That all-in-one printer/fax machine sitting in the corner looks innocent enough, but it poses a subversive threat. This standard office appliance could be the weak link that gives bad actors access to an organization’s entire network. As recently reported by Tom’s Guide, security researchers at the DEF CON 26 hacker conference demonstrated how a seemingly harmless HP OfficeJet Pro could be hacked remotely through its phone line simply by sending the machine a malicious fax document. Following this initial demonstration, they used the hacked printer to take over a PC that was connected to the device.
Cause For Concern
Although the DEF CON demonstration may seem to be an exaggerated threat, there is certainly cause for concern, and it’s worth taking notice. HP followed up after the conference by issuing a security bulletin that named approximately 150 printer models that were found to have this same flaw and were in need of a firmware update. Aside from being vigilant with firmware updates for all on-site printer/fax machines, organizations could opt to stop sending and receiving faxes, but this hardly seems like a practical solution. Particularly in the government sector, several agencies still rely heavily on fax transmission.
It’s worth noting that fax machine technology really hasn’t changed much since these devices were developed in the mid-1980s. Now consider the sheer amount of data that they transport, from important governmental information to legal documents. Add to that the fact that most US businesses have on-site printer/fax machines, and the threat grows. Additionally, most of these devices now come complete with Bluetooth wireless technology, Wi-Fi, USB ports, and even Ethernet connections, making them vulnerable to attacks similar to the one demonstrated at the DEF CON conference.
Secure Your Enterprise Network
To prevent bad actors from exploiting vulnerabilities inherent in printer/fax devices (or any IP-enabled device in your organization), we recommend shutting down threats before they begin. GoSilent is an enterprise-grade firewall and VPN, delivered in a self-contained device that is smaller than a deck of cards. It has plug-and-play functionality for any IP-enabled device, such as an all-in-one printer, and can be set up in minutes by even the most non-technical user. GoSilent works by establishing a connection to the enterprise server and creating a totally secure “IPSec tunnel” within the enterprise firewall. Once the IPSec tunnel is created, faxes may be sent or received safely behind the corporate firewall. GoSilent’s technology can be deployed on-premises or from the cloud. Learn more about Attila Security’s products and services.