> <i>Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol. Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer.<p>We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.</i><p>This is a great piece of research and a beautiful write up which is extremely accessible to anyone interested in how these attacks are developed.<p>The twist at the end, of bundling NSA exploits for complete network takeover all starting from a faxed JPEG file with a malformed header, is icing on the cake.
If this starts showing up in the wild as a new attack vector, it would be great if companies/governments decided to abandon faxes and embrace email attachments as a response. If both are subject to vulnerabilities are there any upsides to continuing to use fax?
Forgive me if this self evident or discussed in the article, my head was reeling by the time I got to the end. I'd appreciate if it anyone could confirm that I understand the situation correctly:<p>1. The buffer overflow identified exists in a JPEG parser that was written by HP from scratch. Therefore this exploit may only apply to the specific models of HP fax that utilise this firmware (and HP have already patched it, so a fix is available).<p>2. Disabling colour faxes would mitigate the vulnerability. (I've just scanned three years worth of fax logs from our fax server and we've never received a colour fax).<p>3. These mitigations aside, the principle remains that fax is often present without any kind of security attached directly to the network and thought should be given to isolating fax infrastructure to reduce exposure to exploitation. (Additionally the constant and ongoing lobby to management to permanently retire fax should be maintained).
As some have pointed out, some countries put more legal weight on a fax. That's just not a thing in Estonia, where everything is digitally signed with your ID card, so you either email or upload official documents.
So has anyone heard whether Dell or Xerox are also facing this vulnerability? Or if either have made a statement?<p>I've checked Dell's sites for updated firmware but for the models I would need, they haven't released a firmware upgrade since 2016.
I was watching a round table with Ridley Scott the other day where he admitted he still uses fax because it's more secure than e-mail [0]. Does anyone know how valid that claim is?<p>[0] <a href="https://www.youtube.com/watch?v=3_9bdVECQLo&t=20m37s" rel="nofollow">https://www.youtube.com/watch?v=3_9bdVECQLo&t=20m37s</a>