Faxploit: Sending Fax Back to the Dark Ages

207 points | blopeur | 7 years ago | research.checkpoint.com

61 comments

[+] zaroth | 7 years ago
> Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol. Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer.

> We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.

This is a great piece of research and a beautiful write up which is extremely accessible to anyone interested in how these attacks are developed.

The twist at the end, of bundling NSA exploits for complete network takeover all starting from a faxed JPEG file with a malformed header, is icing on the cake.

[+] mamurphy | 7 years ago
If this starts showing up in the wild as a new attack vector, it would be great if companies/governments decided to abandon faxes and embrace email attachments as a response. If both are subject to vulnerabilities, are there any upsides to continuing to use fax?
[+] peterwwillis | 7 years ago
The only digital equivalent of a fax is:

1) Get a public IP address on the internet.
2) Put a server on the internet, with an open port, running software that can receive arbitrary files.
3) Connect to it from your computer and send it a file.
4) Receive confirmation that the remote server correctly received your whole file.

Everything else, like e-mail, depends on a chain of service providers and accounts to deliver and store content reliably over the network. Fax enables any person with a phone number to send documents to any person with a phone number. E-mail may seem similar (you need a phone service provider and a fax machine), but I think faxing is a less technically complicated solution, more reliable overall, and allows a lot more independence.

[+] pasbesoin | 7 years ago
The last I knew, in the U.S. the fax still carried some legal recognition/privileges that email did not.

For example, your doctor can fax a prescription to the pharmacist. Or a request for records to another doctor. A faxed copy of a signed contract carries some degree of official legal recognition/status (yeah, go figure).

Bog standard email did/does not carry such authority. Maybe closed email interconnects now do. For example, I think our area health care networks (we have 3 big ones, here) now support email requests for some things requiring authorization. But those emails are within their private network, and on private links between their networks where they've agreed to interconnect on such things.

Or they should be... Speaking more generally, I observe at least some doctors and offices emailing all sorts of stuff on the public, general Internet, that should actually remain protected.

(One of the reasons I expect the Internet to continue to be de facto locked down by authority (laws and rubber hoses, as opposed to technically complete "solutions"). People, including authority figures, insist upon using it as if it is secure. They have a lot of power, that will end up enforcing "security" through physical power against those who don't "obey the rules".)

[+] rmetzler | 7 years ago
German lawyers use fax, because the receipt shows the recipient has legally received the message. This is not the case with email. Therefore they created a different kind of electronic mail system (De-Mail [0]) they want people to subscribe to, so people can receive legally binding documents in an account they never look into.

I don't have any numbers about monthly active users and other relevant KPIs, but I bet they are really low.

[0]: https://en.wikipedia.org/wiki/De-Mail

[+] avip | 7 years ago
FWIW the country I live in has a law that forces all public services to accept requests over email. Though the motivation was to stop the well known "send us a fax" customer abuse vector.
[+] Spare_account | 7 years ago
Forgive me if this is self-evident or discussed in the article, my head was reeling by the time I got to the end. I'd appreciate it if anyone could confirm that I understand the situation correctly:

1. The buffer overflow identified exists in a JPEG parser that was written by HP from scratch. Therefore this exploit may only apply to the specific models of HP fax that utilise this firmware (and HP have already patched it, so a fix is available).

2. Disabling colour faxes would mitigate the vulnerability. (I've just scanned three years' worth of fax logs from our fax server and we've never received a colour fax).

3. These mitigations aside, the principle remains that fax is often present without any kind of security attached directly to the network and thought should be given to isolating fax infrastructure to reduce exposure to exploitation. (Additionally the constant and ongoing lobby to management to permanently retire fax should be maintained).
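
Point 1 above describes a buffer overflow in the parser for the JPEG that a colour fax carries, reached through a malformed header. As an added example (not code from the Check Point write-up or from HP's firmware), this is the defender's-side shape of the missing check in C: a segment walker that rejects any declared segment length that does not fit the received data, and a bounded payload copy. The function names and the sample byte strings are mine; the JPEG marker layout (SOI, length-prefixed segments, SOS) is standard.

```c
#include <stdint.h>
#include <string.h>

/* Walk the marker segments of a received JPEG header. Returns 1 only if every
 * segment's declared length fits inside the buffer, 0 otherwise. Markers other
 * than SOI/EOI/SOS are assumed to carry a 2-byte big-endian length that counts
 * itself, which is how JPEG header segments are laid out. */
int jpeg_segments_well_formed(const uint8_t *buf, size_t len) {
    size_t pos;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return 0; /* must open with SOI */
    for (pos = 2; pos + 2 <= len; ) {
        uint8_t marker;
        size_t seglen;
        if (buf[pos] != 0xFF) return 0;                 /* every marker starts with 0xFF */
        marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA) return 1; /* EOI or SOS: headers done */
        if (pos + 4 > len) return 0;                    /* no room for the length field */
        seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2) return 0;                       /* length counts itself; < 2 is bogus */
        if (seglen > len - (pos + 2)) return 0;         /* declared length overruns the data */
        pos += 2 + seglen;
    }
    return 0;                                           /* ran off the end before SOS/EOI */
}

/* Bounded copy of one segment's payload (the bytes after its length field) into
 * a fixed-size destination. Returns the payload length, or -1 if the declared
 * length is inconsistent with the buffer or too large for dst. A parser that
 * skipped these checks and copied `seglen` bytes straight into a fixed buffer is
 * the classic shape of a header-length overflow. */
int copy_segment_payload(const uint8_t *buf, size_t len, size_t pos,
                         uint8_t *dst, size_t dstlen) {
    size_t seglen;
    if (pos + 4 > len || buf[pos] != 0xFF) return -1;
    seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    if (seglen < 2 || seglen > len - (pos + 2)) return -1;
    if (seglen - 2 > dstlen) return -1;
    memcpy(dst, buf + pos + 4, seglen - 2);
    return (int)(seglen - 2);
}

/* Constructed samples (not real fax captures): SOI, one APP0 segment, then SOS.
 * JPEG_GOOD declares a 4-byte APP0 (2 length bytes + 2 payload bytes); JPEG_BAD
 * declares 0xFFFF bytes for a segment that only has 2 payload bytes behind it. */
const uint8_t JPEG_GOOD[] = {0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x4A,0x46, 0xFF,0xDA};
const uint8_t JPEG_BAD[]  = {0xFF,0xD8, 0xFF,0xE0,0xFF,0xFF,0x4A,0x46, 0xFF,0xDA};
```

Running the walker before any segment is interpreted turns a header that lies about its length into a rejected fax instead of a memory write past the end of a buffer.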

[+] edent | 7 years ago
1. That someone wrote. Maybe HP got it from an OEM and it is in dozens of manufacturers' machines.

2. Would mitigate this vulnerability. And, the nasty thing about this is that it could potentially rewrite your logs. You can't trust a compromised machine to tell the truth.

3. Yup.

[+] amaccuish | 7 years ago
As some have pointed out, some countries put more legal weight on a fax. That's just not a thing in Estonia, where everything is digitally signed with your ID card, so you either email or upload official documents.
[+] toomanybeersies | 7 years ago
In New Zealand, you can send practically any legal documents via email. I don't think you even need to have them signed, being sent from your email address counts as signing them. It makes sense really, forging a signature is actually trivial for most legal documents. Nobody ever looks very hard. It would be harder to access my email account and send an email than it would be to forge my signature.
[+] tehlike | 7 years ago
The same researcher, Eyal Itkin, found a number of vulnerabilities in cryptocurrencies (I am familiar with his Monero ones). Hats off!
[+] tearns | 7 years ago
So has anyone heard whether Dell or Xerox are also facing this vulnerability? Or if either have made a statement?

I've checked Dell's sites for updated firmware but for the models I would need, they haven't released a firmware upgrade since 2016.

[+] ehsankia | 7 years ago
I was watching a round table with Ridley Scott the other day where he admitted he still uses fax because it's more secure than e-mail [0]. Does anyone know how valid that claim is?

[0] https://www.youtube.com/watch?v=3_9bdVECQLo&t=20m37s

[+] toomanybeersies | 7 years ago
Fax isn't encrypted. If you wiretap the line, you can just read off any faxes. Email can be sent over TLS, and the email itself can be encrypted with PGP.

However, superficially, fax is more secure because there are no stored copies (maybe depending on the machine?). There's the original, and the copy that gets printed out on the other end. If you were to fax over a script for a movie, there wouldn't be a copy sitting on a disk on the receiving end, there would only be a printout. That's what Ridley Scott is alluding to in that video.