
Faxploit: What Is It and Why Should I Be Worried?


At the recent DEF CON 26 conference, two researchers from the security firm Check Point demonstrated an exploit against an HP OfficeJet all-in-one printer. The attack, which they named Faxploit, is delivered through the fax channel itself: an attacker who knows the device’s fax number dials it and sends a malicious image file. The device decodes that image as part of normal fax handling, and flaws in the firmware’s handling of the decoded image let the attacker run code on the device and take control of it.


Once the device has been “owned,” the attacker can use it as a foothold into the network, pivoting to PCs and servers to read confidential information, install ransomware, or carry out other malicious activity. In the DEF CON demo, the researchers used the EternalBlue SMB exploit (of WannaCry infamy) to reach a document on another PC and fax it back to themselves, effectively “stealing” the information over the same phone line the attack came in on.


The important difference from most attacks is the delivery path. Faxploit does not arrive over the internet; it arrives over the telephone line, and the vulnerable code is the fax handling itself. A fax device that can be reached by phone can be attacked even when the network it sits on has no internet connection at all.



Am I Affected?

Check Point notes that this exploit has not yet been seen in the wild, but before you think to yourself “no one sends faxes anymore; it’s 2018!”, keep a few statistics in mind. Check Point counts 46.3 million fax machines in use around the world, 17 million of them in the United States, and that figure covers standalone fax machines only. Once all-in-one devices (print/copy/scan/fax) are included, the researchers estimate that hundreds of millions of devices are affected. In addition, it is estimated that fax accounts for around 75% of all communications in the US healthcare sector.


Although the Check Point DEF CON demonstration specifically used HP all-in-one devices, the researchers state that “the same fax communication protocols are used by other fax machine vendors, and our team of analysts has every reason to believe the same exploit can be applied to fax machines of other vendors.” HP has released firmware patches for its affected devices, but other manufacturers’ devices are likely still vulnerable.



What Should I Do to Mitigate Risk?

Patch Your Stuff
First, keep your devices patched. If you have an HP device, the HP support site lists the affected models and the firmware update for each. For other vendors, watch their support sites for updates as they appear.


Disconnect or Segment
The simplest way to remove the exploitation risk is to disconnect the phone line from any fax/all-in-one device that does not actually need to send or receive faxes. The phone line is the biggest risk: a malicious fax delivered over it bypasses your traditional network security controls, such as the firewall. With no phone line attached, every path to the device runs through your network and your firewall, where you can control and monitor the traffic.

Faxploit Diagram


For fax devices that must keep a phone line or persistent connectivity, network segmentation becomes the top priority for controlling risk. Whether you use firewalls or VLAN controls, make sure these vulnerable devices are fully separated from any systems holding confidential information, and that the device can only initiate the few connections it genuinely needs. A guiding principle for your network should always be “if it doesn’t need to talk to everything else on the network, segment it.” It is not yet known exactly how fax cards in servers are affected, but as discussed above, if your fax card has a phone line attached, your server is potentially exposed.


Know How to Detect
Review your detective controls as well, such as endpoint protection and internal network monitoring, so that you can identify an intrusion should one occur. For this attack, the signal to look for is a printer or fax device initiating connections it has no business making, such as SMB (TCP/445) to workstations, which is exactly how the demo pivoted with EternalBlue. If you’re not sure what you should be looking for on your network, check out our 50+ Incident Response Preparedness Checklist Items.
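The following Python example is added here to make the segmentation and detection advice in the two sections above concrete; it is not code from the SBS post or from Check Point. It encodes a segmentation policy for a fax/all-in-one (MFP) VLAN in which the device may only be reached on print/scan ports from the user segment and may only initiate DNS, NTP and scan-to-folder SMB to designated servers, then runs constructed flow records through that policy to flag the kind of pivot the demo used (the MFP opening TCP/445 to PCs). All addresses, ports, server roles and log lines are hypothetical; substitute your own.

```python
"""Segmentation policy and flow-log check for a fax/all-in-one (MFP) segment.

Added example (not from the SBS post or Check Point). Encodes the rule
"if it doesn't need to talk to everything else, segment it" for a fax device
and runs constructed flow records through it to flag a compromised MFP
opening SMB (TCP/445) to PCs. Addresses, ports and log lines are hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing plan (hypothetical; substitute your own VLANs).
MFP_SEGMENT = ipaddress.ip_network("10.10.50.0/24")   # fax / all-in-one devices
USER_SEGMENT = ipaddress.ip_network("10.10.20.0/24")  # workstations
INFRA_DNS_NTP = ipaddress.ip_address("10.10.30.10")   # assumed DNS/NTP server
SCAN_SHARE = ipaddress.ip_address("10.10.30.20")      # assumed scan-to-folder file server

# Inbound to an MFP: only the protocols users need to print and scan.
ALLOWED_TO_MFP = {("tcp", 9100), ("tcp", 631), ("tcp", 515), ("tcp", 443)}
# Outbound from an MFP: only the few services it legitimately initiates.
# SMB is permitted to the one designated scan share and nowhere else.
ALLOWED_FROM_MFP = {
    (INFRA_DNS_NTP, "udp", 53),
    (INFRA_DNS_NTP, "udp", 123),
    (SCAN_SHARE, "tcp", 445),
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the MFP policy."""
    if flow.src in MFP_SEGMENT:  # device-initiated: default deny
        if (flow.dst, flow.proto, flow.dport) in ALLOWED_FROM_MFP:
            return "allow", "mfp to permitted service"
        if flow.proto == "tcp" and flow.dport == 445:
            return "deny", "mfp-initiated SMB to non-scan host (possible pivot)"
        return "deny", "mfp-initiated connection not on allowlist"
    if flow.dst in MFP_SEGMENT:  # inbound: user segment on print/scan ports only
        if flow.src in USER_SEGMENT and (flow.proto, flow.dport) in ALLOWED_TO_MFP:
            return "allow", "user print/scan traffic"
        return "deny", "unexpected inbound to mfp (management port or wrong segment)"
    return "allow", "not an mfp flow; policy does not apply"


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flow(line: str) -> Optional[Flow]:
    """Parse a key=value flow record; returns None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def find_violations(lines) -> List[Tuple[Flow, str]]:
    """Return [(Flow, reason)] for every record the policy denies."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            hits.append((flow, reason))
    return hits


def smb_fanout(violations) -> dict:
    """Distinct hosts each MFP tried to reach on TCP/445; a pivot sweep hits many."""
    targets = {}
    for flow, _ in violations:
        if flow.proto == "tcp" and flow.dport == 445:
            targets.setdefault(flow.src, set()).add(flow.dst)
    return {str(src): len(dsts) for src, dsts in targets.items()}


# Constructed flow records (hypothetical firewall/NetFlow export), not real logs.
SAMPLE_LOG = [
    "2018-08-16T10:01:02 src=10.10.20.31 dst=10.10.50.7 proto=tcp dport=9100",  # user prints
    "2018-08-16T10:01:05 src=10.10.50.7 dst=10.10.30.10 proto=udp dport=53",    # MFP DNS lookup
    "2018-08-16T10:02:10 src=10.10.50.7 dst=10.10.30.20 proto=tcp dport=445",   # scan-to-folder
    "2018-08-16T10:07:41 src=10.10.50.7 dst=10.10.20.31 proto=tcp dport=445",   # MFP -> PC SMB
    "2018-08-16T10:07:42 src=10.10.50.7 dst=10.10.20.44 proto=tcp dport=445",   # MFP -> PC SMB
    "2018-08-16T10:07:43 src=10.10.50.7 dst=10.10.20.58 proto=tcp dport=445",   # MFP -> PC SMB
    "2018-08-16T10:09:00 src=10.10.20.31 dst=10.10.50.7 proto=tcp dport=23",    # telnet to MFP
    "2018-08-16T10:09:30 malformed line with no flow fields",
]

if __name__ == "__main__":
    hits = find_violations(SAMPLE_LOG)
    for flow, reason in hits:
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print("SMB fan-out per MFP:", smb_fanout(hits))
```

The same `evaluate` rule set is what you would translate into firewall or VLAN ACL entries between the segments; running it over exported flow logs gives you a cheap check that the device is not quietly initiating connections the policy forbids. Note that scan-to-folder is the one legitimate SMB use an MFP has, which is why it is allowed to a single named server rather than blanket-denied.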



A Journey, Not a Destination

Fax machines potentially leading to the compromise of entire networks in 2018 reinforces the fact that information security never reaches an end state. There is no such thing as completely secure. New vulnerabilities will always be found, and the technology we rely on will betray us if we are not proactive about protecting our networks, our clients, and our information. Build out an Information Security Program and processes that let you practice proactive rather than reactive security, and you will find yourself less stressed. Getting ahead of issues and working towards good security, rather than reacting to audit and exam findings, pays off when the next major vulnerability appears and forces you to stop what you are doing and put out that fire.



Written by: Dan Klosterman
Information Security Consultant
SBS CyberSecurity, LLC


SBS Resources:

  • {Special Report Hacker Hour} Lessons Learned From DEF CON 2018: Every year SBS sends its finest to Las Vegas for the annual DEF CON convention, one of the oldest and largest hacker conventions around. These conferences feature presentations by leading ethical hackers and by FBI and NSA agents. Join this special edition Hacker Hour as we discuss what we experienced at DEF CON 2018 and what could impact you in the near future.
  • 50+ Incident Response Preparedness Checklist Items: If you are uncertain how to go about preparing for and detecting an incident on your network, you are certainly not alone; this checklist will get you started. It contains over 50 items, to be prepared ahead of time, in the following areas: Configurations, Logging, Vendor Information, Key Personnel, and Detection Monitoring.





Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS also offers products and services to help financial institutions with these specific issues.

Posted: Thursday, August 16, 2018
Categories: Blog