
Malicious Faxes Leave Firms 'Open' To Cyber-Attack (bbc.com)

Booby-trapped image data sent by fax can let malicious hackers sneak into corporate networks, security researchers have found. From a report: Since many companies use fax machines that are also printers and photocopiers, they often have a connection to the internal network. The malicious images exploit protocols established in the 1980s that define the format of fax messages. The research was presented at the Def Con hacker conference in Las Vegas. The two researchers said millions of companies could be at risk because they currently did little to secure fax lines. "Fax has no security measures built in -- absolutely nothing," security researcher Yaniv Balmas, from Check Point Software, told the BBC. Mr Balmas uncovered the security holes in the fax protocols with the help of colleague Eyal Itkin and said they were "surprised" by the extent to which fax was still used.
  • by Oswald McWeany ( 2428506 ) on Monday August 13, 2018 @12:49PM (#57116984)

    How exactly does this work? Is this some sort of injection attack, where a badly formatted image file somehow includes code to take over the fax machine's operating system instead?

    If so, this is really poorly designed: an incoming fax should be isolated from everything except printing off the incoming fax.

    • by Anonymous Coward

      It's mentioned in the article. Because faxes are now commonly received on networked copiers.

      • But it still involves badly designed software. FAX isn't the big deal here; it's the blind obedience to the metadata in the FAX that is the problem.

        I used to think that viruses in PDF files were bizarre myself, because what self-respecting PDF reader would actually write. Or what self-respecting email viewer would decide to automatically run executable attachments? What self-respecting web browser would rely upon third-party scripts? Etc.

        Security is the last concern of many products because it slows down

      • No, it's not.

        At present it's the equivalent of saying 'letting a client whistle in your offices opens you to malicious attack because your PC's/smartphone's microphones are digitising that data' without showing ANY EVIDENCE AT ALL that there is actually a workable vulnerability via such a path.
        The mere fact that your microphones may not (ignoring the wonders of Siri/Google/etc.) actually be being used by any software that could have such a vulnerability seems irrelevant to these 'researchers'.

        Their message is

    • Except for us all faxes go to a targeted email address. Usually a general inbox.

      While not hooked up, our old fax machine is a copier, scanner and printer. All scans automatically go into a folder. Faxes used to do the same thing, but we moved the fax number to a digital service.

      Ideally, ditching faxes altogether would be great; it just can't be done yet. Too many still use them to send data.

      Scanning is not always tech-illiterate friendly, whereas sending a fax is a phone number and press send.

      • >> Ideally ditching faxes all together would be great, just can't be done yet. To many still use them to send data.

        And the legal system, at least in the US, officially recognizes faxes as legal documents

    • Re: (Score:3, Informative)

      by Anonymous Coward

      It's an attack over the phone line, so no network communication is involved in the exploit stage. That particular fax machine implements a protocol extension which allows the transmission of color faxes. This is achieved by sending a JPEG file instead of the typical black and white data. The attack exploits a bug in the JPEG decoder. With remote code execution achieved, the attack then proceeds with a payload that attacks the network to which the fax machine is connected.

      The technical paper is at: https://r [checkpoint.com]

      • by sakono ( 4659761 )
        Looking at the link... I am a bit over my head, but does this affect digital fax or just the old analog lines? The company I work at just went to digital fax, so the faxes come over the network and not the old phone cords, at least on the MFP side. No idea how the server side is set up, as they won't say.
    • by planux ( 598669 )

      L(should have)GT: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/ [checkpoint.com]

      I attended this talk yesterday, and it was by far the best talk I attended at defcon26. The researchers did some amazing work to get this exploit. You can get the full tale of hackery at the link above, but here's my (probably/mostly correct) summary:

      • At some point, the fax standard was amended to include support for JPGs, in order to allow full-color faxes
      • As the researchers wrote in the above-linked blog article, "F
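The Anonymous Coward's explanation above (colour fax carries a JPEG, and the decoder's handling of it is where the bug lives) and planux's summary both come down to one thing a practitioner will want to see concretely: what "trusting the image's own length fields" looks like in a decoder, and what the check that stops it looks like. The following is an added example, not Check Point's code and not the bug they found (the page does not say which decoder routine was at fault); it uses the one JPEG structure where this bug class is classic, the DHT (Define Huffman Table, marker FF C4) segment, whose 16 count bytes say how many symbols follow and, per ITU T.81, may sum to at most 256. The naive copy beside it is the shape of the bug class; the walker and validator are the hardening. All three sample buffers are constructed here, not taken from any real fax.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum {
    JPEG_ERR_NO_SOI     = -1,   /* buffer does not start with FF D8 */
    JPEG_ERR_BAD_MARKER = -2,   /* expected FF xx where a marker should be */
    JPEG_ERR_TRUNCATED  = -3,   /* a length field points past the buffer */
    JPEG_ERR_BAD_DHT    = -4    /* Huffman counts exceed the spec maximum */
};

/* THE BUG CLASS (kept only for contrast, never called on hostile input):
 * a decoder sizes its symbol table at the spec maximum of 256 and copies
 * "sum of the 16 counts" bytes without checking that sum or the segment
 * length. Sixteen counts of 0xFF mean 4080 bytes into a 256-byte buffer. */
void dht_copy_naive(const uint8_t *seg, uint8_t symbols[256])
{
    size_t total = 0;
    for (int i = 0; i < 16; i++)
        total += seg[1 + i];             /* seg[0] is the Tc/Th byte */
    memcpy(symbols, seg + 17, total);    /* no bounds check at all */
}

/* Hardened: validate one DHT table against both the enclosing segment and
 * the spec limit before writing. Returns bytes consumed, or a JPEG_ERR_*. */
static int dht_table_validate(const uint8_t *seg, size_t seglen,
                              uint8_t symbols[256], size_t *nsyms)
{
    if (seglen < 17)
        return JPEG_ERR_TRUNCATED;       /* not even Tc/Th + 16 counts */
    size_t total = 0;
    for (int i = 0; i < 16; i++)
        total += seg[1 + i];
    if (total > 256)
        return JPEG_ERR_BAD_DHT;         /* T.81: at most 256 symbols */
    if (17 + total > seglen)
        return JPEG_ERR_TRUNCATED;       /* counts promise more than is there */
    memcpy(symbols, seg + 17, total);
    *nsyms = total;
    return (int)(17 + total);
}

/* Walk the marker segments between SOI and SOS/EOI. Every length field is
 * checked against the remaining buffer before the payload is touched.
 * Returns the number of DHT tables validated, or a JPEG_ERR_* code. */
int jpeg_check_tables(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NO_SOI;
    size_t pos = 2;
    int tables = 0;
    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF)
            return JPEG_ERR_BAD_MARKER;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xD9)              /* EOI */
            break;
        if (pos + 4 > len)
            return JPEG_ERR_TRUNCATED;   /* no room for a length field */
        /* Length is big-endian and counts its own two bytes. */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || pos + 2 + seglen > len)
            return JPEG_ERR_TRUNCATED;   /* the field lies about the buffer */
        const uint8_t *payload = buf + pos + 4;
        size_t plen = seglen - 2;
        if (marker == 0xC4) {            /* DHT: one or more tables */
            size_t off = 0;
            while (off < plen) {
                uint8_t symbols[256];
                size_t n = 0;
                int used = dht_table_validate(payload + off, plen - off, symbols, &n);
                if (used < 0)
                    return used;
                off += (size_t)used;
                tables++;
            }
        }
        if (marker == 0xDA)              /* SOS: entropy-coded data follows */
            break;
        pos += 2 + seglen;
    }
    return tables;
}

/* Constructed samples (not from any real fax): SOI, one DHT, EOI.
 * Benign: counts {1,0,...}, one symbol; length 0x14 = 2 + 1 + 16 + 1. */
const uint8_t sample_benign[] = {
    0xFF, 0xD8,
    0xFF, 0xC4, 0x00, 0x14, 0x00,
    1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x0A,
    0xFF, 0xD9
};
/* Hostile counts: every count 0xFF (sum 4080). The segment length is
 * honest, so only the spec-maximum check stops the 4080-byte copy. */
const uint8_t sample_bad_counts[] = {
    0xFF, 0xD8,
    0xFF, 0xC4, 0x00, 0x14, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x0A,
    0xFF, 0xD9
};
/* Lying length: the DHT claims 0x1000 bytes but the buffer ends after 4. */
const uint8_t sample_truncated[] = {
    0xFF, 0xD8,
    0xFF, 0xC4, 0x10, 0x00, 0x00, 1, 0, 0
};
const size_t sample_benign_len     = sizeof sample_benign;
const size_t sample_bad_counts_len = sizeof sample_bad_counts;
const size_t sample_truncated_len  = sizeof sample_truncated;
```

The two rejections are deliberately different errors: `sample_truncated` is caught by the walker before any table code runs, while `sample_bad_counts` has a perfectly honest segment length and is only caught by the T.81 limit inside `dht_table_validate`; a decoder that checks segment lengths but not the count sum (or the reverse) still copies past its table on one of the two. The same shape of check applies to every other length-prefixed JPEG segment (DQT, SOF, APPn) a colour-fax receiver parses.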
  • Maybe we can finally get rid of one of the klugiest pieces of technology ever invented. Email anybody?
    • Well, if you're out in the woods with no internet connection, no mobile coverage but have two copper wires connected to a telephone exchange, fax can be your saviour.

      The real reason for the fax predominance, I believe, is that it is 1) "known" technology, which means that technophobes like my previous solicitor could understand it and use it, and 2) it is easier to use than most scan-to-E-mail solutions (even for tech-savvy people).

      Have you tried to enter the E-mail address on the small, resistive touch-scr

      • by guygo ( 894298 )
        yeah.... and 30 miles per hour! How can a person breathe at that speed!
      • by AvitarX ( 172628 )

        Also, people don't want to e-mail sensitive information, but have no concerns faxing it.

      • The real reason it's still in use is that a faxed copy of a signed legal document counts as a legal original in most cases in the US. This loophole really needs closed in today's age because it enables fraud but nobody has taken the time to challenge it.

      • Well, if you're out in the woods with no internet connection, no mobile coverage but have two copper wires connected to a telephone exchange, fax can be your saviour.

        From a purely technical point of view, if you can manage to connect a fax to that pair of copper wires, that means you can connect an analog modem (somewhere between 33 and 56 kbit/s) or an ISDN digital signal (64k), because fax machines ARE basically modems (pouring data into a printer with only a simple picture compression in the middle).

        You could as well wire your copper pair to the appropriate type of modem and do way more, including PPP to get IP packets.
        Maybe not use the modern Web (where ever

        • If you or I lived there, we would probably find a modem somehow and also an internet provider that had dial-in lines. Living in the UK, the latter is not the easiest (OK, there are a few "free" services that offer dial-up but on 0844 or 0845 numbers where you pay a small premium on the call) but none of the big suppliers offer that service now, to the best of my knowledge. Luckily, modems are still to be had and at a fairly low price. (About GBP6/$10 for a USB 2.0 56K + fax modem.) Fax machines are sold by

          • If you or I lived there, we would probably find a modem somehow and also an internet provider that had dial-in lines. Living in the UK, the latter is not the easiest

            An actual ISP with dial-in lines would be one possibility.

            Another would be remotely connecting to a machine you own somewhere (this time using a normal local number, so you get either a very low-cost or free connection, depending on your phone line plan).
            i.e.: be your own ISP.

            The E-mail-enabled printers I have worked with were not configured for network setup of scanning to mail* and while many E-mail addresses were stored in memory, subject lines and attachment naming still required the use of the unpleasant touch-screen keyboard.

            The idea is to leave the stupid default (e.g.: "SCAN_yyyymmdd.PDF") and mail *yourself* a copy of the document using the 1-button fast-dial.
            Then, using your laptop and your favorite e-mail client, forward that e-ma

      • Well, if you're out in the woods with no internet connection, no mobile coverage but have two copper wires connected to a telephone exchange, fax can be your saviour.

        You can fax for an Uber to come and save you?

    • by kelemvor4 ( 1980226 ) on Monday August 13, 2018 @01:21PM (#57117166)

      Maybe we can finally get rid of one of the klugiest pieces of technology ever invented. Email anybody?

      Others might describe it as one of the most solid and useful pieces of tech ever invented. As evidenced by the fact that it's widely popular after so many years and even those with no technical skills at all can send and receive faxes.

      Personally, I prefer email. However if someone with no tech skills needs to send me a document image it's often far easier to just send a fax rather than spend an hour trying to teach the person to scan, then save in whatever format, and then send via email or other method (if the file is too large for email, often a problem). You get the idea.

      • by pnutjam ( 523990 )
        There are machines that make emails as simple as faxes, it's mostly regulatory issues that keep faxes around. They are exempt from many security considerations.
      • by DrYak ( 748999 )

        However if someone with no tech skills needs to send me a document image it's often far easier to just send a fax rather than spend an hour trying to teach the person to scan, then save in whatever format, and then send via email or other method (if the file is too large for email, often a problem).

        Though you can teach them to use an MFP to mail a scan to themselves (basically the same button presses as sending a fax with a fast-dial number, except that the fast-dial preset points to their own e-mail box instead of another FAX phone number) and then teach them how to forward e-mails with their favorite e-mail client.

        The "file too large for e-mail" won't happen that easily, because most MFP will do compression-to-PDF auto-magically usually with better than FAX codecs (though apparently FAX that can h

    • You've obviously never worked with any government agencies.

      • by guygo ( 894298 )
        Right, 65 years old and I have never once had a chance to work with a government agency, is that your contention? Sure. You obviously never make assumptions about others nor overstate anything, huh?
    • Nope. Not until courts recognize email as a legal immutable document

  • Why faxes are used (Score:5, Interesting)

    by Anonymous Coward on Monday August 13, 2018 @01:05PM (#57117054)

    Faxes are still used, whether digitized or old-fashioned, because of the court system. A signed and faxed form carries the weight of a physical contract. A signed and emailed form does not.

    • Faxes are still used, whether digitized or old-fashioned, because of the court system. A signed and faxed form carries the weight of a physical contract. A signed and emailed form does not.

      Which itself is a bit odd, because you can print out an e-mail and then fax it. So it's not like Faxes prevent some sort of image editing fraud that could happen with an e-mail.

      • Fighting established precedent is just as hard as establishing new precedent in case law. It's always been trivially easy to commit fraud over fax with regard to signatures. Technology only makes it easier. The same thing but on a computer was sanely rejected because of security concerns. It takes a lot more to challenge the established precedent on faxes.

    • This is no longer true...and has not been for over 10 years.
    • No.

      My company specializes in serving subpoenas for documents related to car accident cases, and collecting documents to deliver to the court. There is absolutely no legal advantage of fax over email, when it comes to contract enforcement or other court purposes. Legally, a simple email (signed or not) carries the weight of a signed contract.

      Where fax DOES have an advantage is in HIPAA compliance. Fax is considered "secure" because it is (or was) so seldom hacked. This allows physicians and lawyers to transm

    • by antdude ( 79039 )

      Faxing is still popular in Japan even though that country is very high tech. https://www.bbc.com/news/busin... [bbc.com] says even cassette tapes are still popular!

  • Comment removed based on user account deletion
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Fax machines aren't replaced by emailing scans. They are being replaced by holding documents up in front of a smart phone camera.

    • I've been retired for a couple of years, but we always had to keep a POTS line around for the fax ( burglar alarm too ) as fax wasn't reliable over VOIP. If faxing over VOIP can't be / hasn't been fixed then the migration to VOIP should kill off fax sooner than later.
    • by tlhIngan ( 30335 )

      It's been around so long and it's survived this long. Too many people aren't capable of scanning something, then emailing it. Any bets on when the last fax machine will be taken out of service? 20 years? 30?

      That's because fax is simple. It's a technology that's really boiled down what it does to the ultimate in simplicity.

      To set it up, you connect it to a phone line and power. You can set it up further if you want, but as far as its basic needs, they've been met.

      To send a fax, you stick the paper into the d

      • To send a fax, you stick the paper into the document reader, dial the number and press start. The machine will figure out what to do and your pages are magically sent off to the recipient. Hope you got your number right.

        A previous company I worked for had the fax number incorrect on a lot of their documentation that was handed out to clients, including fliers and business cards. The number listed as a fax number for the company was actually an "adult services" phone number. We never found out if that was done intentionally as a joke by someone or just a simple error. (the number was two digits off the correct fax number).

        No client ever reported a problem and to my knowledge the mistake was never discovered... we almost

  • I can't believe that nobody's noted that Elliot in Mr. Robot used a faked Fax to get access to Police data: https://www.theverge.com/2016/... [theverge.com]

  • Is how something like Hylafax or a regular old fax machine reacts to these "malformed" fax images.

    What this sounds like, is that the printer makers got sloppy in the image rendering end of things and this is some kind of buffer overflow.

    No... They wouldn't do THAT.

  • I've been in the copier, printer, fax business since the early 80's. Most MFP's, for the sake of price, use a software based fax modem. (remember the problems of the old Win modems?) IF that is what they are talking about, I could see where there could be a problem. Most of the higher end machines we sell & service, use a HARDWARE based modem for faxing. The board contains the CML hardware relay, and they even continue to use the dual neon light bulbs, that were there to help drain off any excess AC t
  • by IonOtter ( 629215 ) on Monday August 13, 2018 @09:31PM (#57119854) Homepage

    1. Take something black, preferably large, and place it on the copier. A t-shirt will work well, but no designs: just solid black.

    2. Make four copies of the black.

    3. Trim the sheets so they have no white edges or borders.

    4. Assemble the 4 sheets together with Scotch tape. Trim off any excess.

    5. Apply a strip of Scotch tape to the BACK of the topmost sheet, so it's half on, half off.

    6. Dial the target fax machine, then feed the bottom-most sheet into the device.

    7. When enough comes out of the bottom, bring it up and apply the bottom to the topmost strip of Scotch tape to create a loop out of the four sheets.

    8. Go get some coffee, talk to some co-workers, maybe go to lunch.

    Target fax will keep spitting out page after page of black nothing until it either runs out of paper, toner or the fuser burns out.

  • governments still use it a lot.

    Got pulled over by police; my insurance was not valid. The valid paper was at home; I had just got it in the mail and hadn't put it in my car yet. So the officer asks me: is there somebody at home who can fax it to us?
    Come again, what? A fax? No, but I can have a picture taken and email it. That wasn't any good, so I ended up having to show the paper at the police station the next day.

    other stories are that the fire department needs to get a fax from the mayor to declare certain
