By Corey Moss
Part 1 is here.
When discussing advanced technologies of convenience, such as mini laptops, tablets and touchpanels, let’s actually consider a true average everyday office device – the old reliable HP OfficeJet All-In-One printer. Knowing that fax-machine technology hasn’t changed much in ages (except for shinier new all-in-ones that can do everything but get your coffee), no problems there – right?
Well, if you’ve been following the news from last week’s DEF CON 26 security conference, this was one of the big stories, and it certainly made waves. The Spiceworks article “Fax protocol hacked, used to spread malware to PCs via EternalBlue exploit” cites a recent Spiceworks poll in which 89 percent of IT pros said their organization still uses some form of fax (fax machine, fax server, fax service).
At DEF CON 26, a T.30 fax protocol vulnerability was revealed – providing the ability to connect to other devices on the network and spread malware through the EternalBlue exploit (developed by the NSA), which was used as part of the worldwide WannaCry ransomware attack on May 12, 2017.
And for those who recall WannaCry, the panic that ensued over those few days was almost immeasurable.
Two Israeli security researchers, Eyal Itkin and Yaniv Balmas (both of whom work for Check Point Software Technologies), demonstrated how an HP OfficeJet Pro could be remotely hacked through the telephone line by sending the machine a malicious fax document. They then used the hacked printer to take over a connected PC.
From the Spiceworks article: In the video below, security researchers from Check Point demonstrate how they’re able to use “nothing more than a phone line” to deploy a malicious script to connect to and take control of an all-in-one printer / fax machine by taking advantage of loopholes in the T.30 fax protocol.
More reference to DEF CON 26 – this is an offensive security researcher, who works for HP Enterprise Security.
His presentation at DEF CON 26, intertwined with a Wired article which reveals that your everyday devices aren’t the only potential hacker targets in your life, also points to how major enterprises are easy marks for hackers – through numerous such devices that access the network and the internet. Security is discussed in terms of being paramount of course, fingers are pointed (of course) – in what was explained as no more than a “hypothetical scenario.”
Yet, the fax exploit (Faxploit) is not only real, it’s truly alarming.
Devices on the network, devices connected to the internet. In our work and personal lives, many of us are on a device of some sort from when we wake up in the morning through the evening. Those who are the least bit surprised that hacking is a possibility at any given time need to remember that if you have a computer that connects to the internet, you’ve likely been hacked. It’s happened to me a number of times, and I consider myself to be pretty careful.
In 2011, Juniper Networks sponsored a survey and published a report, “Ponemon Institute Survey Finds 90 Percent of Businesses Fell Victim to Cyber Security Breach at Least Once in the Past 12 Months,” which found the threat from cyber attacks nearing statistical certainty, with businesses of every type and size being vulnerable to attacks.
The report states:
Organizations today are experiencing multiple breaches with more than half (59 percent) of respondents citing two or more breaches in the past 12 months. Overall, companies indicate that security breaches have cost them at least half a million dollars to address in terms of cash outlays, business disruption, revenue losses, internal labor, overhead and other expenses. Most respondents (59 percent) report that the most severe consequence of any breach was the theft of information assets followed by business disruption.
This was 2011. The Ponemon Institute 2018 Cybersecurity Report states:
While the costs of data breaches are expected to vary depending on factors such as the nature of data lost, the size and nature of the organization whose data has been compromised, and the severity or extent of the attack, Ponemon Institute reports that the global average total cost of a data breach exceeds a whopping $3.8 million.
This represents a 6.4 percent increase from last year’s $3.62 million. What does this mean? The cost of a single data breach is on the rise even as technology continues to present businesses with better, more advanced ways to protect their records both online and offline.
The connected devices you think about the least are sometimes the most insecure? Those that you think of the most ARE insecure.
It’s stated that a major percentage of the enterprise has been hacked, and the others just don’t know it yet. Enterprise, government and education have to understand the need for implementing proper solutions, strategy, preparedness and awareness.
Yet, it’s still nearly inevitable…
Note: The Wired article referencing Ricky (HeadlessZeke) Lawshae’s discovery has been referenced by others – it can be found in numerous places on the web. Here is an access control system vulnerability discovered by Lawshae in March 2016, and in May Trend Micro posted this threat update.
In the update, Trend Micro stated there was no awareness of any attacks against these systems. Trend Micro recommended that anyone using the HID VertX and/or Edge systems who had not deployed the update for this vulnerability should do so right away.
Also read Check Point Software Technologies’ “Faxploit: New Check Point Research Reveals How Criminals Can Target Company & Private Fax Machines to Take Over Networks and Spread Malware.”
With over 20 years in audio visual integration and IT/computer sales and consulting, Corey Moss is the owner of Convergent AV. Corey writes for the publication and hosts/produces podcasts – The AV Life, Convergent Tech Talk and Convergent Week. He has written for numerous industry publications about AV, IT, unified communications and collaboration (UCC), cloud and software, IoT, cybersecurity and more. He has also conducted interviews with AV and IT executives and global influencers. Find him talking about a whole lot of things, tech and otherwise. On LinkedIn https://www.linkedin.com/in/mosscorey/.