THAT SEEMINGLY BENIGN, old-school office device—the fax machine—has a security vulnerability that cybercriminals may look to exploit with a simple phone number. Channel pros need to ensure that their customers’ fax machines, which are typically part of their multifunction printers today, do not become a new conduit for attack.
Yaniv Balmas and Eyal Itkin, researchers at cybersecurity company Check Point Software Technologies, discovered the vulnerability, which they dubbed “Faxploit,” this past August. The pair became curious about fax machine security and chose an HP OfficeJet all-in-one printer as their test subject. “HP was a market leader and the model was cheap,” Itkin says, explaining the selection.
After some dogged reverse engineering, the researchers discovered a vulnerability in the fax communications protocol that a hacker could exploit to create and send a malicious fax in the form of an image file, and thereby take over the device.
“As soon as we started the research,” Itkin says, “we learned that the old standard protocol is very complicated.”
“If there’s not a reason to have a fax machine, just eliminate the attack vector.”—CHAD KNUTSON,PARTNER, SBS CYBERSECURITY
If a multifunction machine is connected to computers on a corporate network (which is why a dedicated fax machine doesn’t pose as serious a risk), those other endpoints are also vulnerable. A malicious fax could be used to spread malware, steal proprietary documents, or create and distribute fake documents. And most notable, a fax machine doesn’t need to be connected to the internet—all that’s required is a phone line and fax number.
Check Point’s research attracted serious attention among cybersecurity pros, according to Blake Coe, senior vice president of network security at consulting firm SBS CyberSecurity. “No one to my knowledge has used the phone lines to get at the internal network in the manner which they [the researchers] did,” he says. While there are no known vulnerabilities in other office devices, Coe says he wouldn’t be surprised if some existed, should anyone look hard enough.
When it comes to mitigating the Faxploit risk, channel partners whose clients use HP multifunction devices have an advantage—HP has issued patches for many of its models in response to Check Point’s research.
As for other vendors’ devices, Chad Knutson, a partner at SBS CyberSecurity, says the Faxploit offers an object lesson. “Understand how things come and go from your environment and apply basic principles of information security,” he says. The three he recommends for Faxploit are: Update all firmware, segregate fax machines from a corporate network to limit exposure, and disconnect the phone line if fax is not used.
“If there’s not a reason to have a fax machine, just eliminate the attack vector,” he says.