Researchers at security vendor Check Point have demonstrated that it is possible to take control of a computer by sending a specially crafted fax to a multifunction device on the same network.
Over the years, security researchers have found many vulnerabilities in software that can be exploited via maliciously crafted image files. As a simple example, imagine that a particular file format calls for a certain element to be no longer than 64 bytes. If the software that processes this image type doesn't correctly check the length of that element, it may happen that any excess data spills over into an area of memory that contains code. So there's potential to create a malformed image file that includes code which is executed when the image is loaded.
Check Point researchers Eyal Itkin and Yaniv Balmas thought it might be possible to use this general approach to attack a multifunction device by sending a malicious fax to it .
With considerable effort, they found a series of critical vulnerabilities that allowed them to take complete control over an HP Officejet Pro 6830 in this way.
"Once an all-in-one printer has been compromised, anything is possible. It could be used to infiltrate the internal network, steal printed documents, mine Bitcoin, or practically anything," said the researchers
"Infiltrate the internal network"? Yes, it's that bad.
Having established a way to gain control over the all-in-one by sending it a fax, they further developed the payload to take over computers attached to the same network by using the EternalBlue exploit and the DoublePulsar backdoor implant tool, both of which are believed to have been developed by the US NSA, and after being leaked by the Shadow Brokers group have been used in ransomware.
Check Point did the right thing by notifying HP and not going public until the latter had released a patch to overcome the weaknesses.
A large number of models need the patch, including PageWide, Officejet, Designjet, Deskjet, Envy, Photosmart, and Smart Tank devices. Affected models are listed here, along with a link to the updated firmware. Owners are advised to install the update as soon as possible.
Itkin and Balmas said "Our research was done on HP Officejet all-in-one printers though this was merely a test-case. We strongly believe that similar vulnerabilities apply to other fax vendors too as this research concerns the fax communication protocols in general."
They further warned that "similar vulnerabilities are likely to be found in other fax implementation, such as fax-to-mail services, standalone fax machines, etc."
So if you own any device that has the ability to receive faxes, watch out for an update from its vendor. If an update isn't forthcoming, ask why. And ask yourself whether you really need fax any more - if the answer is no, the simplest fix might be to disconnect the phone cable.