The fax machine might seem like a relic of the past in this age of instant communication, but fax systems are still in millions of offices as part of connected all-in-one printers, and that connectivity makes these systems another pathway for hackers to get into corporate and consumer networks. Researchers at Check Point put that threat into focus when they took advantage of vulnerabilities in the fax functions of an HP Inc. OfficeJet inkjet printer to gain entrance into other systems on the network.
By sending what the researchers called a "maliciously crafted fax," they were able to exploit several vulnerabilities in the widely-used ITU T.30 fax protocol found in HP's implementation in all of its inkjet printers -- including the Officejet Pro 6830 used in the research -- and take complete control of the machine.
"From that point on, anything was possible," Check Point security researchers Eyal Itkin and Yaniv Balmas wrote in a blog post. "We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax."
The researchers talked about their work at the Def Con 2018 conference. In addition, Check Point notified HP officials about the two vulnerabilities (CVE-2018-5925 and CVE-2018-5924) before announcing the results of the research, enabling the vendor to release patches for both.
At a time when everything from email and text to mobile applications and cloud services dominate our communications methods, it shouldn't be lost on companies that fax machines are not only still around as part of larger systems, but that they're connected both to the corporate network and the outside world.
Itkin and Balmas noted that a Google Search found that there are still more than 300 million fax numbers in use and that all-in-one printers "are then connected both to the internal home or corporate networks through their Ethernet, WiFi, Bluetooth, etc., interfaces. However, in addition they are also connected to a PSTN phone line in order to support the fax functionality that they include."
Particularly in the era of the Internet of Things, companies should be careful not to overlook such machines as printers and other connected devices as they plan out their security environment, according to Joseph Kucic, chief security officer at cybersecurity provider Cavirin. (See DNS Rebinding Attack Could Affect Half a Billion IoT Devices.)
"War-dialing was a very common method to find PSTN connections years ago, but it is still an effective method for hackers, as the Check Point Faxploit shows," Kucic told Security Now in an email. "Today, many printers/scannners/multi-use devices also establish Internet outbound connections to be able to receive transmissions. A good cyber posture includes having a holistic view of the entire environment. Many enterprises find that the building/facility security and/or CCTV networks are vulnerable points of entry as they traditionally have not been managed by cybersecurity teams."
The Check Point analysts agreed, saying "this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network."
All-in-one printers with fax functions support protocols that conform to the ITU T.30 standard, which details the capabilities required from both the sender and receiver. It also outlines the various phases of the protocol. Usually, but not always, the Officejet printer uses the .TIFF image format when sending a fax.
When the researchers saw they could send a color fax, they learned that the data is received and stored to a .jpg file, giving the researchers control of the entire file. They did this by sending malicious code through the fax, where it eventually was stored in memory.
The next step was getting the color fax printed. Here the researchers found a custom JPEG parser being used instead of the libjpeg standard. It was in the JPEG parser that Itkin and Balmas found the two vulnerabilities.
"From an attacker's point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising," they wrote.
Going from exploiting the vulnerabilities to spreading into the computer network meant using the Eternal Blue and Double Pulsar tools, both of which were developed by the National Security Agency (NSA) and used on the researchers' file-based Turing Machine. With the tools, they were able to infiltrate the systems on the entire network, a move that would give hackers access to sensitive data and files.
"Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol," Itkin and Balmas wrote. "Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer."
— Jeffrey Burt is a longtime tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.