Fax Vulnerability May Have Lasting Effects for Small Businesses

When was the last time you patched your fax machine?  When was the last time you even thought about your fax machine?  (Annoyance due to a PC LOAD LETTER error doesn't count.)

Research presented at last week's DEF CON security conference demonstrated some dead simple attacks on the fax machine protocol in many popular printers.  Here's a video the researchers prepared that demonstrates the flaw:

Despite the fax protocol being ancient (in technology terms) it's still widely used today, and may even be growing in usage. It's my prediction that this attack will rear its ugly head for some time, especially for small-to-mid sized businesses; and especially for those that handle sensitive data (e.g. accounting firms, doctor offices, legal professionals, supply chain partners, etc.).

The standard set up I typically see in many small offices, is a flat unsegmented network, where all devices like printers are plugged in and configured using default settings.  All-in-one printers and fax machines, even if unpatched, have had slim protection in the past via the network firewall.  This new technique opens a front door right into the network via that vulnerable machine, and all that's required is the fax number sitting in the footer of your website, making it an attractive vector for ransomware and data theft.  I'm not saying this as a scare tactic; it's reality.

If your organization is using a 3rd party IT firm, it's imperative to understand their patching methodology.  While desktop machines may be updated regularly, often it's the case that embedded devices are not.  Hold them accountable.  Of course, this presupposes that firmware updates will be made available for your fax's make/model.  In some cases that decade old machine that still works great will never see another update.

What's the solution?

If you don't need your fax connected to your network, unplug the ethernet cable and disconnect it from WiFi.  If you do; network segmentation is the solution.  Employees should be able to access the device on the network, but the device should not be able to communicate outside its subnet.  Even if patched, segmentation is important as it guards against future flaws.

Posted: Aug 17, 2018