Fax Machines Can Be Exploited to Infiltrate Organizations in Less Than a Minute

Fax machines may seem like harmless, quaint relics of a bygone era, secluded and safe from the perils of modern day, connected devices. But at the Def Con hacker conference in Las Vegas, security researchers said that unsecured fax lines jeopardize the safety of millions of companies.

That is because many companies use machines that combine fax, printer, and photocopier, which are connected to an internal network. If attackers break into that network, they would be able to use the access to hack into the organization.

The two researchers that presented the findings explained that some outdated protocols used by fax machines can be exploited with a fax containing a malicious payload.

Fax is weak. Data sent over fax is not encrypted, meaning that anyone who can tap into the phone line will be able to intercept all the data that is being sent. Furthermore, the researchers noted that the protocols are often implemented improperly, due to bad documentation of the industry standard.

Initially, attackers can exploit a common issue known as a stack overflow – which entails overloading and crashing part of the system in the fax machine – that, if done strategically, enables the attackers to gain access or privileges on a system.

The attackers can also include another exploit in the fax that initiates once the take over phase is done. The second exploit allows them to infiltrate deeper into the company’s network. Data for such an attack can be transmitted in less than one minute.

and said they were “surprised” by the extent to which fax was still used. There seems to be a lot of organizations, government agencies, banks and others that are still using fax

Though the technology is outdated, fax is still used in many organizations, including government agencies and banks. And there are many reasons that companies still choose to use. Speaking to the BBC, one of the researchers noted that “Fax is still considered as visual evidence in court but an email is not,” he said. “That’s why some government agencies require you to send a fax.”