In August 2018, a critical vulnerability was discovered by researchers who were able to send an encoded fax document, placing malicious malware on the receiving fax machine. Yes, even fax machines are subject to security vulnerabilities. If these machines are connected to your network, that's where the risk lies in wait.
It's essential for business owners to understand that connecting any device to a phone line opens up a potential vulnerability to attack. In the past, fax machines were unconnected standalone devices. Today they're one of the components in all-in-one office equipment that combine fax, printers, and photocopiers altogether. Indeed, these multi-functional devices are part of almost every company’s internal IT network, and even if they are primarily used only as a printer, their fax functionality is still enabled.
A hacker exploits this connection by sending a fax image that contains malware coded into the image file. This image can then be sent along the phone line to the target fax device. The malicious embedded malware then takes over the device and can spread to any network to which it is connected. The only information required to do this is the organization’s fax number – something that is often publicly available on any employee’s business card or company website.
Segmentation of your network is one of the best ways to protect your organization from attacks that could come from fax machines. Work with your Information Technology group or consultants to address effective segmentation. The machines used in the research were Office Jet fax-capable multi-purpose printers made by Hewlett-Packard. As a result, Hewlett-Packard released a patch for these devices, which you can find here.
Additionally, the "Faxploit" vulnerability illustrates the importance for organizations to regularly update and patch the software installed on all devices. This offers protections provided by vendors when they become aware of security flaws in their products.
While this research focused on all-in-one printer fax machines, the same communication protocols apply to all fax machines from all vendors, and the same vulnerabilities likely lie in these devices too. Maintaining a frequent patching schedule and segmentation of your infrastructure, along with a high level of IT hygiene in general, is essential for protecting your data from potential attacks, from wherever they may come.
Learn more about Fax Machine Vulnerabilities by listening to a replay of our Q3 Compliance Webinar.