Even if an office's fax machine hasn't been used since the late '90s, it can still be a gateway for malicious activity. Researchers found flaws in HP Officejet Pro All-in-One fax printer range similar to a stack-based buffer overflow and "Devil's Ivy," which allows hackers to remotely execute code, according to experts from Check Point Research, which unveiled the results at DEF CON. Hackers can gain full control of the fax and possibly an organization's network.
The flaws are applicable to all printers, not just all-in-one printers. It is likely other fax implementation, including fax-to-mail and standalone fax machines, have similar flaws. The vulnerabilities could grant hackers to access an "internal network, steal printed documents, mine Bitcoin or practically anything," according to the research.
While the exploits haven't "been seen in the wild" just yet, industries in banking and real estate, which require fast signatures, are at the most risk. Check Point and HP partnered up to address the vulnerability and released a patch.
When it comes to cybersecurity, organizations often forget to protect hardware like printers and fax machines. Older technologies are not seen as part of the threat landscape, but that's exactly what hackers are banking on.
While unplugging a printer or fax machine from its power supply can stop an intrusion, it's not a fix that many companies opt for. Two suggestions can make a big difference: Ensure patches are updated and require security teams to inspect every IoT device.
The findings come shortly after HP's bug bounty program. The company partnered with Bugcrowd to develop an exclusively printer-only bug bounty program.
The program is by invite only for researchers but was developed partially in response to a 21% uptick in printer-related vulnerabilities. Bug bounty programs are increasing their presence and participants have a chance of receiving an average award of $200,000.