The fax machine is widely considered to be a dinosaur of interoffice communications, but it may also present a vulnerable point where hackers can infiltrate an organization’s network, according to a new report from Israel-based software company Check Point. The company said that the vulnerability was identified as a result of research intended to discover potential security risks, and not as the result of any attack.
Hackers can gain access to a network using the phone line connected to a fax machine, which is often connected to the rest of an organization’s network. By sending an image file that contains malicious software over the phone line, hackers can take control of the device and access the rest of the network. The researchers were able to do this using only a fax number, which is often widely distributed by organizations on business cards and websites.
The report estimates that there are more than 17 million fax machines in use in the United States alone. The legal and medical fields both continue to rely heavily on fax machines to conduct business because they are widely considered to be a more secure form of transmitting sensitive information and signatures compared with email. Banking and real estate firms also frequently transfer documents containing signatures via fax.
With the advent of all-in-one devices that can fax, print and scan documents, fax machines may be more prevalent in homes and offices than people realize. This particular vulnerability applies only if such a device is connected to a telephone line, however.
The only machines tested were from HP’s line of all-in-one printers, but according to the report, these vulnerabilities are likely to be found in machines from any manufacturer that uses similar technology. HP issued a patch for its products before the report was published; it is available for download from HP’s support website.
The report advises that if a fax machine is too old to support a software update, or if the manufacturer has yet to issue a patch to fix the vulnerability, fax capabilities should be used only on a segmented part of the network without access to critical data. The report also advises that the phone line connected to an all-in-one machine should be disconnected if a user or organization does not use the fax functions.