CyberWire Daily - Faxploitation. [Research Saturday]
Episode Date: October 27, 2018
Researchers at security firm Check Point Software Technologies explored the possibility of exploiting old, complex fax protocols to gain access to modern multifunction office printers, and then pivot to connected networks. Yaniv Balmas is head of security research at Check Point, and he joins us to share what he and his colleague Eyal Itkin discovered. The research can be found here: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Faxes are, in a lot of places in the world, legitimate evidence in court. They are considered legitimate, while emails are not.
That's Yaniv Balmas. He's head of security research at Check Point Software Technologies. The research we're discussing today is titled Faxploit, Sending Fax Back to the Dark Ages.
This is why a lot of government offices and hospitals, medical,
they really promote fax as a secure way of communication.
This is a big misconception.
And it was clear to us that this is a misconception because basically this protocol has been around since ever.
It wasn't really changed in the past 30 years or so.
We're still using the same things.
And in those days, nobody thought about security. This really smelled to us like a vulnerability waiting to happen. And we thought there was a lot of potential here and we accepted the challenge.
Yeah. So can you take us through a little bit of the history of fax machines? I mean, I remember early on when they first came out thinking it was this miraculous thing that basically you could send a photocopy over a phone line. What was the underlying technology there?
So basically, I'm not a big historian, but I can tell you that when we read some information about this on the internet, it turns out there's some really interesting facts about it. For example, the fax was invented before the telephone, I think around 40 years before the invention of the telephone and even before the invention of the light bulb. But it evolved a lot throughout the years. It had a few standards to it. But then in the 1980s, which is kind of roughly when fax became really popular, an organization called ITU-T designed the protocols that we still use today. It's the same protocols. The main protocol is called T.30. And we used it in 1980 and we still use the very same protocol today with very slight extensions and enhancements to it.
And so within that protocol, what are we talking about here?
Is there any sort of secure encryption or compression?
What's going on?
Well, the protocol defines electronic document delivery over telephone lines.
And that's basically what it does.
Absolutely nothing else in terms of security, you know, because basically in 1980s, who
thought about security?
There is absolutely no security elements inside this protocol's design.
No passwords, no encryption, no authenticity, nothing at all.
Now, in your presentation at DEF CON, you sort of walked through your attempts to infiltrate
a fax machine and get onto someone's network using that as your point of entry. Walk us
through, what did you do?
Yeah, that's actually the interesting idea here. You know, today fax machines are no
longer these standalone fax machines that we used to have in the 1980s.
The protocol didn't change.
What did change is the way that we use fax.
Today, fax is, I would say, kind of wrapped around newer technologies.
So, for example, I think the most common usage of fax today is in all-in-one printers. Those printers that you get from whatever vendor, and, you know, they basically have a lot of functionalities, and fax. So the thing is that those printers are connected on one hand to the phone line in order to support fax, and then on the other hand it's connected to the internal network, you know, through internet, USB, Wi-Fi or whatever. But this basically creates a bridge between the phone line and the internal network. So that's the interesting scenario that we imagined to ourselves, is that an attacker would be able to send a malicious fax through the phone line, take over the printer, and then once he has the printer he can just propagate to the internal network using any of the interfaces. And that's effectively bridging the internal network with the external network just using the telephone line.
All right, well, let's explore that.
I mean, when you say a malicious fax, what are we talking about?
It took us a lot of time to understand that.
But basically, a fax is nothing but kind of a picture format that's being sent over the telephone line.
Usually it's TIFF format, that's for black and white faxes, the normal faxes. But it turns out that the protocol has a lot of extensions to it. And one of those extensions includes a colorful fax extension. For some reason, people need to use this. Not sure why. And then this format allows you to send a JPEG instead of a TIFF file. And the specific vulnerabilities that we found actually exist right there in the JPEG parsing functionality. So the fax is received, the JPEG is received by the printer. And once the printer comes to parse the JPEG file, that's where the vulnerability lies. And that's how we managed to exploit the printer.
So what is the vulnerability in the JPEG parsing?
At the end of the day, the vulnerability itself is pretty easy. It's just a stack-based overflow in one of the JPEG headers, and that's it. The nice thing is that since this is a printer, it has absolutely no protections. If you compare this to a modern computer, you know, which has a lot of protections around these kinds of things, a printer basically has nothing. So once you've been able to overflow the stack, it's basically game over.
So, I mean, walk us through this. So what you would be able to do is dial up this fax machine and send a JPEG image that you had modified to overflow the stack. So take a step-by-step. What happens then?
Yeah, that's basically what you described is basically what happens. An attacker wants to attack some target.
He looks up their fax number,
and then he just sends this malicious JPEG file over fax.
It's just a script sending a fax.
Then he's basically in control of the printer
because the stack is overflowed.
And from that point on,
basically everything is possible.
We did a demo on stage
and also we have a demo for this thing on YouTube
showing what we can do after we took over the printer.
And basically what we decided to do is to put EternalBlue, the leaked NSA exploit used in WannaCry and so on. So we've put that exact exploit inside our fax. So once the printer got exploited, it then started looking for any connected devices on Ethernet. And once the device is located, it just tries to exploit it using EternalBlue. And if the connected device is not patched, we will be able to run code on this device as well.
Now, help me understand. I guess the part I'm having trouble with is the code is sent within the JPEG.
So I understand that part of it.
Now, are you all maintaining a connection over the phone line with the compromised device and able to send additional commands there,
or is everything wrapped up in that initial JPEG that you send?
Yeah, theoretically, it is possible to do a bidirectional connection over the phone line, but we didn't do that. We just wanted to show that we can exploit fax. So our specific exploit is unidirectional. So once we send the fax, that's it. We have no more connection. The exploit occurs. Then, of course, if the printer or if the exploited machine that was connected to the network is connected to the internet, we're able to maintain a channel over the internet, but not over the telephone line.
Now, is this problem with parsing the JPEGs, is this something fundamental to the protocol?
Is this something that would be built into every fax machine, or was this specific to
the brand and model that you were attacking?
Okay, so the specific vulnerabilities we found are specific to the vendor that we looked at. The protocol itself, T.30, as far as we can see, doesn't really have any design issues with it, security design issues.
The thing is that the protocol itself was written in 1980,
and it looks that way.
I mean, it's really complicated.
It's complex.
It's a big spaghetti code of protocol,
and that makes implementation really hard.
And whoever is trying to implement it will probably misunderstand something here and there, and that's a point.
That's how bugs occur, and that's how vulnerabilities come to be.
So the protocol itself is not vulnerable.
The implementation is.
And specifically, the vulnerabilities that we found are in the vendor that we looked at. We can't say if the same vulnerabilities or similar vulnerabilities exist in other vendors.
But just because we didn't look at other vendors, I'm guessing that if somebody will look at other vendors, there's a pretty high chance, I would guess, that he can find similar stuff in there as well.
Now, did you notify the vendor?
Was there any response from them?
Yeah, absolutely.
So Check Point Research, we only do responsible disclosure. And once we found out that this thing is possible, we immediately contacted the vendor.
And they were very responsive.
We worked really closely with them and helped them to create
patches for this. And our publication came only after a patch was available. So anybody can
check if his printer is vulnerable and download and install the patches.
I can imagine this is the sort of thing I think with these sorts of devices,
you kind of think it's out of sight, out of mind. It's functioning properly.
It's doing the things you want it to do every day, sitting there on a desk in the corner.
And it might be the kind of thing where you're not actively going out and looking for patches for a device like this,
particularly if it's one that's been sitting there for a few years.
Unfortunately, I think you're right.
How long ago did you update your printer?
Yeah, that's really a thing.
But we checked this with the vendor
and they say that most of their printers
come shipped with auto updates in them.
So you don't really have to do anything
just to connect your printer to the internet
and it will be automatically updated.
Now, how many printers has this feature enabled?
I don't know.
And I guess it could be a good advice
for people to take a look at those
devices from time to time, especially if there's something, you know, really big going around and
a new vulnerability was found, it might be worth updating them. Yeah, well, I mean, let's talk
about that. What is your advice when it comes to these sorts of things? I mean, should these
multifunction machines, these dedicated fax machines, should they be somehow segmented from the rest of your network?
My first advice and maybe best advice would be to stop using fax.
I don't know why we still need to use fax.
It's 2018.
But, you know, if you can't do that,
then yeah, maybe the segmentation idea that you brought up is a good idea.
You see, you can't possibly know how many vulnerabilities are there
and if there's any new vulnerabilities, if there's any undisclosed vulnerabilities that may affect
your printers or any other devices. So the best idea would be to maybe segment them from the rest
of your network so that even if somebody is able to take over those devices, at least they won't
be able to propagate and touch your really sensitive computers that are located in the internal network.
It's not a perfect solution, but I think it's a good one and the best one
I can actually offer.
It's interesting, these legacy machines
sitting around, like I say, out of sight, out of mind.
It's hard to know what's going on with them.
I mean, I suppose part of it too,
if you're an organization,
it's in your best interest to take inventory of these devices and perhaps be on some kind of a regular update cycle,
whether it's still working or not,
just so that you can get more up-to-date hardware and software in there.
Absolutely. I absolutely agree.
And I think in many organizations,
this is out of scope for the day-to-day maintenance work
for the IT department, and it should be.
Our thanks to Yaniv Balmas from Check Point for joining us. The research is titled Faxploit, Breaking the Unthinkable. We'll have a link in the show notes. You can also find it on the Check Point website. The research was co-authored by Check Point's Eyal Itkin.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.