Malicious faxes leave firms 'open' to cyber-attack
He added that there were historical and legal reasons why the ageing technology was still so prevalent.

"Fax is still considered as visual evidence in court but an email is not," he said. "That's why some government agencies require you to send a fax."

England's NHS is known to be a big user of fax machines. About 9,000 of them were recently found to still be in use in the service.

Gaining control of the machine that handles faxes, copying and printing can give attackers a foothold on a vulnerable network. They could then use this access to explore and attack the larger organisation, said Mr Balmas.

The weakness emerges in the protocols that define the way the data making up fax messages should be prepared.

"The protocols we use for fax were standardised in the 1980s and have not been changed since," Mr Balmas said.

Image caption: Doctors are using old-fashioned fax machines to communicate

This weakness let the pair craft an image that harboured a malicious payload. For their test case, the payload used was a software exploit known as Eternal Blue, which was behind the massive WannaCry attack last year.

The fax protocols were poorly worded, which had led to them being interpreted in different ways by different manufacturers, said Mr Balmas. And this had contributed to the vulnerabilities in the fax system.

In particular, the researchers found problems with the way the protocols were used in some multi-purpose printers made by HP that are widely used in the business world.

HP has now issued a patch for its printers, which will close the loopholes found by the pair.

But, said Mr Balmas, because fax numbers were very widely shared, they could be an easy-to-find attack route for malicious hackers who targeted different machines.

So far, there is no evidence that malicious hackers are using the booby-trapped images to penetrate otherwise well defended networks.