FAXPLOITForgotten about that fax in the corner of the office? Once the ‘must have’ communications device in every office, it has since be usurped by email, text and instant messaging. But not everywhere. Football transfers, for example, are still dependent on faxed contracts. In some countries faxes are still a requirement for legal matters. Banking and healthcare are both big users of fax machines.

Fax is an old technology and one that has escaped the attentions of hackers and security researchers alike. That was until last night when Eyal Itkin and Yaniv Balmas from Check Point Software presented at DefCon in Las Vegas. They have revealed several vulnerabilities that would allow a hacker to send a ‘faxploit’ and infect computer networks.

What fax machines are affected and how?

The fax machines in question are the multifunction printers from HP. These devices are setup in offices around the world. They are connected both to the telephone line and the internal network using wired and wireless links. Printers are trusted devices and there is often no way to install anti-malware software on them. This means that a hacker compromising the fax can then attack the network with little chance of being detected. It will allow them to install malware onto computers and then exfiltrate data across the fax link.

The core of the vulnerability is the International Telephone Union (ITU) T.30 protocol. This is the international standard for sending fax data. It uses several other standards to deal with the data sent to the fax. This is what Itkin and Balmas exploited. The T.81 (JPEG) format allows colour images to be sent to a fax. The researchers discovered that in doing so they could take control of the whole file and how it is handled by the fax machine.

The result was that the researchers were able to use known exploits including buffer and stack overflows. These allow an attacker to overwrite areas of memory on a device. The two exploits are:

  • CVE-2018-5925 – Buffer-Overflow While Parsing COM Markers
  • CVE-2018-5924 – Stack-Based Buffer-Overflow while Parsing DHT Markers

With no security software inside the printer the researchers were able to send all their code in a single fax. This takes time. However, by doing this at night when there is nobody in the office, it is unlikely it would be noticed. It could also be done during the day by printing an image leaving most offices thinking they had received it by mistake.

Proving the attack

Itkin and Balmas wrote their own attack to take over the printer and then attack the network. They wrote an attack that took advantage of two of the NSA tools leaked to the Internet. The payload in their attack:

  • Took over the printer’s LCD screen – demonstrating full control over the printer itself
  • Checked if the printer was connected to the network
  • Used Eternal Blue and Double Pulsar to attack a victim computer in the network, taking full control over it.

All of this was done using an HP Officejet Pro 6830 all-in-one printer. HP has now issued a patch for this printer which can be obtained here.

Itkin and Balmas point out that they only tested HP devices. However, as this is a standards based attack, the software inside multifunction computers from other vendors is also likely to be vulnerable.

What does this mean

This is not the first vulnerability that has allowed hackers to use a printer to attack networks. Last year HP ran a video campaign called “The Wolf”. It featured Christian Slater explaining how an unsecured printer in the mailroom allowed an attack to gain access to a network. This is an exploit that has been used in the wild by attackers and one that is still possible today. Walk into any office complex and look at the publicly available wireless options. There will be a number of printers showing. It takes very little effort to connect to one of them and begin an attack.

This latest attack takes advantage of the fact nobody is watching the fax. It shows how old standards and approaches need to be revisited. While HP has produced a fix it is not able to force customers to install it. It means that there is now a new and dangerous attack vector out there which is likely to go unpatched inside many organisations for years.

So far, Itkin and Balmas point out that nobody has seen this attack used in the wild. But why would they. It is an attack below the radar. Now that the details on how the attack works are out there, hackers will already be crafting their own attacks.

As said, this is not just about HP. Other all-in-one printers with faxes connected to phone lines are just as vulnerable. Finding them takes very little effort. Most companies print their fax numbers on their business cards.


Please enter your comment!
Please enter your name here