
Faxploit: Sending Fax Back to the Dark Ages - blopeur
https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
======
zaroth
> _Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were
> able to demonstrate the security risk that lies in a modern implementation
> of the fax protocol. Using nothing but a phone line, we were able to send a
> fax that could take full control over the printer, and later spread our
> payload inside the computer network accessible to the printer._
>
> _We believe that this security risk should be given special attention by the
> community, changing the way that modern network architectures treat network
> printers and fax machines. From now on, a fax machine should be treated as a
> possible infiltration vector into the corporate network._

This is a great piece of research and a beautiful write up which is extremely
accessible to anyone interested in how these attacks are developed.

The twist at the end, of bundling NSA exploits for complete network takeover
all starting from a faxed JPEG file with a malformed header, is icing on the
cake.

------
mamurphy
If this starts showing up in the wild as a new attack vector, it would be
great if companies/governments decided to abandon faxes and embrace email
attachments as a response. If both are subject to vulnerabilities, are there
any upsides to continuing to use fax?

~~~
peterwwillis
The only digital equivalent of a fax is:

1) Get a public IP address on the internet.
2) Put a server on the internet, with an open port, running software that can
   receive arbitrary files.
3) Connect to it from your computer and send it a file.
4) Receive confirmation that the remote server correctly received your whole
   file.

Everything else, like e-mail, depends on a chain of service providers and
accounts to deliver and store content reliably over the network. Fax enables
any person with a phone number to send documents to any person with a phone
number. E-mail may seem similar (you need a phone service provider and a fax
machine), but I think faxing is a less technically complicated solution, more
reliable overall, and allows a lot more independence.

~~~
varenc
Doesn't calling a phone number rely on a chain of service providers as well?
Your fax probably needs to be bounced through several companies and some of
that infrastructure ends up shared with internet infra anyway.

Though I agree that for many end users sending a fax is easier and simpler,
but that seems mostly because of experience and familiarity.

~~~
peterwwillis
The big differences to me are that faxes don't need an "account" to
send/receive files, the machines are simpler and cheaper, they have far fewer
intermediary technical and user issues, and their network is way more
reliable. If you depend on sending and receiving documents, faxes are
light-years more reliable and less complicated than, say, e-mail.

Can you count the number of times an internet connection has gone down for a
business, compared to the number of times the PSTN has gone down? Unless a
truck takes out a utility pole, there's no contest. And the lack of
obstructions for user access removes a whole slew of other issues.

~~~
vageli
> The big differences to me are that faxes don't need an "account" to
> send/receive files, the machines are simpler and cheaper, they have far
> fewer intermediary technical and user issues, and their network is way more
> reliable. If you depend on sending and receiving documents, faxes are
> light-years more reliable and less complicated than, say, e-mail.

You most definitely need an "account" with your telephony provider in order to
receive anything.

~~~
peterwwillis
I meant regarding e-mail (or any other internet file transfer service). Your
e-mail account, and that of your recipient, are accounts used to authorize
access. If either you or your recipient lose account access, you can not send
and receive files. This happens all the time, like when your corporate ID gets
locked for no reason, or a user forgets their password, or some other problem
occurs.

Faxes require no such accounts. Just plug the machine in to a phone line and
send a document.

~~~
Hello71
More accurately, faxes _do not support_ accounts. Faxes assume that a single
phone line has a single user, like machines on computer networks in the bad
old days. The modern equivalent would be using a single email account for the
entire company and posting the password around the office.

------
Spare_account
Forgive me if this is self-evident or discussed in the article, my head was
reeling by the time I got to the end. I'd appreciate it if anyone could
confirm that I understand the situation correctly:

1\. The buffer overflow identified exists in a JPEG parser that was written by
HP from scratch. Therefore this exploit may only apply to the specific models
of HP fax that utilise this firmware (and HP have already patched it, so a fix
is available).

2\. Disabling colour faxes would mitigate the vulnerability. (I've just
scanned three years' worth of fax logs from our fax server and we've never
received a colour fax).

3\. These mitigations aside, the principle remains that fax is often present
without any kind of security attached directly to the network and thought
should be given to isolating fax infrastructure to reduce exposure to
exploitation. (Additionally the constant and ongoing lobby to management to
permanently retire fax should be maintained).

~~~
edent
1\. That _someone_ wrote. Maybe HP got it from an OEM and it is in dozens of
manufacturers' machines.

2\. Would mitigate _this_ vulnerability. And, the nasty thing about this is
that it could potentially rewrite your logs. You can't trust a compromised
machine to tell the truth.

3\. Yup.

~~~
Spare_account
Sorry for the late reply. Thank you for taking the time to respond.

------
amaccuish
As some have pointed out, some countries put more legal weight on a fax.
That's just not a thing in Estonia, where everything is digitally signed with
your ID card, so you either email or upload official documents.

~~~
toomanybeersies
In New Zealand, you can send practically any legal documents via email. I
don't think you even need to have them signed, being sent from your email
address counts as signing them. It makes sense really, forging a signature is
actually trivial for most legal documents. Nobody ever looks very hard. It
would be harder to access my email account and send an email than it would be
to forge my signature.

~~~
etatoby
It's a common misconception that sending something "from your email address"
requires any degree of accessing your email account. It does not. The visible
"From" is transmitted as a regular header and you are free to modify it at
will, much like the Subject line.

Some low-level clients make this easier (say, Mutt) but most clients allow you
to do so. For instance, all desktop and mobile apps, such as Outlook,
Thunderbird and Apple Mail have an Accounts setting screen where you can
change your "sender" email address. You can write anything you want in that
field.

Online services, such as GMail, require you to have access to the addresses
you wish to use as "sender", but they are the exception. Anybody can still use
your GMail address as sender in their emails. (Anti-SPAM features such as SPF
notwithstanding.)

~~~
toomanybeersies
I'm aware of email spoofing, but there are measures to protect against this,
like SPF as you mentioned, as well as DKIM.

~~~
exikyut
Indeed, but putting sociopolitical (read: secretary-implemented) weight on
something so easily confused (View Original Message > manually decipher
headers, vs "From:") sounds... uninformed and underfunded, at the very least,
to me.
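
The point made in the comments above (the visible From: is an ordinary header, and SPF or DKIM only help when their result is tied back to that header) as an added example that is not part of the thread. The authserv-id `mx.example.net`, both sample messages and the simplified alignment rule are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own MTA

# Constructed sample: SPF passes, but only for the envelope sender's domain;
# the visible From: header names an unrelated domain.
SPOOFED = (
    "Authentication-Results: mx.example.net;"
    " spf=pass smtp.mailfrom=bounce@mailer.example.org; dkim=none\n"
    'From: "Alice" <alice@lawfirm.example>\n'
    "Subject: Signed contract\n\nPlease find the contract attached.\n"
)
# Constructed sample: the DKIM signing domain matches the From: domain.
ALIGNED = (
    "Authentication-Results: mx.example.net;"
    " spf=fail smtp.mailfrom=bounce@mailer.example.org;"
    " dkim=pass header.d=lawfirm.example\n"
    'From: "Alice" <alice@lawfirm.example>\n'
    "Subject: Signed contract\n\nPlease find the contract attached.\n"
)

def domain_of(value):
    """Domain part of an address, or the value itself if it is a bare domain."""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def aligned(auth_domain, from_domain):
    # Simplification of DMARC relaxed alignment: same domain or a subdomain.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def from_is_authenticated(raw):
    """True only if a passing SPF or DKIM result covers the visible From: domain."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if not from_domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # the sender can add this header too; trust only our MTA's
        for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
            pat = rf"\b{method}=pass\b[^;]*?\b{re.escape(prop)}=([^\s;]+)"
            m = re.search(pat, results)
            if m and aligned(domain_of(m.group(1)), from_domain):
                return True
    return False

if __name__ == "__main__":
    print(from_is_authenticated(SPOOFED), from_is_authenticated(ALIGNED))
```

The first sample is the case a reader looking only at "From:" cannot see: SPF reports pass, yet nothing authenticates the address that is displayed.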

------
tehlike
The same researcher, Eyal Itkin, found a number of vulnerabilities in
cryptocurrencies (I am familiar with his Monero ones). Hats off!

------
tearns
So has anyone heard whether Dell or Xerox are also facing this vulnerability?
Or if either have made a statement?

I've checked Dell's sites for updated firmware but for the models I would
need, they haven't released a firmware upgrade since 2016.

------
ehsankia
I was watching a round table with Ridley Scott the other day where he admitted
he still uses fax because it's more secure than e-mail [0]. Does anyone know
how valid that claim is?

[0] https://www.youtube.com/watch?v=3_9bdVECQLo&t=20m37s

~~~
toomanybeersies
Fax isn't encrypted. If you wiretap the line, you can just read off any faxes.
Email can be sent over TLS, and the email itself can be encrypted with PGP.

However, superficially, fax is more secure because there are no stored copies
(maybe depending on the machine?). There's the original, and the copy that
gets printed out on the other end. If you were to fax over a script for a
movie, there wouldn't be a copy sitting on a disk on the receiving end, there
would only be a printout. That's what Ridley Scott is alluding to in that
video.

~~~
Zenst
There are secure fax machines that utilise encryption, require ISDN, and have
been used by the UK government since the 90s (unsure if still used, but
probable).

~~~
exikyut
Presumably one of each is needed at both ends?

How is the encryption done? Password?

I've never heard about anything like this; fax machines have always been the
POTS analog kind over in Australia.

~~~
Zenst
Used ISDN and had the fax machine plugged into the encryption box and that
into the ISDN wall socket.

Though no reason why such an approach could be utilised for POTS-based FAX
machines.

As for the encryption - was pre-shared key type affair and unable to elaborate
further.

