If you're still using a fax machine, you're not only old fashioned, you're probably vulnerable to cyber attacks.
Researchers at Check Point, a cyber security firm, have uncovered vulnerabilities in the communication protocols used in tens of millions of fax devices. If the attacker has the fax number, that’s all they need to exploit the flaws and potentially seize control of a computer network.
Specifically, the Check Point researchers focused on the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers. Its protocols are also used by other manufacturers' faxes and multi-function printers.
Check Point says the protocols are also employed in online fax services such as fax2email, and researchers say it is likely that these are also vulnerable to attack by the same method.
HP has already issued a patch
Once informed of the findings, Check Point says HP quickly developed a software patch for its printers, which is available here.
There are a reported 45 million fax machines still in use, both in homes and offices. The '80s technology is especially prevalent in healthcare, law offices, banking, and real estate, and these networks often contain vast amounts of sensitive data.
“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers,” said Yaniv Balmas, Group Manager, Security Research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations."
Here's how it works
It's a fairly simple hack. Once the attacker obtains a fax number, they send an image file to the machine. Embedded within the image is a code that the machine recognizes, decodes, and uploads into its memory.
Check Point says this process gives the attacker the ability to break into any device that is connected to the fax's computer network.
Dom Chorafakis, founder of the cyber security consultancy Akouto, says the simplicity of the attack is what makes it so dangerous.
"The malware is embedded within a specially crafted [message] and delivered over the phone line via standard fax, so there are no defensive measures like firewalls or antivirus that can be put into place to prevent this attack," Chorafakis told ConsumerAffairs. "End users have to rely on equipment vendors to check their firmware and provide updates.
While these attacks can be hard to stop, there are a couple of ways to protect yourself before being targeted. First, check your machine's manufacturer for available firmware updates and apply them.
For businesses and organizations, the fax machine should be on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.