Cyber criminals now have a new target: Fax machines
13 August 2018
Do you still have fax machines lurking somewhere in your office? If you do, this is probably the best time to get rid of them.
Fax machines have survived the churn of time, have outlived pagers, CD-ROMs, DVDs, and dial-up Internet. While many businesses no longer use fax machines are there are quicker and more convenient alternatives for transmitting data, such machines still find a place in their attics, and for good reason.
Fax machines have so far been considered as somewhat hack-proof and more secure than e-mail even though these do not feature much security tech to begin with. A representative of Bournemouth-based AMS, a firm that offers fax solutions such as central fax servers, Cloud Fax, and Fax over IP, told Financial Times last year that not only is faxing a piece of paper very easy and convenient, a fax server also provides a full audit trail of everything coming in and going out. As such, it can’t be hacked as easily as e-mail.
Then there is the convenience factor. We have often covered how many businesses prefer convenience and efficiency over other matters such as cyber security, and such is also the case with fax machines. A survey carried out by business communications provider Fuzz in 2016 revealed that 30% British, 39% German, and 42% of French workers considered fax machines as “essential” for their productivity.
Fuze observed that it was dangerous for businesses to rely on outdated technologies like fax machines in the digital age but expressed hope that new recruits and younger employees will supplant fax machines with modern devices that are much more secure in due time.
Vulnerabilities in fax machines
A new report from security firm Check Point now offers a ‘real security reason’ for businesses to migrate from age-old fax machines to newer technologies that encrypt communications and offer secure transfer of files. Researchers at the firm revealed that if a cyber criminal obtains an organisation’s fax number, it’ll be all the criminal needs to infiltrate and exploit vulnerabilities in fax machine communication protocols.
Considering that fax machines are connected to an organisation’s IT network and to other devices such as printers and photocopiers, it is clear that if a fax machine is compromised, it could clear the way for hackers to gain access to the entire IT network, and this is exactly what researchers at Check Point did using HP fax machines.
“While this research focused on all-in-one printer fax machines, the same communication protocols apply to all fax machines from all vendors, and the same vulnerabilities likely lie in these devices too. In addition, as popular online fax services, such as fax2email, are using the same protocol the same vulnerability may well also apply there too,” the firm noted.
Using an Eternal Blue NSA exploit, the researchers first faxed a malicious file to a targeted fax machine, took over the fax machine, and then penetrated the IT network “through a route that until now was considered to be secure and need not have protection layers applied”. The following video demonstrates how the attack was carried out:
According to Check Point, fax machines may be considered as outdated and irrelevant by many but there are still 46.3 million fax machines in use across the world, with 17 million of them being operated in the US alone. In fact, the NHS is the world’s biggest buyer of fax machines and uses them frequently to transmit documents between documents, labs, and insurers.
Even in the legal industry, which is considered as among the most preferred targets of cyber criminals, fax is the preferred communication method as fax machines offer convenience for lawyers to send documents to clients and receive confirmation that such documents have been received.
“While the use of fax machines has in general radically subsided over the last 15 years, due to the rise of email and other electronic communication applications, it is still very much the norm for many industries who consider it a more secure or legally binding form of doing business. In addition, the presence of fax machines in both the home and work place is still very much prevalent, regardless of how often they are actually used.” the firm added.
Can organisations still use fax machines?
Check Point says that if an organisation intends to use fax machines in future, it must implement network segmentation to minimize the level of access to sensitive information for such machines and to restrict access only to those who need it. Even if a fax machine gets compromised, network segmentation will prevent hackers from intruding a network.
“The segmentation of where critical data is stored, whether by firewalls or configuring VLANs, requires planning, measured deployment and constant adjustments. Although this demands discipline and regular attention, and can become an unwieldy task as your organization’s network grows, it is not so overwhelmingly challenging, however, that it should be ignored altogether.
“Furthermore, having endpoint protections deployed across users’ devices goes a long way to mitigate the risks of unauthorized access. By installing endpoint protections, security administrators and home users can feel safe in the knowledge that their endpoints are provided with an extra layer of protection both inside and out of the network. So, whether an organization’s users are exposed to various types of attacks while working remotely or are targeted through phone lines via fax machines, the user’s endpoint itself is protected from known and unknown threats,” it adds.