The fax ma­chine is wide­ly con­sid­ered to be a di­no­saur of in­ter­of­fice com­mu­ni­ca­tions, but it may also pres­ent a vul­nera­ble point where hack­ers can in­fil­trate an or­gan­i­za­tion’s net­work, ac­cord­ing to a new re­port from Israel-based soft­ware com­pany Check Point. The com­pany said that the vul­ner­a­bil­i­ty was iden­ti­fied as a re­sult of re­search in­tend­ed to dis­cover po­ten­tial se­curi­ty risks, and not as the re­sult of any attack.

Hack­ers can gain ac­cess to a net­work using the phone line con­nected to a fax ma­chine, which is of­ten con­nected to the rest of an or­gan­i­za­tion’s net­work. By send­ing an image file that con­tains ma­li­cious soft­ware over the phone line, hack­ers can take con­trol of the de­vice and ac­cess the rest of the net­work. The re­search­ers were able to do this using only a fax num­ber, which is of­ten wide­ly dis­tri­but­ed by or­gan­i­za­tions on busi­ness cards and websites.

The re­port es­ti­mates that there are more that 17 million fax ma­chines in use in the United States alone. The legal and med­i­cal fields both con­tin­ue to rely heav­i­ly on fax ma­chines to con­duct busi­ness be­cause they are wide­ly con­sid­ered to be a more se­cure form of trans­mit­ting sensi­tive in­for­ma­tion and sig­na­tures com­pared with email. Bank­ing and real es­tate firms also fre­quent­ly trans­fer docu­ments con­tain­ing sig­na­tures via fax.

With the ad­vent of all-in-one de­vices that can fax, print and scan docu­ments, fax ma­chines may be more prev­a­lent in homes and of­fices than people re­al­ize. This par­tic­u­lar vul­ner­a­bil­i­ty ap­plies only if such a de­vice is con­nected to a tele­phone line, how­ever.

The only ma­chines test­ed were from HP’s line of all-in-one print­ers, but ac­cord­ing to the re­port, these vulnerabilities are likely to be found in ma­chines from any man­u­fac­tur­er that uses sim­i­lar tech­nol­o­gy. HP is­sued a patch for its pro­ducts be­fore the re­port was pub­lished; it is avail­able for down­load from HP’s sup­port website.

The re­port ad­vis­es that if a fax ma­chine is too old to sup­port a soft­ware up­date, or if the man­u­fac­tur­er has yet to issue a patch to fix the vul­ner­a­bil­i­ty, fax ca­pa­bil­i­ties should be used only on a seg­men­ted part of the net­work with­out ac­cess to criti­cal data. The re­port also ad­vis­es that the phone line con­nected to an all-in-one ma­chine should be dis­con­nect­ed if a user or or­gan­i­za­tion does not use the fax func­tions.