[BreachExchange] Attackers could ‘faxploit’ all-in-one printer to penetrate network and steal data

Destry Winant destry at riskbasedsecurity.com
Tue Aug 14 09:03:34 EDT 2018


https://www.csoonline.com/article/3297240/security/attackers-could-faxploit-all-in-one-printer-to-penetrate-network-and-steal-data.html#tk.rss_news

That all-in-one printer of yours may have fax capabilities that
attackers could exploit by sending maliciously crafted image data via
fax in order to take control of the printer, penetrate your network,
and exfiltrate files. That’s what Check Point researchers Yaniv Balmas
and Eyal Itkin warned attendees at Def Con 26.

Fax? Who still uses fax? The researchers said they Googled to find 300
million fax numbers still in use. And a fax number is all that an
attacker needs to potentially take complete control of an all-in-one
printer and “possibly infiltrate the rest of the network connected to
this printer.”

The researchers were able to “faxploit” an HP Officejet Pro 6830
all-in-one printer. As you may recall, HP recently released firmware
updates and advised users to patch ASAP. If you haven’t patched yet,
you might want to get on that, as no one wants to admit to being pwned
via antiquated fax.

As for that pwnage, the researchers “strongly believe that similar
vulnerabilities apply to other fax vendors, too, as this research
concerns the fax communication protocols in general.” Even the popular
online fax service fax2email uses the same protocol and may be
vulnerable.

Balmas admitted, “Nobody owns just a fax machine. Instead they own
all-in-one printers. Many are connected to vulnerable networks.” He
added, “We are able to take complete control over the printer just by
sending a malicious fax. There is no prerequisite for this attack. All
you need to do is send a malicious fax to the printer and you have
control.”

How an attack via fax works

Armed with a fax number, an attacker could send a malware-coded image
file to the target. The fax machine portion of an all-in-one printer
would then decode the image file and upload it to memory. An attacker
could then spread their malicious payload to the network, which is
accessible to the printer.

They added, “Once an all-in-one printer has been compromised, anything
is possible. It could be used to infiltrate the internal network,
steal printed documents, mine Bitcoin, or practically anything.”

In this case, after faxploiting the all-in-one printer, the
researchers opted “to use Eternal Blue in order to exploit any PC
connected to the same network, and use that PC in order to exfiltrate
data back to the attacker by sending … a fax.”

To our knowledge, we now had the first (publicly documented) printer
capable of using Eternal Blue and Double Pulsar to autonomously spread
an attacker’s payload over a computer network.

The researchers hope their hack acts as the “canary in the coal mine.”
They exploited the implementation of fax protocols defined in the
1980s and 1990s. “We believe that this security risk should be given
special attention by the community, changing the way that modern
network architectures treat network printers and fax machines. From
now on, a fax machine should be treated as a possible infiltration
vector into the corporate network.”

