Researchers at Check Point recently announced that they found a way to access a network by sending a fax. The vulnerability has been named “Faxploit”, and it allows an attacker to send a fax over a phone line that tricks vulnerable devices into running malware that is part of the fax image.
Since most fax devices are also connected to the network, the vulnerability can give the attacker access to an otherwise secure network over a simple phone line. According to Check Point, this could be used to gain entry to a network that has no Internet connection. HP has already issued a patch for this vulnerability on their All-In-One printer/copier/fax machines, but it is believed that devices from other manufacturers may also be vulnerable.
Over the years, I have been a staunch opponent of faxing, battling to eliminate it in every organization I have worked for. There are many reasons that faxing is not secure:
- Faxes are not encrypted. When a fax is sent over a phone line, anyone that can listen in on that phone line can intercept the fax using specialized equipment. Even most email is encrypted today, putting faxes at a distinct disadvantage.
- Faxes can be sent to the wrong number (Part 1). A bank that allowed commercial customers to fax their payroll in had a customer call in irate that their employees did not get paid. Upon investigation, it was discovered that the customer had pushed the wrong button and faxed their payroll request to another number. On top of not being paid, the employees had to be told that their account numbers and salaries had been disclosed to the local deli.
- Faxes can be sent to the wrong number (Part 2). It is one thing for a customer to accidently fax information to the wrong number, but bank employees are just as prone to mistakes. I have witnessed several incidents where a bank accidentally faxed transaction verifications to the wrong customer. This usually results in a breakdown of trust from both the intended recipient and the “accidental” recipient that can cause customers to take their business elsewhere.
- Faxes sit on machines. Once a fax is sent to the correct number, it may sit on top of a fax machine for a long time period before the intended recipient gets to it. During this time, information on the fax is viewable by anyone else in the vicinity.
On top of all of the common security problems listed above, the discovery of the Faxploit vulnerability by Check Point demonstrates that faxing may expose more than just the contents of a single document. We urge institutions that still exchange faxes containing customer information to seek other alternatives. While a few customers may be inconvenienced, they will usually understand once the problems of faxing are explained to them.
We help financial institutions identify and mitigate cybersecurity threats. If you believe that your institution could benefit from our services, please do not hesitate to reach out!