent as a JPEG. The printer has some issues with parsing the JPEG."
Top Online Fax Services
How Was This Vulnerability Discovered?
Balmas sent his HP OfficeJet Pro a very large JPEG file coded as a color fax. When the fax machine part of the printer began processing the image, it experienced a buffer overflow, which left the machine as well as its 32-bit processor and memory, vulnerable to intruders. The Check Point Software team then found that they could insert the Eternal Blue malware, and from there, attack an entire network.
"You have an IoT device with no security. It bridges the network with the telephone line, disregarding the perimeter defenses," Balmas explained. Check Point Software has made a YouTube video that demonstrates the process, and it has published a detailed description of how it all works.
Unfortunately, knowing the problem exists is only half the battle. Now you have to do something about it. First, because Check Point Software initially found the vulnerability in HP printers, they contacted HP, which investigated the problem. HP then created a patch and issued a security bulletin.
An HP spokesperson explained, "HP was made aware of a vulnerability in certain printers by a third party researcher. HP has updates available to mitigate risks, and [has] published a security bulletin with more information. HP takes security seriously, and we encourage customers to keep their systems updated to protect against vulnerabilities."
How to Protect Your Network
The company's security bulletin reveals that the vulnerability exists in a wide range of fax-capable printers and multifunction devices, such as the aforementioned HP OfficeJet Pro. HP's self-installing patch for those devices is available for download from the support pages for each device.
So the next question is, what can you do to protect your network against this sort of an attack, since HP is apparenlty not the only vendor whose products are vulnerable? Here's a quick list to get you started:
First, find out how many networked fax devices, as well as similar networked IoT devices, are currently running in your production environment. You can do this by using a network monitoring package, such as Editors' Choice LogicMonitor, which we reviewed last year.
Next, locate the devices, and determine which of them are connected to phone lines. If they're connected but the fax feature isn't being used, then disconnect the phone line.
Then, locate the fax device that's connected to the fax number on your website. If possible, connect that to a standalone fax machine. If your fax volume is too high for that, then you'll need to separate the fax machines from the rest of the corporate network or employ a cloud-based fax service with its own protections.
Use network segmentation to prevent traffic from the fax machine or fax servers from reaching the general network. This may mean internal firewalls or it may mean routers configured to deny access from the fax device's IP address.
- The Best Online Fax Services of 2018 The Best Online Fax Services of 2018
- The Best Network Monitoring Software of 2018 The Best Network Monitoring Software of 2018
- Hackers Can Exploit Fax Machines to Compromise Entire Networks Hackers Can Exploit Fax Machines to Compromise Entire Networks
Configure any devices that must exist on your network to turn off auto-answer. Unless there's a compelling reason for departments to receive their own faxes, it's more secure to disable this function in the machine's configuration menu.
Consider using an online fax service instead of internal fax devices regardless of your fax volume. PCMag has recently reviewed several online fax services and many of them have plans for corporate users, including Editors' Choice HelloFax. Using these services gets the vulnerability and the insecure phone line out of your network completely.
And, finally, of course, you can take Balmas' advice and stop using faxes completely. As he points out, it's ancient tech anyway.