The fax machine, that ancient document-transmission tool, is still in use in many offices. You would think that technology that was invented in the 19th century, and popularized in offices in the 1980s, would be fairly safe when it comes to security issues, but recent research finds that nothing is safe, not even the venerable fax.
Check Point Research published a blog post last week outlining a vulnerability in some fax machines. A fair number of young people probably don’t even know how to use a fax, but Check Point searched Google and found more than 300,000 dedicated fax numbers in use. Granted, a Google search for fax numbers might not by itself indicate the level of fax use, but it’s fair to say a number of these machines are still in use in the world.
While there are still stand-alone fax machines, Check Point points out that the more common use case today involves an all-in-one printer, which includes faxing capability, and that’s where they found the issue.
Nothing is safe
Surprisingly, Check Point didn’t find the vulnerability in the printer’s Internet, WiFi, or Bluetooth connections. Instead, the fax capability requires that you connect the printer to a phone line, and it was here the company found the vulnerability.
“In fact, we found several critical vulnerabilities in all-in-one printers which allowed us to ‘faxploit’ the all-in-one printer and take complete control over it by sending a maliciously crafted fax,” Check Point’s Eyal Itkin and Yaniv Balmas wrote in a blog post about the vulnerability.
From there, assuming the printer/fax was connected to the network, the hacker could use the fax machine as a stepping stone into your wider computer network. This brings to mind a story I heard at RSA a couple of years ago. A company was sure it had a completely secure data center, but a vendor found a vulnerability in a wireless keyboard being used by one of the IT admins working in the data center.
Finding the smallest cracks
Last week, at DefCon, a couple of security researchers gave a presentation on how to take over an Amazon Echo, a decidedly more modern device than the fax machine. The hack was complex, and involved modifying one Echo to act as a listening device for others, which they connected together on a local area network (LAN).
While these researchers clearly thought outside the box to find these vulnerabilities, there are people (and even nation states) out there working overtime to exploit similar issues to find openings into your networks.
As an MSP helping companies navigate this ever-changing threat landscape, you need to find tools and technologies that help you keep on top of the most relevant threats. These threats may sound scary, but in the end you have to figure out which vulnerabilities are most likely to affect you and your customers. From there, you need to put your resources into protecting your clients’ key assets to the greatest extent possible.