August 21st, 2018
What's the issue?
Check Point Software has discovered and now alerted printer and fax manufacturers that they have successfully attacked and taken control of a multifunction printer (MFP) through the fax's telephone connection. This can lead to stolen data from the MFP's hard drive, or penetration and data theft from a connected device, like a PC or a network.
By calling the fax number through the phone line and sending a remote code execution script, an attacker can take control of a printer, scour its hard drive for previously faxed documents, or, more problematically, use the fax's connection to any other device attached or server to steal information or plant other exploits.
Unlike most attacks that come through the Internet, all the attacker requires is the company's fax number. This form of attack, unprecedented in recent computing history, is particularly concerning as the MFP is connected to the company network but often sits outside of the corporate firewall and other security barriers.
While many companies rarely use fax, they often still publish a fax number and the fax has a phone line still connected. Fax usage in healthcare, legal, and financial services, however, is still significant.
HP, whose device was the test subject, was alerted prior to publication and have issued firmware patches for dozens of their printers. The researchers believe this vulnerability exists in other brands of MFP's, as well as standalone fax machines and fax-to-mail services.
What should I do?
Disconnect the phone line to your multifunction printer or fax machine until you have time to check with the manufacturer of the device to confirm if the vulnerability is present in your device, and you can complete a firmware update.
Maintaining a program of security vulnerability review of all connected devices and ensuring the most recent firmware updates are applied is critical to computing securely. Also, for larger networks, segmenting network infrastructure on a need-to-compute or access basis is critical.
Note to NPC Clients: If you are concerned about this threat, you can email the support centre for advice on your particular device at firstname.lastname@example.org.
Check Point Research - Faxploit: Sending Fax Back to the Dark Ages
HP Customer Support - HPSBHF03589 rev. 4 - HP Ink Printers Remote Code Execution