Hacking a Network Using a Malicious Fax

If you have a combination printer/fax machine, your network is probably vulnerable to a single, malicious fax. A security research company named Check Point released a report last week that detailed how HP printers with built-in fax capability could be hacked by sending it a specially formatted fax. While the study focused on HP printers, Check Point said that this vulnerability is likely to be found in most fax machines.

Just the Fax

Fax machine technology has been around since the 1970s but is still in wide use today, despite the ability to share files via email, web download, messenger apps, cloud storage and any number of other mechanisms. Check Point found that the basic fax protocol could be compromised with a carefully formulated image. That would mean that all an attacker needs to hack your printer/fax machine is your fax number.

If they were only hacking the fax machine, that wouldn’t be such a big deal. How would a hacker profit from that? But the problem is that modern printer/fax machines are connected to the computer network as well as the phone line. These devices (and all our “smart” devices) have a computer inside. So once this device is compromised, it could then be used as a beachhead to hack other, more-valuable devices.

What Do I Do?

If you have an all-in-one printer/fax machine in your home or office, you should do the following things right away. While at the time of the report there were no known active exploits for this vulnerability, it’s just a matter of time.

  • The simplest response is to just unplug the phone line. If you don’t use the fax capability often, you can plug it back in only when you need it. But until you can actually get a software fix, you should just unplug the phone line.
  • Find your make and model number from the device. Then search the manufacturer’s website for the most recent software/firmware. Install the latest version using the instructions they give you.
  • Some of these devices are finally coming with the ability to self-update. Check your device’s settings and enable this feature if available.
  • Register your device with the manufacturer. Yes, you’ll probably get some junk emails. Look at the communications preferences and disable marketing emails where you can. But when you register, you should get timely emails when bugs like this are found, hopefully with instructions on fixes or mitigations.

These “smart” devices fall under the heading “Internet of Things”. If you have other such devices, you might want to check out this article.

Liked it? Take a second to support Carey Parker on Patreon!