HP’s critical patches blocked fax attacks on networked printers

Fax machines might seem an obsolete technology, but they’re still part of millions of multifunctional printers and can be exploited via phone networks to overrun an IT network. 

HP recently released patches for two critical flaws affecting dozens of its Inkjet printers that, it turns out, was because security researchers figured out how to hack its all-in-one printers with built-in fax functionality using a “maliciously crafted fax”. With a malicious payload, all an attacker needs to launch the attack is the target’s fax number. 

The worst case scenario is if that all-in-one HP printer is connected to the PSTN phone network in order to receive faxes, and an IT network connected to other PCs that can send print jobs over the network, according to the researchers at Check Point who notified HP of its printer issue. 

To drive home the hidden dangers of all-in-one printers, they used the NSA’s leaked Eternal Blue exploit, which encrypted files on 300 million PCs with WannaCry, to attack PCs on the same network as vulnerable HP printer-faxes.

The so-called “Faxploit” attack relies on protocols that comply with 1990s standards developed by the International Telecommunications Union (ITU) for handling fax transmissions, in this case ITU T.30.  

And while physical fax machines have vanished from desktops, there remain around 300 million fax numbers in use today that are probably connected to networked multifunctional printers. 

The in-built fax functionality is low-hanging fruit. As Check Point notes, the only information an attacker would need to launch an attack is the target’s fax number, which can quickly be found with a search on Google using the company’s name and “fax number” query. 

Check Point’s researchers only reported their findings to HP as they used its equipment to test the attack, but say it is likely other OEM’s multi-functional printers with fax are also vulnerable given the attack exploits flaws in the fax protocol itself to break into an IT network. 

“With merely a fax number as its sole piece of information, however, our team of researchers was able to penetrate though the vulnerabilities inherent in the fax protocol to gain access to an entire IT network,” the security firm notes. 

“This presents a completely new attack vector in the fifth generation of the cyber threat landscape from which cyber criminals could launch an offensive, targeting industries that hold even the most protected data.”

Organizations with extra sensitive data could opt to completely disconnect computer networks from the internet, but Check Point researchers argue their attack still applies since it relies on PSTN telephone lines rather than than the internet, provided the printer-fax is connected to the IT network via both ethernet and the PSTN line. 

“If you are no longer actually using the fax functionality in your all-in-one printer then we recommend you to disconnect the PSTN line,” the company warns.

The attack on fax machines relies on ITU T.30 extensions where modems tell each other the best transmission method based on what’s being exchanged, which historically has been TIFF format files for black and white transmissions. 

However, the researchers found after using a T.30 script that HP’s printers also supported a component of the ITU standard for JPEG that allowed them to send full color faxes in a way that gave the sender control over the JPEG file. They also exploited a custom JPEG parser made by the firmware developers that led to them to the two exploitable vulnerabilities. 

They chose CVE-2018-5924, a stack-based buffer overflow affecting HP Inkjet printers, because it allowed the full payload to be stored in a JPEG file on a target's printer, take over the printer’s LCD screen, and in turn allow the attacker to check if the printer’s network cable was connected. 

The real damage would occur if the attacker then used exploits such as Eternal Blue to hit a network of PCs the printer is also on, and taking control of it. 

“Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol. Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer,” they explain.

Tags HPPrinterfaxpstnmodem

Show Comments