Fax machines can be hacked to breach a network, using only its number (2018)

102 points | DanBC | 6 years ago | healthcareitnews.com

10 comments

[+] EamonnMR|6 years ago|reply
> Security researchers have long bemoaned the use of fax machines, as the antiquated devices pose real privacy issues when it comes to transmitting patient data. Considering that an estimated 75 percent of all healthcare communications are still processed by fax, the security threat is real.
[+] CodesInChaos|6 years ago|reply
The article claims that the flaw is in the fax protocol itself. But it also claims that it's a buffer overflow leading to RCE, which would be an implementation flaw, not a protocol flaw.

Can anybody explain that contradiction?

[+] NortySpock|6 years ago|reply
In the talk linked by c7h elsewhere in this comment section, a buffer-overflow exploit was found in the JPG library that allowed remote code execution. Since some fax machines support JPGs for transmitting color faxes, those fax machines were vulnerable.
[+] downrightmike|6 years ago|reply
"The researchers used an HP all-in-one printer/fax machine, although the vulnerability is found in the fax protocol itself. Check Point worked with HP to make sure the product received a patch for the vulnerability, but other fax machines may still have the flaw." HP had the issue, which is apparently patched.
[+] hollander|6 years ago|reply
In essence you have to disconnect the fax from the network, and the network is safe. The downside is that printing-to-fax doesn't work, and you need another machine for either printing or faxing.
[+] adolph|6 years ago|reply
That may work in some contexts. In larger organizations most fax machines have no print/scan components, they are conduits to the document management system and from the EHR. Hopefully (??) those get patched more quickly than all-in-one hardware.