Faxsploit – Exploiting A Fax With A Picture

Security researchers have found a way to remotely execute code on a fax machine by sending a specially crafted document to it. So… who cares about fax? Well apparently a lot of persons are still using it in many institutions, governments and industries, including the healthcare industry, legal, banking and commercial. Bureaucracy and old procedures tend to die hard.

This is one of those exploits that deserve proper attention, for many reasons. It is well documented and is a great piece of proper old school hacking and reverse engineering. [Eyal Itkin], [Yannay Livneh] and [Yaniv Balmas] show us their process in a nicely done article that you can read here. If you are into security hacks, it’s really worth reading and also worth watching the DEFCON video. They focused their attention in a all-in-one printer/scanner/fax and the results were as good as it gets.

Our research set out to ask what would happen if an attacker, with merely a phone line at his disposal and equipped with nothing more than his target`s fax number, was able to attack an all-in-one printer by sending a malicious fax to it.

In fact, we found several critical vulnerabilities in all-in-one printers which allowed us to ‘faxploit’ the all-in-one printer and take complete control over it by sending a maliciously crafted fax.

As the researchers note, once an all-in-one printer has been compromised, it could be used to a wide array of malicious activity, from infiltrating the internal network, to stealing printed documents even to mining Bitcoin. In theory they could even produce a fax worm, replicating via the phone line.

The attack summary video is bellow, demonstrating an exploit that allows an attacker to pivot into an internal network and taking over a Windows machine using Eternal Blue NSA exploit.

Just to show how legacy a tech fax is, did you know that the first experimental fax machine dates back to 1843? Yep, you read that right, even before the first phone line.

Leave a Reply

Your email address will not be published. Required fields are marked *