Attackers could ‘faxploit’ all-in-one printer to penetrate network and steal data

At Def Con 26, researchers revealed pwnage via fax. Hackers need only a fax number to infiltrate networks and exfiltrate data.

That all-in-one printer of yours may have fax capabilities that attackers could exploit by sending maliciously crafted image data via fax in order to take control of the printer, penetrate your network, and exfiltrate files. That’s what Check Point researchers Yaniv Balmas and Eyal Itkin warned attendees at Def Con 26.

Fax? Who still uses fax? The researchers said they Googled to find 300 million fax numbers still in use. And a fax number is all that an attacker needs to potentially take complete control of an all-in-one printer and “possibly infiltrate the rest of the network connected to this printer.”

The researchers were able to “faxploit” an HP Officejet Pro 6830 all-in-one printer. As you may recall, HP recently released firmware updates and advised users to patch ASAP. If you haven’t patched yet, you might want to get on that, as no one wants to admit to being pwned via antiquated fax.

As for that pwnage, the researchers “strongly believe that similar vulnerabilities apply to other fax vendors, too, as this research concerns the fax communication protocols in general.” Even the popular online fax service fax2email uses the same protocol and may be vulnerable.

Balmas admitted, “Nobody owns just a fax machine. Instead they own all-in-one printers. Many are connected to vulnerable networks.” He added, “We are able to take complete control over the printer just by sending a malicious fax. There is no prerequisite for this attack. All you need to do is send a malicious fax to the printer and you have control.”

How an attack via fax works

Armed with a fax number, an attacker could send a maliciously crafted image file to the target. The fax component of the all-in-one printer would then decode the image file and load it into memory. From there, the attacker could spread a malicious payload across the network that the printer can reach.

They added, “Once an all-in-one printer has been compromised, anything is possible. It could be used to infiltrate the internal network, steal printed documents, mine Bitcoin, or practically anything.”

In this case, after faxploiting the all-in-one printer, the researchers opted “to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax.”

To our knowledge, we now had the first (publicly documented) printer capable of using Eternal Blue and Double Pulsar to autonomously spread an attacker’s payload over a computer network.

The researchers hope their hack acts as the “canary in the coal mine.” They exploited the implementation of fax protocols defined in the 1980s and 1990s. “We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.”
