Fax Capable-Printers, an Attack Prospect for Malware Payload

The fax machine in the eyes of the millennial generation is what is the Walkman, cd player and cassette tapes are today, a relic of the forgettable past. However, some firms still find a space for it in their offices due to legacy requirements, there are still contacts, customers, and suppliers that cannot move-on on using communication devices that use the RJ11 telephone cable. There is still an existing and visible segment of the printer market that still requires fax capability with multipurpose printers. Besides, Fax capability adds an additional bullet to the list of the features a multipurpose printer manufacturer can compete against its rivals.

At the Defcon, touted as the world’s oldest and still running the annual hacking conference, demonstrated the insecurity of the multipurpose printers, due to a vulnerability in their Fax feature. At the backdrop of 46.3 million fax machines still operating worldwide, the vulnerability created a backdoor for tens of millions of organizations to be victimized sooner or later by a data breach.

“Fax has no security measures built in – absolutely nothing. There seems to be a lot of organizations, government agencies, banks and others that are still using fax. Fax is still considered visual evidence in court but an email is not. That’s why some government agencies require you to send a fax. The protocols we use for fax were standardized in the 1980s and have not been changed since” said Yaniv Balmas, Security Research Group Manager of Checkpoint, a cybersecurity consulting firm. An all-in-one printer is a device that normally comes function as a scanner, copier, a fax machine and a printer. It is normally connected to a corporate network 24/7/365, mostly a device that is installed to the office once almost maintenance free except for changing of the ink cartridge and cleaning of print heads.

The exploit is not trivial but it is not hard to use, as it requires the attacker to only know the fax number associated with the machine, even without the knowledge of the network where it is connected. The malicious fax message takes advantage of the flaw as detailed in the CVE 2017-976. The fax message is in an image file, which can carry any payload against the network, be it remote monitoring tools, ransomware and etc.. Once the malicious payload is loaded into the all-in-one printer’s memory, it can crawl its way into the network like a worm, compromising the unpatched computers in the process.

As of this writing, only HP Officejet Pro 8720 and HP Officejet Pro 6830 are the named affected devices from the DefCon conference. Checkpoint has already confirmed that HP has released an updated firmware that will address the concern, however, it is still unknown if HP can push the update to the affected machines automatically, or if it will require manual installation by the system administrators.

“The same protocols are also used by many other vendors’ faxes and multifunction printers, and in online fax services such as fax2email, so it is likely that these are also vulnerable to attack by the same method. This new vector poses a serious threat to organizations who may well not be aware of how accessible their entire network is, and how all their most sensitive information may be exposed, via a piece of equipment that is still sitting on the shelf collecting dust,” Checkpoint representative concluded.