LAS VEGAS — Your fax machine may not be as safe to use as you think — especially if it’s part of an all-in-one printer/scanner with Wi-Fi, USB and Bluetooth access.
The HP OfficeJet 4650, one of the affected models. Credit: HP
That’s what two Israeli security researchers revealed Sunday (Aug. 12) at the DEF CON 26 hacker conference here. Eyad Itkin and Yanav Balmas, both of whom work at Check Point, demonstrated how an HP OfficeJet Pro could be remotely hacked through the its telephone line by literally sending the machine a malicious fax document. They then used the hacked printer to take over a connected PC.
“This attack works on any recent HP OfficeJet printer,” Balmas said, which might be only a slight exaggeration. A security bulletin issued by HP earlier this month lists some 150 printer models, not just OfficeJets, that are affected by this flaw and need to have their firmware updated.
The other option, Balmas said, would be to simply stop sending and receiving faxes — a tall order when many legal and government actions depend on faxed forms.
Why All-in-One Printers are Vulnerable
Fax-machine technology hasn’t changed substantially since 1985, Itkin and Balmas explained. It was designed with no security in mind, even though faxes move and handle a substantial amount of data. Thirty years later, faxes are still used by ships at sea, by lawyers and bureaucrats, and by the occasional homeowner. Most businesses in North America have a fax number, and you can even fax the White House.
Yet this 1980s technology is bundled into millions of office and home all-in-one printers that also have USB, Wi-Fi and often Ethernet and Bluetooth connections.
Those more modern forms of electronic communication have security measures built in. But what if you could attack an all-in-one unit over the phone line? Iktin and Balmas showed that you can.
The researchers bought an HP OfficeJet Pro 6830 because it was cheap, but they had a hard time learning how its software operated internally until they found an online repository of firmware for almost every device HP has ever made.
MORE: Best All-in-One Printers
Even then, they had a hard time decompiling the binary file, or turning the machine code into something human-readable. It turned out the HP all-in-one firmware used a rare compression format used by Softdisk, a Louisiana company that among other things published some of the Commander Keen series of PC games in the early 1990s.
Once they’d figured that out, Balmas and Itkin had a stroke of luck: In July 2017, news broke of a remote-code-execution vulnerability in the SOAP protocol, a communication used by many web applications. The flaw was labeled “Devil’s Ivy” and involved a buffer overflow, in which memory allocated to a specific process overflows its boundaries and bleeds into other processes, letting the controller of the overflowing process control the others.
Among other things, the researchers’ HP all-in-one printer used SOAP.
Using that flaw, the researchers were able to send a malicious fax that created a buffer overflow in a SOAP operation. The catch was that it required 2GB of data, which took about seven minutes of continuous transmission over the telephone lines.
Then Balmas and Itkin discovered that faxes don’t just come in black and white. They can be in color as well. A standard black-and-white fax is actually a TIFF image file, but a color fax is a JPEG, the most common type of image file used online and one that is well understood.
JPEG files are compressed images, and each file contains a compression table buried in its code that tells the receiving software exactly how to decompress the data and render a full image. Balmas and Itkin found they could manipulate the data in a JPEG’s compression table to create another buffer overflow in the receiving fax machine’s memory, letting them seize control of the machine.
Such a malicious fax wouldn’t noticeably be longer to transmit than a regular fax, but it would let a malicious attack completely take over an all-in-one device in a home or office network. From there, the hacked machine could reach out and try to infect other machines on the network.
Itkin and Balmas did just that onstage at DEF CON, sending a malicious fax to their HP OfficeJet Pro and taking it over. Their malware contained the EternalBlue Windows network exploit stolen by Russian hackers from the NSA (and later used in the WannaCry ransomware outbreak in May 2017).
When they connected a laptop to the hacked printer, the printer infected the PC and made the calculator tool pop up on screen. (“Popping the calculator” is a time-honored indicator of compromise in proof-of-concept hacks.)
How to Protect Yourself
The researchers told HP of their attack several months ago, and Itkin even flew to the HP research campus in Vancouver, Washington, to demonstrate it. As mentioned above, a patch was issued in early August, so if you have an HP printer, make sure to check the page to see if your model is included,.
If so, find the support page for your specific model — this is the support page for the OfficeJet Pro 6830 — and follow the instructions to update the firmware.
In general, Balmas said, the fax line is an unsecured avenue of attack into millions of offices and homes. He suggested that you disconnect the fax line when not sending or expecting a fax, although that’s going to be tough for governmental and legal offices that require receiving certain types of documents as either printed or faxed.
It’s not likely that faxes will go away any time soon, as least not in the United States. Until then, you’ll have to be wary of who’s on the other end of the line.
Balmas and Itkin’s presentation slides are available on the DEF CON website.