New research shows that one office machine can cause serious security issues — and it’s not the computer. Believe it or not, the fax machine could potentially allow an attacker to steal sensitive files through a company’s network, using just a phone line and a fax number.
According to a CNBC report, researchers at Check Point Software Technologies “showed how they were able to exploit security flaws in a Hewlett Packard all-in-one printer.” While stand-alone fax machines might be a rarity these days, the fax function is still common in all-in-one printers. In fact, the researchers pointed out that there are over 300 million fax numbers in use today.
“Check Point Research has uncovered critical vulnerabilities in popular implementation of the fax protocol,” wrote researchers Eyal Itkin and Yaniv Balmas. “These vulnerabilities [allow] an attacker, with mere access to a phone line and a fax number, to attack [their] victim’s all-in-one printer – allowing him full control over the all-in-one printer, and possibly the entire network it’s connected to.”
The researchers explained that they faxed lines of malicious code, disguised as an image file, to the printer, on the assumption that no one usually checks the contents received via fax. The file was decoded and stored in the machine’s memory, allowing the researchers to take over the printer. They were then able to infiltrate the whole computer network to which the printer was connected.
“From that point on, anything was possible. We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax,” the researchers added.
According to CNBC, HP fixed the vulnerability before the report was published, but the researchers said all-in-one printers from other companies could still have similar security flaws.