back to article Faxploit: Retro hacking of fax machines can spread malware

Corporations are open to hacking via a booby-trapped image data sent by fax, a hacker demo at DEF CON suggests. The hack - discovered by security researchers at Check Point - relies on exploiting flaws in the communication protocols used in tens of millions of fax-capable devices globally, such as all-in-one fax-enabled …

  1. Mage Silver badge

    Denial of Service

    Over 20 years ago. People ringing a Fax number and sending page feeds. Then the fax machine couldn't receive till reloaded with roll or sheets.

    Spam from travel companies was expensive for people using either thermal ribbons or thermal paper and moderately expensive for inkjet.

    1. Oengus

      Re: Denial of Service

      or looping the paper and sending a continuous page...

      1. DailyLlama

        Re: Denial of Service

        Looping the black paper so it used all their toner/ink/ribbon too :-)

        1. Scroticus Canis

          Re: Denial of Service -Looping the black paper...

          Supposedly five black pages was enough to fuse the thermal print heads on the older models. Never tried it myself, much.

  2. TRT Silver badge

    Details of the mechanism...

    are sketchy in reports. It's rather "ooh! look, I can fax this picture to you and pwn all your secrets!" rather than "Using a dial-up fax modem, I can cause a buffer overrun on your machine, which is a potential foothold into an exploit of variable effectiveness."

    And over-run the buffer into what, exactly? Just because you can cause a particular category of fault or error condition doesn't mean that the error is exploitable. It take a huge leap of the imagination to go from over-running a buffer in image memory to executing very specific coded instructions which will compromise an entire network.

    I call this out as 99.999% bullshit attention seeking. Unless it's just the media portraying this as yet another thing to panic about. I expected better from the Reg, though, in terms of technical details.

    1. Christian Berger

      Ways it could work, in theory

      Page data could be a vector, however any receiving fax is required to count lines of wrong lengths as "errors" and discard them. The number of lines per page is of course not limited, but faxes have been used for long pages in the past.

      What's actually more likely is the negotiation phase, there Fax machines talk HDLC over v.21 with eachother. It could be that the software only allocates a 256 octet space, but the HDLC frame is much larger. Since HDLC frames have no "length" indication you don't know how long they are. I have actually seen one particular modem (ELSA Microlink 56k) crash when it receives bad negotiation in that phase.

    2. Robert Carnegie Silver badge

      Sure, here's how I did it yesterday (not really).

      As bad guys know already: there are historic bugs in widely used versions of JPEG image data handling library. JPEG is basically Zip file for pictures. Fax machines can handle JPEG data, and due to either a new bug or an unpatched old one, you can send binary data and code in the format of JPEG - maliciously malformed data - to a fax machine, and it will hit the bug and START EXECUTING THE PROGRAM CODE IN YOUR JPEG STREAM INSIDE THE FAX MACHINE. Well... there is some more work to do to get there from "buffer overflow" or "chair stacking", but it's not -difficult- work.

      And since the fax machine these days is networked, once it's pwned, you have an enemy inside your camp - or your network.

      So, no, please don't publish details, such as a QR code of the data file needed to hack any fax machine.

      1. Christian Berger

        Re: Sure, here's how I did it yesterday (not really).

        Ohh, but Fax machines interpreting JPEG are actually very rare. Yes, it's in the standard, but so far I've only seen a Samsung one actually doing it.

        BTW you can find out if your fax has such features by looking at the capabilities it announces diring the negotiation phase. Most laser fax machines have some "T30-Trace" feature to print out a commented debug trace of your session.

    3. AndrueC Silver badge

      Re: Details of the mechanism...

      Maybe you can fax the source code for the malware.

    4. Anonymous Coward
      Anonymous Coward

      Re: Details of the mechanism...

      Try reading the blog post about this before calling anything bullshit.

      These bugs were 100% exploited, all technical details are included in the post.

      1. TRT Silver badge

        Re: Details of the mechanism...

        Fair enough! It's not bullshit then. But it's not working the way the media are reporting it. Poison pictures indeed.

  3. Cuddles Silver badge

    Probably not that common

    "tens of millions of fax-capable devices globally, such as all-in-one fax-enabled printers... The NHS in the UK alone has over 9,000 fax machines in regular use"

    In my experience, fax machines in the NHS are literally just fax machines. They're used for sending copies of medical records to other hospitals faster than a folder full of bits of paper can be posted. Not only are they not clever all-in-one devices, but even if they were they'd never be plugged into a network because there's simply no point - there's no use for making local copies or scanning them in for email or anything, so it would just be more work setting them up than it would be worth.

    On the other hand, I suspect the vast majority of those tens of millions of devices have exactly the opposite problem that also keeps them safe - they're bought only as scanner/printer/copiers and are never plugged into a phone line to use them as fax machines. That's certainly the case for the printers at my current workplace.

    So overall I'm not seeing a lot of risk. The vast majority of the time someone is actually using fax machines it's because their system is set up in a way that prevents them using email and the device won't ever be plugged into a network, while the vast majority of the time someone is using a multifunction device on a network it's not set up in a way it could ever be used for faxes. The number of people using such a device for both faxes and networked functions is probably rather tiny.

    1. Anonymous Coward
      Anonymous Coward

      Re: Probably not that common

      I fear from the numbers of these “all-in-one” machines that have evidently been sold, dual use as fax / printer may not be as rare as you suspect.

      Thankfully everyone religiously checks for security updates to their fax machines and keeps them suitably firewalled from accessing unnecessary network resources...

      1. Yet Another Anonymous coward Silver badge

        Re: Probably not that common

        >are never plugged into a phone line to use them as fax machines

        Or when you do, because some government dept insists on a fax, you discover that no modern phone system can handle faxes

  4. }{amis}{

    Why still a phone line on it??

    All the fax stuff I deal with these days are virtual even the multifunction printers don't actually have a fax they just email the file to a virtual fax provider outside the network.

    It doesn't really make economic sense to have a fax machine physically they days just based on the line rental costs.

    1. Christian Berger

      In civilized countries...

      "It doesn't really make economic sense to have a fax machine physically they days just based on the line rental costs."

      In civilized countries, companies have a trunk telephone line anyhow, so a fax machine only uses one port of your PBX which you usually buy on boards containing 8 of them.

      Using external FAX-providers is not only bad security wise (an additional company handling your data creates additional possibilities for malevolent actors), but also a huge problem with reliability. You have more components in the way, each one could fail, and once you leave the fax protocol domain, failure will not be reported to the sender. If you have a full "fax-to-fax" connection, your sending fax will only say it's OK when the receiving fax acknowledged its reception. For some faxes that even means that the fax was printed out already.

    2. Joe Drunk

      Re: Why still a phone line on it??

      Fax machines are ubiquitous because even the most technically illiterate punter knows how to use one. A single function fax machine's minimalist requirements (POTS line, mains line, paper, ink) means no boffin required for setup/maintenance. They are the def acto method for sending copies of documents for legal and medical as stated in the article so until that changes this dinosaur technology isn't going anywhere.

      1. cream wobbly

        Re: Why still a phone line on it??

        If fax is "dinosaur" technology, what the math are ballpoint pens? or pencils? Or heck, (electronic versions of) the slates my grandma used to write on at school?

        1. John Brown (no body) Silver badge

          Re: Why still a phone line on it??

          "If fax is "dinosaur" technology, what the math are ballpoint pens? or pencils? Or heck, (electronic versions of) the slates my grandma used to write on at school?"

          As recently as 5 years ago I was called out to fix a PC. It was urgent because it was the only remaining one in the company with a working telex card in it!

      2. Barry Rueger

        Re: Why still a phone line on it??

        Fax machines are ubiquitous because even the most technically illiterate punter knows how to use one.

        Every year our accountant emails us a fancy Adobe e-signature thingy. Every year it fails to actually work, or seems to involve way, way too many steps to bother.

        So every year we print, sign, and fax back the signature page.

        In an average year we likely send 20 pages by fax, and maybe receive a quarter of that amount, but when we do need it it is still perfect for the job.

        Even though I now default to gscan2PDF for almost everything, there are still a handful of times when fax is what's needed.

  5. Mike 16 Silver badge

    Fax still with us

    As several commenters have noted, an organization that uses a simple Fax machine, or that does not hook up their All-In-One to their network (and why have such a machine?), is relatively safe from this. At least as safe as they are from the scum that spam any known fax machine. Well, as long as that all-in-one honors the user option to _not_ enable WiFi. But again, if you need Fax, get a fax machine, not an all-signing-all-dancing-all-compromised thing that incidentally does Fax.

    As for popularity.. My proposal (in 1982) to my then employer to include (at least as an option) a Fax modem in our laptop product was shot down. My argument "for" was simply that pretty much any hotel had a fax machine, and would usually allow customers to use it, so rather than having to pack a printer along with the laptop, small amounts of printing could be done by fax. The argument against was from an in house "expert" on two grounds:

    1) He printed a document on a cheap dot-matrix printer and then faxed it. This of course was under sampled in away that looked truly horrible, but that was his goal, and manglement had never heard of Nyquist.

    2) "Fax is a niche technology and will never be common"

  6. GIRZiM

    And before you know it

    There's a new kind of social engineering hack: miscreants will threaten to upload an image of an arse with the the same date and time stamp as the last time you used the fax machine - if you don't want your employer to think you've been misusing company facilities (or that your arse is that huge/you wear grandma-knickers), give us backdoor access to your systems.

  7. Christian Berger

    What I've just noticed is...

    ... that this apparently only affects HPs Inkjet Fax machines. In a way that makes sense as laser faxes have little reason to interpret JPEG, as they are not good at printing "continuous tone images" as the standard calls them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022