Tag Archives: Machines
It’s tempting to think of fax machines as a relic, every bit as relevant as an eight-track tape. But fields like health care and government still rely on faxes every day. Even your all-in-one printer probably has a fax component. And new research shows that vulnerabilities in that very old tech could expose entire corporate networks to attack.
In fact, the surprising ubiquity of fax machines is what inspired Check Point researchers Yaniv Balmas and Eyal Itkin to analyze the tech’s present-day security posture. Vulnerable network printers are a classic target, and the researchers found that they could similarly exploit bugs in faxes to get inside private networks.
“Fax is an ancient technology, the protocols we use today haven’t been changed for the past 30 years,” Balmas says. “But everybody is still using fax and nobody really looks at it as a valid attack vector. So we thought, what if we could exploit a printer just by sending a malicious fax? In an all-in-one printer, one side is connected to the phone line and the other side is connected to the network. So if we could take over the device, we could then move into the internal network.”
Hackers have targeted fax machines for decades, and the technology is still insecure in basic ways. For example, fax data is sent with no cryptographic protections; anyone who can tap a phone line can instantly intercept all data transmitted across it. “Fax is perceived as a secure method of data transmission,” says Balmas. “That’s a huge misconception—it’s absolutely not secure.”
In addition to the lack of encryption, researchers say that the fax protocol—the industry standard description of how the technology should be incorporated into products—is documented in a very confusing way. As a result, they suspected that it was likely implemented improperly in many devices. When the researchers analyzed the Officejet line of fax-capable all-in-one printers from industry giant Hewlett-Packard, the found exactly the type of issue they had suspected.
The problem they discovered was a common issue known as a “stack overflow,” in which the structure that stores information about a running software program overloads, causing it to crash. Attackers can initiate stack overflows strategically to gain more access or privileges on a system. So the researchers crafted a malicious fax with data in it that would exploit the bug when sent to a vulnerable machine.
“The attack scenario is actually pretty simple,” Check Point’s Itkin says. “A malicious attacker wants to infiltrate a covert network, let’s say a bank. And the fax number for this bank is public, so he can get that number. On the bank side, if the printer that receives the fax is also connected to the internal network, then all the attacker needs to do is send a malicious fax to this phone number and automatically he will be inside the internal network of this bank. It’s crazily dangerous.”
An attacker could also embed an additional exploit into the malicious fax, so once the first phase of taking over the all-in-one printer is complete they can bore deeper into a company’s network from there. In a demo, the researchers show that they’ve taken over an HP Officejet printer by displaying a sinister image on its screen. Then they use the infamous Eternal Blue Windows exploit as an example of a hacking tool an attacker could deploy from there to gain deeper remote network access. The researchers say it currently takes less than one minute to transmit a fax with all of this code hidden inside it, and that they could potentially reduce the transmission time even more.
Balmas and Itkin disclosed the issue, which affects all Officejet printers regardless of model or version, to HP. And the company has released a patch that adds standard protections against stack overflows. “HP was made aware of a vulnerability in certain printers by a third party researcher,” HP spokesperson Luke Cuell told WIRED. “HP has updates available to mitigate risks and have published a security bulletin with more information. … We encourage customers to keep their systems updated to protect against vulnerabilities.” Many HP printers automatically download updates, but printer update adoption rates are often slow.
IT administrators have increasingly added authentication checks to network printers so that only authorized users can initiate printing—a safeguard that cuts down on the potential that a remote attacker could send a malicious print job. But the researchers say that the fax protocol doesn’t allow for such a mechanism. “There are absolutely no protections over fax,” Balmas says. “Even if you really wanted to do that there is no way. Fax is always sent unauthenticated, it’s a design thing, so no matter what you do I will still be able to send you this fax.”
For institutions and individuals the researchers say that the crucial safeguard comes from a conceptual understanding that plugging a printer into a phone line opens up an additional avenue for potential attack.
“The real solution would be to stop using fax,” Itkin says. “But if you can’t do that then probably the solution for organizations or home users would be to segregate the printers, put them in a separate network, so even if someone takes over the printer they won’t easily be able to propagate into the main network.”
You probably haven’t thought about fax machines—or used one—in forever. But some tech never dies; it just gets less and less secure.
More Great WIRED Stories
Is it just me or is the cyber landscape getting more scary? Even as companies and consumers get better at playing defense, a host of new cyber threats is at our doorsteps—and it’s unclear if anyone can keep them out.
My doom-and-gloom stems from the dire predictions of Aviv Ovadya, the technologist who predicted the fake news epidemic, and now fears an “information apocalypse” as the trolls turbo-charge their efforts with AI. He points to the impending arrival of “laser phishing” in which bots will perfectly impersonate people we know by scraping publicly available images and social media data. The result could be the complete demolition of an already-crumbling distinction between fact and fiction.
Meanwhile, the phenomenon of crypto-jacking—in which hackers hijack your computer to mine digital currency—has quickly morphed from a novelty to a big league threat. Last week, for instance, hackers used browser plug-ins to install malignant mining tools on a wide range of court and government websites, which in turn caused site visitors to become part of the mining effort.
The use of browser plug-ins to launch such attacks is part of a familiar strategy by hackers—treating third parties (in this case the plug-ins) as the weakest link in the security chain, and exploiting them. Recall, for instance, how hackers didn’t attack Target’s computer systems directly, but instead wormed their way in through a third party payment provider. The browser-based attacks feel more troubling, though, because they take place right on our home computers.
All of this raises the question of how we’re supposed to defend ourselves against this next generation of threats. One option is to cross our fingers that new technologies—perhaps Microsoft’s blockchain-based ID systems—will help defeat phishing and secure our browsers. But it’s also hard, in an age when our machines have run amok, to believe more machines are the answer.
For a different approach, I suggest putting down your screen for a day and picking up How to Fix the Future. It’s a new book by Andrew Keen, a deep thinker on Silicon Valley culture, that proposes reconstructing our whole approach to the Internet by putting humans back at the center of our technology. Featuring a lot of smart observations by Betaworks founder John Borthwick, the book could help us fight off Ovadya’s information apocalypse.
Have a great weekend.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Gartner forecasts 25B IoT-based installed devices by 2020, with 6.8B alone in smart cities. Smart machines will become a catalyst of Industrie 4.0 adoption across global governments. Spending by national, federal and local governments worldwide on technology products and services is forecast to grow from $ 430.1B in 2016 to $ 476.1B by 2020.
The FAA is endeavoring to minimize its data centers and harness the two clouds as much as possible- a kind of cloud computing termed hybrid …