The fax machine is widely considered to be a dinosaur of interoffice communications, but it lives on as part of all-in-one printers and may present a vulnerable point where hackers can infiltrate an organization’s network, according to a new report from Israeli software company Check Point. The company said the vulnerability was identified as a result of research intended to discover potential security risks, not as the result of any attack.
Hackers can gain access to a network using the phone line connected to a fax machine, which is often connected to the rest of an organization’s network. By sending an image file that contains malicious software over the phone line, hackers are able to take control of the device and access the rest of the network. The researchers were able to do this using only a fax number, which is often widely distributed by organizations on business cards and websites.
The report estimates that there are more than 17 million fax machines in use in the United States. The legal and medical fields rely heavily on fax machines to conduct business, because compared with email, fax is widely considered to be a more secure form of transmitting sensitive information and signatures. The banking and real estate sectors also frequently transfer documents containing signatures via fax.
With the advent of all-in-one products that include fax functions as well as printing and scanning, fax machines may be more prevalent in homes and offices than people realize. This particular vulnerability applies only if such a machine is connected to a telephone line, however.
The only machines tested were from HP’s line of all-in-one printers, but, according to the report, these vulnerabilities are likely to be found in machines from any manufacturer that use similar technology. HP issued a patch for its products before the report was published; it is available for download from the company’s support website.
The report advises that if a fax machine is too old to support a software update, or if the manufacturer has yet to issue a patch to fix the vulnerability, fax capabilities should be used only on a segmented part of the network without access to critical data. The report also advises that the phone line connected to an all-in-one type machine should be disconnected if a user or organization does not use the fax functions.
Moore writes for the Washington Post.