New vulnerabilities discovered in fax machines, printers

Johannesburg, 17 Aug 2018
Read time 4min 00sec
A fax number is all an attacker needs to exploit printer flaws.

Newly discovered vulnerabilities in millions of fax machines and printers worldwide could allow criminals to hack networks by sending malicious faxes.

This is according to new Check Point research, which reveals that cyber criminals are targeting company and private fax machines to take over networks and spread malware via the communication protocols.

"A fax number is all an attacker needs to exploit the flaws, and potentially seize control of a company or home network. [A fax number is] is often publicly available on any employee's business card or company Web site," the report points out.

Check Point researchers say they discovered the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers, and shared the findings with HP. Following the discovery, the printer company has developed a software patch.

The same protocols used in HP Officejet Pro All-in-One fax printers are used by many other vendors' fax machines and multifunction printers, and by online fax services such as fax2email, so it is likely these are also vulnerable to attacks by the same method, reveals the report.

"Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers. These overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations," says Yaniv Balmas, group manager, security research, at Check Point.

While this research was conducted on all-in-one multifunctional printers, (which perform functions like printing, faxing, scanning and photocopying), Check Point says similar vulnerabilities are likely to be found in other fax implementations, such as fax-to-mail services and standalone fax machines.

Enterprise risk

Muyowa Mutemwa, cyber security specialist and researcher at the CSIR's cyber defence research group, says multifunction printers, particularly those with hard drives, present a risk to enterprise security.

"Researchers have been able to retrieve deleted documents and ones that had been previously printed, despite them being encrypted. Information that you print actually gets retained on the hard drive itself. Because printers are connected to the network, you can access the administrative consoles that are connected to these printers and test passwords to see if you can get onto the printer," he explains.

Most organisations set up their IT infrastructure based on business and operational needs rather than security considerations and requirements. If the telephone lines are connected to the printer-fax machine, then an attacker need only penetrate one access point in order to enter the entire corporation's network, warns Check Point.

"Once an attacker obtains an organisation's fax number, he sends a specially created image file containing malware by fax to the target. The malware can then potentially breach sensitive data or cause disruption by spreading across any network to which the fax machine is connected," explains Eyal Itkin, researcher at Check Point.

According to printing and imaging solutions firm Lexmark, smart multifunction printers offer the same potential for harm as a determined hacker with unrestricted access to the office's local area network. Unlike older printers, multifunction printers make a digital copy of each document before it's printed or sent over e-mail, and, if left unprotected, this information is vulnerable to cyber theft.

Still relevant

According to a report by Allied Market Research, the portable printer market is projected to reach $1.6 million by 2023, with nearly half of all printers sold being multifunctional devices.

While fax machines declined with the massive spread of computers and smartphones, there are still over 45 million fax machines in use by businesses globally, with 17 billion faxes sent every year, notes Check Point.

Unlike many other traditional technologies, faxing keeps surviving partly because today's fax machines have evolved into multifunctional machines that are often connected to the computer network.

"Multifunctional fax machines are still widely used in several industry sectors, such as healthcare, legal, banking and real estate, where organisations store and process vast amounts of highly sensitive personal data. The UK's National Health Service alone has over 9 000 fax machines in regular use for sending patient data. Furthermore, in many countries, e-mails are not considered as evidence in courts of law, so fax is used when handling certain business and legal processes," says Check Point.

Sibahle Malinga
ITWeb journalist.

Sibahle Malinga, ITWeb journalist.

Companies in the news