There are very few cyber security scandals that caught the headlines like the Sony Pictures Hack. Thousands of documents were stolen and displayed online, including emails and messages between executives. In the wake of the hacks, Sony’s management team sought a way to avoid the vulnerabilities of email that caused such great problems. The result was they turned to fax machines.
While Sony might have been alone in the scale of the security attacks against them, they were not alone in looking for ways to protect their data from hackers and thieves. With data protection becoming more and more important to businesses, and the vulnerabilities of platforms like email becoming more and more obvious, companies are starting to seek other ways of protecting their data, and that has led them to fax.
The concern about email comes from its access to the internet, and how hackers can access accounts that should be protected. The technology is also widespread, which means it’s well-known to many hackers, with a near-endless volume of attempts to find weaknesses to take advantage of.
Fax machines, however, are old-fashioned pieces of technology not connected to the internet in the same way. They are analogue devices that transmit data through phone lines instead of over the internet. Fax machines have also fallen out of favour, which means they don’t provide the same value to hackers, resulting in the hardware falling under the radar.
Fax machines are essentially “off-the-grid” devices that can safely transfer sensitive data. At least, that is the theory.
But fax machines can be hacked — well, kind of.
Fax machines are digital devices, which means they have programmable computer elements that can be manipulated by external sources. However, there is a major difference between fax machines and emails, resulting in a misconception that they are safe for data transmission. You cannot hack into a fax machine and access what’s on it like you can an email. The fax machine as a unit is not what is vulnerable to hackers. Instead, it’s those pieces of technology connected to it that are hackable.
Hacking threats
There are two major hacking threats not often considered by those who use fax machines as a method of increasing security:
- Interception — It’s true that while on a fax machine, your data is secure. Why? Because a digital hacker cannot get the data from the machine as they would with an email portal. However, once that data is sent, it becomes vulnerable. Fax machines do not encrypt information; they are old-fashioned machines that don’t possess the ability to scramble and unscramble messages. That means the data is transmitted without any protection. Because it is sent using analogue lines, it’s not as easy to get hold of. But if a hacker were to intentionally infiltrate the line, they could access the data sent without any problems.
- Faxploit — Modern technology has become very good at protecting against malicious attacks through the use of firewalls. It doesn’t always work, as Sony proved, but it often takes very persistent and sustained attackers using sophisticated techniques to get past. This is not a problem for most small businesses. Fax machines, however, do not have firewalls protecting them — but they connect to your IT network, often through the internet or cables. Hackers can actually use fax machines as an unprotected backdoor to your computer network, using elementary, malicious programs to bypass the systems protecting your more advanced hardware and causing nightmare problems.
What is a Faxploit?
Faxploit is a method of computer network infiltration. It uses programs similar to other methods of hacking — such as malicious files — to gain unsolicited access to computers for criminal activity. This may be stealing data, conducting blackmail activities, or data manipulation. Only fax machines are vulnerable to faxploit, hence the name.
When a hacker attempts to infiltrate your system, he or she normally meets a firewall. A firewall protects against unwanted access and stops programs that could harm your network from getting onto your business computers. The keyword here is ‘normally’.
A fax machine does not have a firewall. Fax machines are old technology and aren’t built to fight digital threats. This is because they’ve never needed to, so investment in this technology seems superfluous. However, hackers have become aware of this. They’ve learned that fax machines are unprotected — yet they are often linked to IT networks of an entire business using the internet or cable connectivity because they connect to a multifunction printer or wifi.
Since there is no protection here, hackers can launch an attack on the fax machine, gain entry and then access your computer network, spreading malicious files by hopping around using internal connections.
Imagine your computers are all locked front doors, but your fax machine is an unlocked backdoor. You’re all tightly sealed up where you think you’re going to be targeted, but people have worked out that backdoor is unprotected, and can just slip right in, gaining the same access as if they managed to break down the locked entrance.
This is faxploit.
How Does Faxploit Work?
Your fax machine connects to your phone line, which has no protection.
Your fax machine is then connected to your IT network, which has protection from external threats — but not internal threats, as once something is in the system, it is trusted. Hackers can send malicious attacks through the phone line to your fax machine in the form of a script that runs on the device. The hardware has no way of stopping this happening, as there isn’t a function to prevent the script activating when the fax machine receives the message.
Why is that? Because when a fax machine receives data, it is programmed by design to take the information and turn it into a file without testing what it receives. The file is supposed to be an image file, but hackers have found a way to get it to run scripts that aren’t just images; programming scripts that let them take control of the hardware. The script then allows the hacker to gain access to the fax machine and search for connected networks. The hacker can then move through the network to remotely control computers on the system and engage their malicious files.
What happens after that is not ever going to be good news.
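Because the network trusts anything already inside it, one practical check is to watch for a fax device initiating connections to other internal hosts. The following is an added example, not part of the original article; the device addresses, the allow-list and the flow-record format are all constructed assumptions.

```python
import ipaddress

# Assumed inventory: addresses of fax-capable multifunction devices (constructed values).
FAX_DEVICES = {"10.0.5.20", "10.0.5.21"}
# Assumed allow-list: the only internal services a fax device should initiate to.
ALLOWED = {("10.0.1.10", 25),   # mail relay used for scan-to-email
           ("10.0.1.11", 53),   # DNS resolver
           ("10.0.1.12", 123)}  # NTP server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records in the form "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.0.5.20 10.0.1.10 25
2024-01-01T09:00:05 10.0.2.33 10.0.5.20 9100
2024-01-01T09:02:10 10.0.5.20 10.0.2.33 445
2024-01-01T09:02:11 10.0.5.20 10.0.2.34 445
2024-01-01T09:02:12 10.0.5.20 10.0.2.35 445
2024-01-01T09:03:00 10.0.5.21 10.0.1.11 53
malformed line
"""

def suspicious_flows(text):
    """Return flows where a fax device initiates an internal connection that is not allow-listed."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, port = parts[0], parts[1], parts[2], int(parts[3])
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is not a valid IP address
        if src in FAX_DEVICES and dst_ip in INTERNAL and (dst, port) not in ALLOWED:
            hits.append((ts, src, dst, port))
    return hits

def fan_out(hits):
    """Count distinct internal hosts each fax device contacted outside the allow-list."""
    seen = {}
    for _, src, dst, _ in hits:
        seen.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    hits = suspicious_flows(SAMPLE_FLOWS)
    for hit in hits:
        print("ALERT", *hit)
    print(fan_out(hits))
```

A fax device that suddenly contacts several workstations it has never initiated connections to before is the internal hopping described above, so the fan-out count is worth alerting on even when individual connections look harmless.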
How Can Your Business Protect against Faxploit?
There is only one way to really protect against the faxploit, and that is to ditch fax machines.
The core problem behind faxploit is that phone lines just don’t have built-in protection to stop emerging digital threats, and nor do fax machines. It would take a total reinvention of the technology to secure the platform completely. While the faxploit tested by Check Point was patched, that only protected against one very specific piece of code working. The basic flaw still exists in the fax machine, in that nothing is stopping it executing malicious scripts because it is designed to do what it’s told without question.
But this then creates another nightmare scenario. Fax machines might be old-fashioned and outdated, but any successful business knows they are still a significant player in the world of communication. Fax is still a major part of trade and relationships for many. Ditching the fax machine isn’t really an option.
Or is it?
eFax lets you ditch the fax machine without axing the fax. Our solutions enable fax transmission to continue through digital platforms. You can still communicate with old-fashioned fax machines, but all your documents and data transmit through computers or smartphones, not centuries-old hardware.
Make sure your business isn’t faxploited but can still send and receive fax! With eFax, you lose absolutely none of the functionality of the fax but gain much-needed security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.