The critical data risk of the humble fax machine
With the advent of GDPR, risk managers are already advised to undertake risk assessments to ensure technical and organisational measures are robust enough to secure their data. However, new research by security software provider Check Point has found a critical data risk in the humble fax machine.
While it’s now nowhere near its heights of the 1980s and 90s, fax machine use remains ubiquitous in some industries. According to some estimates, there are approximately 46.3 million active fax machines in the world. In the banking sector, businesses still rely on faxes when conducting overseas business or sending signed documents, with their perceived security considered a major asset. The same is true for healthcare, with almost 9,000 machines in operation in the NHS alone, while both the legal industry and government departments rely on fax machines to send hand-signed legal documents or sensitive information. After the Sony hack in 2014, Hollywood executives allegedly resorted to faxing handwritten notes to each other, as they were considered more secure than the company’s emails.
According to Check Point’s findings, many fax machines are open to infiltration by hackers, thanks to their use of an unencrypted telephone line to receive information. The vulnerability of the network stems from the fact that fax machines are generally connected to the outside world via telephone line and to the company’s IT network via Ethernet cable.
The ‘Faxploit’ hack takes advantage of vulnerabilities in the fax machine’s communication protocols, which have remained unchanged since the 1980s. Hackers can upload a malicious ‘fax’ to the machine simply by using its fax number. This overloads the machine’s software programme and causes it to crash, a flaw known as a stack overflow. The hackers can then take control and infiltrate the rest of the network to target computers for their own gain, such as stealing sensitive information, locking down the network with ransomware or simply instructing the computer to send them a copy of every fax transmitted to the target’s bank.
In an interview with Wired, Check Point’s Yaniv Balmas said: “Fax is perceived as a secure method of data transmission. That’s a huge misconception—it’s absolutely not secure… There are absolutely no protections over fax. Even if you really wanted to do that there is no way. Fax is always sent unauthenticated … no matter what you do I will still be able to send you this fax.”
Until Check Point’s research, the telephone line was considered safe, but this vulnerability means that even offices which are not connected to the internet can be affected. And while the initial research was carried out on fax machines manufactured by HP, the same protocols can be exploited in a wide variety of other makes and models, including all-in-one printer fax machines and possibly even online fax services.
Secure your network
In most organisations, the IT network is set up for business efficiency and operational needs, with security considered a means to ensure the continuation of these two elements. This can mean that once a hacker has breached the outer defences of a network such as a standard firewall, there is little to stop them moving from one computer to another.
The safest way to prevent these attacks is to stop using fax altogether and to disconnect the machines from the network. However, where this is not feasible, risk managers must work with the IT department to ensure the organisation’s network is properly segmented. This minimises access to different parts of the network for those without authorisation, limiting an attacker’s ability to move across from one computer to another. The fax machine can be separated from the rest of the network through additional firewalls or a virtual local area network (VLAN), which is a partitioned and isolated domain within the network. While this additional layer of security can be a challenge to implement while maintaining the same level of efficiency, it is nevertheless a valuable strategy for protecting the organisation from outside threats.
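The segmentation described above, sketched as an nftables ruleset for a Linux router or firewall that sits between the VLANs. This is an added example, not configuration from Check Point, HP or the original article. The interface names, subnets, mail relay address and port choices are constructed assumptions and need adapting to the real network.

```nftables
# Constructed example values (assumptions, not from the article):
#   eth0.30     fax / all-in-one printer VLAN, 10.0.30.0/24
#   eth0.10     staff workstation VLAN,        10.0.10.0/24
#   10.0.20.25  internal mail relay used for fax-to-email delivery
table inet fax_segment {
    chain forward {
        # Leave unrelated traffic to the existing policy; only
        # traffic entering or leaving the fax VLAN is restricted.
        type filter hook forward priority 0; policy accept;
        iifname "eth0.30" jump from_fax
        oifname "eth0.30" jump to_fax
    }

    # Connections the fax device itself tries to open.
    chain from_fax {
        # Replies to sessions a workstation started (e.g. print jobs).
        ct state established,related accept
        # Received faxes may be handed to the mail relay, nothing else.
        ip daddr 10.0.20.25 tcp dport 587 accept
        # Any other outbound attempt is unexpected for a fax device:
        # log it for the security team, then drop it.
        log prefix "fax-vlan-out-drop " counter drop
    }

    # Connections opened towards the fax device.
    chain to_fax {
        ct state established,related accept
        # Staff may submit print jobs (IPP and raw printing ports).
        iifname "eth0.10" tcp dport { 631, 9100 } accept
        counter drop
    }
}
```

With rules like these, a device compromised over the telephone line cannot open new connections to workstations or servers, and each blocked attempt leaves a log entry that can be alerted on.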
Another form of protection worth considering is endpoint security: software for remote devices within corporate networks. In addition to laptops, mobiles and other devices, this can ensure fax machines are individually protected with antivirus, antispyware, firewall and a host intrusion prevention system (HIPS), which isolates intrusions and infections to the individual device.
Check Point’s research led to HP releasing patches, which were rolled out automatically to all of its affected machines. This demonstrates how essential regular updates are for all types of machines within the organisation, as they allow technology manufacturers to address security breaches and protect the network as quickly as possible.
Don’t get complacent
With hand-signed documents considered the only official form of legal evidence in some cases, fax machines are unlikely to become obsolete for a while. While this technology may seem outdated to many, risk managers should be talking to their IT colleagues about the risks associated with all the organisation’s technology and the steps being taken to mitigate them.
The Institute of Risk Management (IRM) is the world’s leading enterprise-wide risk education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. IRM passionately believes in the importance of risk management and that investment in education and continuing professional development leads to more effective risk management.
We provide qualifications, short courses and events at a range of levels from introductory to expert. IRM supports risk professionals by providing the skills and tools needed to put theory into practice in order to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally, with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries.
As a not-for-profit organisation, IRM reinvests any surplus from its activities in the development of international qualifications, membership, short courses and events.