> Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol. Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer.
We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.
This is a great piece of research and a beautiful write up which is extremely accessible to anyone interested in how these attacks are developed.
The twist at the end, of bundling NSA exploits for complete network takeover all starting from a faxed JPEG file with a malformed header, is icing on the cake.
If this starts showing up in the wild as a new attack vector, it would be great if companies/governments decided to abandon faxes and embrace email attachments as a response. If both are subject to vulnerabilities are there any upsides to continuing to use fax?
1) Get a public IP address on the internet.
2) Put a server on the internet, with an open port, running software that can receive arbitrary files.
3) Connect to it from your computer and send it a file.
4) Receive confirmation that the remote server correctly received your whole file.
Everything else, like e-mail, depends on a chain of service providers and accounts to deliver and store content reliably over the network. Fax enables any person with a phone number to send documents to any person with a phone number. E-mail may seem similar (you need a phone service provider and a fax machine), but I think faxing is a less technically complicated solution, more reliable overall, and allows a lot more independence.
Doesn't calling a phone number rely on a chain of service providers as well? Your fax probably needs to be bounced through several companies and some of that infrastructure ends up shared with internet infra anyway.
Though I agree that for many end users sending a fax is easier and simpler, but that seems mostly because of experience and familiarity.
The big differences to me are that faxes don't need an "account" to send/receive files, the machines are simpler and cheaper, they have far fewer intermediary technical and user issues, and their network is way more reliable. If you depend on sending and receiving documents, faxes are light-years more reliable and less complicated than, say, e-mail.
Can you count the number of times an internet connection has gone down for a business, compared to the number of times the PSTN has gone down? Unless a truck takes out a utility pole, there's no contest. And the lack of obstructions for user access removes a whole slew of other issues.
> The big differences to me are that faxes don't need an "account" to send/receive files, the machines are simpler and cheaper, they have far fewer intermediary technical and user issues, and their network is way more reliable. If you depend on sending and receiving documents, faxes are light-years more reliable and less complicated than, say, e-mail.
You most definitely need an "account" with your telephony provider in order to receive anything.
I meant regarding e-mail (or any other internet file transfer service). Your e-mail account, and that of your recipient, are accounts used to authorize access. If either you or your recipient lose account access, you cannot send and receive files. This happens all the time, like when your corporate ID gets locked for no reason, or a user forgets their password, or some other problem occurs.
Faxes require no such accounts. Just plug the machine in to a phone line and send a document.
More accurately, faxes do not support accounts. Faxes assume that a single phone line has a single user, like machines on computer networks in the bad old days. The modern equivalent would be using a single email account for the entire company and posting the password around the office.
I recently had to send some things by fax (and actually do have a fax machine), and had trouble with the remote fax server disconnecting in the middle. I finally figured out part of the problem was it did not like the direction I was feeding the pages. But there was no worthwhile error message, and the connection only errored out several pages in.
Also the quality is kind of crap. One of the pages was unreadable, so after having sent the "official" version as a fax (they accepted faxed raised-seal documents as originals), I had to follow up with a higher quality color scan anyway.
Still your point about it being P2P, relying on just the physical network and its addressing is appreciated and duly noted.
> Can you count the number of times an internet connection has gone down for a business, compared to the number of times the PSTN has gone down?
I will give you that point, but counter with this: fax machines rely on printers, which IME are one of the least reliable pieces of technology. A printer being jammed/broken is far more common than losing internet connectivity.
And business people nowadays can check their email on a cellphone. Even if they don't, the email will still be there when they get back online. A mangled fax or one received when the power's out can be permanently lost.
In fact, it is possible for telephony providers to recognize fax signals, decode them themselves and just send the decoded bits over the connection, then re-generate the fax sounds at the other end. See https://en.wikipedia.org/wiki/T.38 .
Reliable? Depends on the implementation I guess. If it's competing with a phone line they might not get it. We used fax to communicate with far flung doctors offices and it was nothing but trouble. The process of sending or receiving a fax often entailed calling back and forth to ensure that it arrived and re-sending.
It doesn't need to be that equivalent though. Some changes can be / are beneficial.
The last time I had to send a fax was when my bank account had fraudulent charges made against it. My now-former bank wanted me to fill out a form — fine — which they would only snail-mail or fax to me.
This form could simply be hosted on their website, as a PDF. In fact, the form I received had something like Z:\BigBankCo_Shared\Docs\Forms\Fraud.docx on the bottom of it, and in the end, I gave them a number of a service that automatically converts faxes into PDFs in emails.
Now, they wanted me to fax (or snail mail) it back. An email with an attachment to a support address, such as fraud-form-returns@bigbank.example.com, would have sufficed. Directly, bit for bit equivalent? No. Gets the job done? Yes.
All together, the entire thing was a few simple questions (my info, information about the transactions, and a statement essentially swearing up and down it wasn't my fault) that could also have just been gathered by an HTML form.
(And, I'm not saying these should replace the snail mail/fax; keep them, if there is sufficient demand for them. Which I suspect that once you have an HTML form, there won't be.)
The official protocols do support this, true, but nearly all of the major email service providers (e.g., Gmail, etc) will assume your email is spam if you send it from your own random mail server.
I think there's an assumed split between infrastructure providers (ISP, PSTN, telco) and service providers (webmail, hosting, etc.) and fax only needs the former.
Ok, so, we're all agreeing on the same thing. The internet method I proposed is the same as faxing, but anything else requires more service providers, machines and steps.
An FTP server that also then does some processing on the received file. It’s the processing that opens the machine up to exploit, not the receiving of the data.
The last I knew, in the U.S. the fax still carried some legal recognition/privileges that email did not.
For example, your doctor can fax a prescription to the pharmacist. Or a request for records to another doctor. A faxed copy of a signed contract carries some degree of official legal recognition/status (yeah, go figure).
Bog standard email did/does not carry such authority. Maybe closed email interconnects now do. For example, I think our area health care networks (we have 3 big ones, here) now support email requests for some things requiring authorization. But those emails are within their private network, and on private links between their networks where they've agreed to interconnect on such things.
Or they should be... Speaking more generally, I observe at least some doctors and offices emailing all sort of stuff on the public, general Internet, that should actually remain protected.
(One of the reasons I expect the Internet to continue to be de facto locked down by authority (laws and rubber hoses, as opposed to technically complete "solutions"). People, including authority figures, insist upon using it as if it is secure. They have a lot of power, that will end up enforcing "security" through physical power against those who don't "obey the rules".)
> The last I knew, in the U.S. the fax still carried some legal recognition/privileges that email did not.
Much of this is the direct consequence of fax being carried over the POTS copper telephone network, where there is some belief (not necessarily accurate in today's world) that the link between sender and receiver over a POTS line is free of "men in the middle". Therefore fax is viewed as 'secure' due to this belief.
In really olden times, you had to talk to the switchboard operator to connect your call. It was free of men in the middle only by dint of the fact that most operators were women.
Partly, but also because it is easier to authenticate as not being spoofed or faked. Faxes have a 'sending number' that is transmitted as part of the protocol, and caller ID allows checking the source, whereas email senders can be very easily changed. However, even the fax may not be secure enough - I worked for a gold bullion trading firm in the 90s where they used faxes for secondary trade confirmation, but sent a telex with the data as the main mechanism, because the telex network was considered more secure than the PSTN and relying on fax sender numbers.
They also used X.25 a lot, as they didn't trust the fancy new TCP/IP stuff that was around, though, so there's that...
> Partly, but also because it is easier to authenticate as not being spoofed or faked. Faxes have a 'sending number' that is transmitted as part of the protocol, and caller ID allows checking the source, whereas email senders can be very easily changed.
In the US, there is a widespread problem of robocalls that appear to originate from the same exchange as the phone number assigned to the cell phone. Couldn't this also affect faxes?
Unlike email, caller id does not have the equivalent of SPF[1], DKIM[2] or DMARC[3].
Yeah, I should have emphasized the historical aspect more - this was the nineties, when those protocols didn't exist and SSL wasn't as widely deployed. Although, it's probably still a sort of vestigial, holdover opinion from then, even now?
This is an unfortunate historical accident of fax and paper coming first. They are not subject to the same security rigor that other IT services are. And a recipe for lost health information and poor patient outcomes.
I wonder if we could actually get gpg in use here; it's already a tightly regulated, controlled environment, so we might be able to push through actually standardizing on it, and being able to verify that something truly was signed by a doctor and then encrypt it in transit would be really useful.
The web of trust isn't really helpful here. Ideally we'd have government run certification authorities issuing official X.509 certificates to individuals and corporations.
If both are subject to vulnerabilities are there any upsides to continuing to use fax?
Like a lot of things in the world, actual use comes down to practicality. There hasn't been a big enough scandal, yet, with regard to legal recognition of faxed documents. And it's a legacy format that remains in place, that allows for immediate communication of same. So, people use it.
Thinking of this reminds me of U.S. voter registration and voting. Right now, we have a manufactured political uproar about supposed fraud and abuse of the extant systems. But studies have shown this to be very negligible. Yes, in theory voter registration in the states and municipalities could be further "secured". But, up until this use as a political tool, doing so wasn't viewed as necessary. Localities did a sufficient job of managing registration and identification of their own bases.
And actually, the "security" of voter registration had to be forcibly loosened, in order to prevent it from being used as a tool of disenfranchisement (e.g. difficult tests to pass, in order to register -- but only for African Americans).
Faxes aren't really "secure". But they are used to put an official, sanctioned imprimatur on what is already understood and happening, anyway, when the parties involved aren't immediately face-to-face.
Maybe there are some cases over whether a faxed signature is genuine, but these apparently haven't risen in prominence to the point of derailing the faxed signature as legal mechanism. They would have a lot of convenience and "efficiency" -- these days, "necessity" -- to outweigh, before they would do so.
German lawyers use fax, because the receipt shows the recipient has legally received the message. This is not the case with email. Therefore they created a different kind of electronic mail system (De-Mail [0]) they want people to subscribe to, so people can receive legally binding documents in an account they never look into.
I don't have any numbers about monthly active users and other relevant KPIs, but I bet they are really low.
FWIW the country I live in has a law that forces all public services to accept requests over email. Though the motivation was to stop the well known "send us a fax" customer abuse vector.
Forgive me if this is self evident or discussed in the article, my head was reeling by the time I got to the end. I'd appreciate it if anyone could confirm that I understand the situation correctly:
1. The buffer overflow identified exists in a JPEG parser that was written by HP from scratch. Therefore this exploit may only apply to the specific models of HP fax that utilise this firmware (and HP have already patched it, so a fix is available).
2. Disabling colour faxes would mitigate the vulnerability. (I've just scanned three years worth of fax logs from our fax server and we've never received a colour fax).
3. These mitigations aside, the principle remains that fax is often present without any kind of security attached directly to the network and thought should be given to isolating fax infrastructure to reduce exposure to exploitation. (Additionally the constant and ongoing lobby to management to permanently retire fax should be maintained).
1. That someone wrote. Maybe HP got it from an OEM and it is in dozens of manufacturers' machines.
2. Would mitigate this vulnerability. And, the nasty thing about this is that it could potentially rewrite your logs. You can't trust a compromised machine to tell the truth.
As some have pointed out, some countries put more legal weight on a fax. That's just not a thing in Estonia, where everything is digitally signed with your ID card, so you either email or upload official documents.
In New Zealand, you can send practically any legal documents via email. I don't think you even need to have them signed, being sent from your email address counts as signing them. It makes sense really, forging a signature is actually trivial for most legal documents. Nobody ever looks very hard. It would be harder to access my email account and send an email than it would be to forge my signature.
It's a common misconception that sending something "from your email address" requires any degree of accessing your email account. It does not. The visible "From" is transmitted as a regular header and you are free to modify it at will, much like the Subject line.
Some low-level clients make this easier (say, Mutt) but most clients allow you to do so. For instance, all desktop and mobile apps, such as Outlook, Thunderbird and Apple Mail have an Accounts setting screen where you can change your "sender" email address. You can write anything you want in that field.
Online services, such as GMail, require you to have access to the addresses you wish to use as "sender", but they are the exception. Anybody can still use your GMail address as sender in their emails. (Anti-SPAM features such as SPF notwithstanding.)
Indeed, but putting sociopolitical (read: secretary-implemented) weight on something so easily confused (View Original Message > manually decipher headers, vs "From:") sounds... uninformed and underfunded, at the very least, to me.
I was watching a round table with Ridley Scott the other day where he admitted he still uses fax because it's more secure than e-mail [0]. Does anyone know how valid that claim is?
Fax isn't encrypted. If you wiretap the line, you can just read off any faxes. Email can be sent over TLS, and the email itself can be encrypted with PGP.
However, superficially, fax is more secure because there are no stored copies (maybe depending on the machine?). There's the original, and the copy that gets printed out on the other end. If you were to fax over a script for a movie, there wouldn't be a copy sitting on a disk on the receiving end, there would only be a printout. That's what Ridley Scott is alluding to in that video.
Haha no. Telcos have had a tapping mentality for a long time. It's not advertised, but it's clearly there.
So, if we go from there and then take something like https://theintercept.com/2018/06/25/att-internet-nsa-spy-hub... and consider the complexity of that, then ponder XKEYSCORE and so forth, yes, absolutely ISPs store faxes __precisely because they're unencrypted__ and __precisely because they're routinely used for medical and other sensitive data__.
Or the NSA isn't worth its $1B/yr.
I don't know Ridley Scott, but he needs to talk to a nice security researcher at some point, someone whose feet are on the ground and who likes sharing honestly.
While it would be great if everyone used PGP, I don't think you can guarantee that interim SMTP servers (of which there could be several on your email's path to its recipient) will communicate with each other over TLS, or that your end user will download the email over a secure connection either. So, wiretapping your email is definitely something that can happen even if you send it securely.
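Two points raised in this thread, that the visible "From:" line is just a header anyone can write (and that SPF and friends are what actually push back on that), and that TLS between SMTP hops is never guaranteed, can both be checked from the receiving side by reading the headers the receiving mail servers add. The script below is an added example, not code from any commenter or from the fax research; the message it parses is constructed, and every hostname, IP and message id in it is a placeholder. It shows that the address in "From:" is worth nothing on its own and that a receiver should instead read the Authentication-Results verdicts (SPF/DKIM/DMARC, recorded by its own MTA) and the "with ESMTPS" versus "with ESMTP" keywords in each Received: header, which reveal which hops were plaintext.

```python
"""Defender-side header inspection (added example, constructed data).

The visible From: is a free-text header. What a receiver can actually trust is
(a) the Authentication-Results header written by its own MTA, which records
the SPF, DKIM and DMARC verdicts, and (b) the Received: trace, where each hop
says "with ESMTPS"/"ESMTPSA" (TLS) or "with ESMTP"/"SMTP" (plaintext).
"""
import re
from email import message_from_string
from email.message import Message

# Constructed sample: From: claims alice@example.com, the envelope sender is a
# different domain, DMARC fails on the From domain, and the middle hop
# (relay.example.net -> mx2.example.org) was plaintext. All names are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby inbox.example.org with ESMTPS id abc123; Mon, 13 Aug 2018 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.org with ESMTP id def456; Mon, 13 Aug 2018 10:00:01 +0000
Received: from laptop.local (unknown [203.0.113.5])
\tby relay.example.net with ESMTPS id ghi789; Mon, 13 Aug 2018 10:00:00 +0000
Authentication-Results: inbox.example.org;
\tspf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: Alice <alice@example.com>
To: bob@example.org
Subject: Faxed contract attached

(body)
"""

TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS"}


def _domain(addr_header: str) -> str:
    """Domain part of an address header such as 'Alice <alice@example.com>'."""
    m = re.search(r"@([\w.-]+)", addr_header)
    return m.group(1).lower() if m else ""


def parse_auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())  # unfold continuation lines
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def hop_transport(msg: Message) -> list:
    """For each Received: header (topmost = final hop) return (receiving host, used_tls)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        by = re.search(r"\bby\s+(\S+)", flat)
        with_kw = re.search(r"\bwith\s+(\S+)", flat)
        proto = with_kw.group(1).upper() if with_kw else ""
        hops.append((by.group(1) if by else "?", proto in TLS_KEYWORDS))
    return hops


def assess(msg: Message) -> dict:
    """Combine the checks into what a receiver should act on instead of From:."""
    auth = parse_auth_results(msg)
    hops = hop_transport(msg)
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "aligned": from_domain == envelope_domain,
        "auth": auth,
        "trust_from": auth.get("dmarc") == "pass",  # only DMARC pass ties From: to a verified domain
        "plaintext_hops": [host for host, tls in hops if not tls],
        "all_hops_tls": all(tls for _, tls in hops),
    }


def assess_sample() -> dict:
    """Run the checks over the constructed message."""
    return assess(message_from_string(SAMPLE))


if __name__ == "__main__":
    for key, val in assess_sample().items():
        print(f"{key:16} {val}")
```

Run as-is it reports that the From: domain (example.com) is not aligned with the envelope sender, that DMARC failed so the From: line should not be trusted, and that the mx2.example.org hop received the message in the clear. Note that only the topmost Received: headers were written by hosts you control; anything below the first hop you trust can itself have been forged by the sender, which is exactly why the Authentication-Results verdicts from your own MTA, not the trace, decide the question.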