Faxploiting: Hackers Taking Advantage of the Forgotten Fax Function on Your Printer


steven36


“Oh, where’s that?”
“2018. I live in 2018.”

 

https://s7d3.turboimg.net/sp/42827c1e43a30e4ef399f7953091d135/Faxploiting.jpg

 

There are similar memes and jokes out there about fax machines because, outside of certain documents that are too time-sensitive for overnight delivery and require signatures, who sends faxes anymore?

We might not be sending them, but if you have an all-in-one printer system, you probably have the fax option built in. You may have forgotten about it, but hackers haven’t. To them, your printer’s unused fax option is a new attack vector.

The Forgotten Workstation

Printers have long been an afterthought for security. Even as we spend more time focusing on IoT security, or securing mobile devices, or worry about what else might be connected to the network, the printer sits in a dark corner, forgotten about until we need to make copies or it runs out of paper in the middle of a printing. And that’s a mistake.

 

“The absence of printer security configuration management stems from a lack of awareness and recognition of the risks, a lack of visibility and a lack of control over large print fleets and the unavailability of a cost-effective, vendor-agnostic cybersecurity solution that works for the whole fleet,” said Jim LaRoe, CEO of Symphion, whose company released a white paper, “Securing the Forgotten Workstation.”

 

“Large print fleets are too diverse (both in brand and geography) and dynamic (constantly changing) to rely on current print-industry approaches to print fleet management for printer security configuration management,” he noted. Another problem is that common print stream security software products, common enterprise security and data loss prevention (DLP) software don’t address printer security configuration management.

 

Or, if the manufacturer does build security features into the printer system, they aren’t always activated, especially for functions that aren’t used, such as the fax. This leaves printer devices vulnerable to attacks.

The Faxploit

While you may not use the fax function anymore, there are still millions of fax numbers in use. According to CSO, researchers from Check Point found “an attacker could send a malware-coded image file to the target. The fax machine portion of an all-in-one printer would then decode the image file and upload it to memory.” All they needed to do this was a fax number and an all-in-one device to dump malware into the network.

 

One industry especially vulnerable is the healthcare industry, as it is one of the few industries that still uses faxing as a way to share documents quickly and efficiently. Often, information between doctors, insurance companies and patients or family members can’t wait for an overnight delivery and it can’t be sent via email.

 

“Hackers are always trying to find new ways to get into hospital networks and cause nearly $13 million in damages for every breach,” said LaRoe. “With the widespread adoption of electronic health records (EHRs), more and more patient information is at risk and it is the responsibility of the CISO to protect these records. Unfortunately, many CISOs are currently unaware of a massive security risk to their network.”

Can You Stop Faxploiting?

Organizations can take proactive steps to protect their printers and fax machines by applying software updates and adding security measures so that only authorized persons can use the machines, said Heather Paunet, vice president of product management at Untangle. “However,” she noted, “fax machines generally have no authentication capabilities to stop a remote attacker from sending a fax.”

 

If your organization must use fax machines, the best solution is to put the fax and printers on a separate network segment. “This mitigates any problems if a hacker does gain control of the printer or fax, as no other devices can be exploited,” Paunet said.

 

Beyond that, existing security efforts provide only partial security for the print stream and enterprise because they omit printer security configuration management—the missing piece that exposes the entire enterprise to risk.

 

Doing nothing puts the business at risk of a breach—and, in healthcare settings, at risk of HIPAA compliance issues. Replacing an entire printer fleet with new printers is expensive and won’t solve the problem of open ports.

 

“New solutions must be offered, and printer manufacturers need to partner with security solution providers to solve the issue from a combined effort,” said LaRoe. “But first, everyone from the CISO to the CEO needs to recognize the magnitude of the problem that printer security has for hospitals and take action before the next very costly breach.”

 

Source

8 hours ago, steven36 said:

“However,” she noted, “fax machines generally have no authentication capabilities to stop a remote attacker from sending a fax.”

 

Personally I have never seen a fax machine that didn't have security as part of its setup. The ones we still have require a user to log in to send a fax, and to receive a fax, the sender has to key in a code at the end of the phone number or the system will not connect. I get 2-3 calls a day to my personal fax system that fail because the person trying to connect doesn't know the 8-digit code required to connect. I always check the log to see who called and do a reverse phone lookup. I haven't seen or heard of faxes being used by medical facilities in years since records can be transmitted over their private secure systems electronically.



Well...

Personally I have never seen a fax machine that has security as part of its setup. The sender just has to compose the receiver's fax number. No secret code, just fax number for people to send what they have to send, so that receivers do receive what they have to receive. I've seen faxes being used in research facilities, don't know about medical ones.



50 minutes ago, mp68terr said:

Well...

Personally I have never seen a fax machine that has security as part of its setup. The sender just has to compose the receiver's fax number. No secret code, just fax number for people to send what they have to send, so that receivers do receive what they have to receive. I've seen faxes being used in research facilities, don't know about medical ones.

He's just a nutbag because this was a 0-day exploit by Check Point researchers where they use the NSA virus Eternal Blue that HP patched...
 

Quote

 

So, after a long and tedious research, we finally succeeded in this mission.


In fact, we found several critical vulnerabilities in all-in-one printers which allowed us to ‘faxploit’ the all-in-one printer and take complete control over it by sending a maliciously crafted fax.

 

From that point on, anything was possible. We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending…a fax.

 

 

 

Quote

 

Disclosure Timeline

The responsible disclosure process was coordinated with HP Inc, which were very helpful and responsive during the process.

  • 1 May 2018 – Vulnerabilities were disclosed to HP Inc.
  • 1 May 2018 – HP Inc acknowledged our submission and started working on a patch.
  • May – June 2018 – Coordinated effort to recreate the PoC and patch the vulnerabilities.
  • 2-3 July 2018 – Face to Face meeting with HP Inc:
    • The vulnerabilities were demonstrated and discussed.
    • The patches by HP Inc were tested and approved by both parties.
  • 23 July 2018 – The vulnerabilities were flagged as Critical.
  • 1 August 2018 – HP Inc published the patched firmware on their site [ref.1].
  • 12 August 2018 – Official public disclosure during DEFCON 26.

 

 

    Proof of concept

    https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/

     

    The problem with fax machines is they're IoT devices and most of the time never get patched even if a vendor updates the firmware.

     

    There's a bunch of nutbags who don't do Windows updates who never patched their systems for Eternal Blue and it's still a big problem in the wild; they use it in all kinds of malware now.

    https://www.zdnet.com/article/why-the-fixed-windows-eternalblue-exploit-wont-die/

     

    Quote

    "Until organizations patch and update their computers, they'll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns," Cybereason added. "There's no reason for security analysts to still be handling incidents that involve attackers leveraging EternalBlue. And there's no reason why these exploits should remain unpatched."

     



    Archived

    This topic is now archived and is closed to further replies.
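
An added illustration, not part of the original thread or the Check Point research, of the segmentation advice quoted in the article: a small Python check over firewall flow records that flags any connection a printer-segment host initiates toward another segment, such as the SMB traffic a compromised all-in-one would need to reach PCs. The subnet, allow-list and log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed layout (hypothetical): printers and fax devices sit in their own segment.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
# The only flows printers are expected to initiate: (destination, port).
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.20.1.5"), 514),  # syslog collector (assumed)
    (ipaddress.ip_address("10.20.1.6"), 25),   # scan-to-email relay (assumed)
}

# Constructed sample flow records: "time src dst dport action"
SAMPLE_FLOWS = """\
2018-08-13T09:00:01 10.20.10.44 10.20.30.17 9100 ALLOW
2018-08-13T09:00:07 10.20.30.17 10.20.1.5 514 ALLOW
2018-08-13T09:02:30 10.20.30.17 10.20.10.44 445 ALLOW
2018-08-13T09:02:31 10.20.30.17 10.20.10.45 445 DENY
2018-08-13T09:03:00 10.20.30.18 10.20.30.17 80 ALLOW
bad line
"""

def audit_printer_flows(text, printer_net=PRINTER_NET, allowed=ALLOWED_EGRESS):
    """Return findings for flows a printer-segment host initiated toward
    another segment that are not on the egress allow-list."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if src_ip not in printer_net or dst_ip in printer_net:
            continue  # not printer-initiated, or stays inside the segment
        if (dst_ip, port) in allowed:
            continue
        # ALLOW: the segment boundary let it through. DENY: it held, but the
        # printer is attempting connections it has no reason to make.
        severity = "segmentation-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((ts, src, dst, port, severity))
    return findings

if __name__ == "__main__":
    for finding in audit_printer_flows(SAMPLE_FLOWS):
        print(*finding)
```

A "blocked-attempt" finding is still worth investigating: a printer that starts probing TCP 445 on workstations is behaving unlike a printer, even when the firewall stops it.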
