Researchers at security firm Check Point Software Technologies explored the possibility of exploiting old, complex fax protocols to gain access to modern multifunction office printers, and then pivot to connected networks.
Yaniv Balmas is head of security research at Check Point, and he joins us to share what he and his colleague Eyal Itkin discovered.
The research can be found here:
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Yaniv Balmas: [00:01:42] Faxes are, in a lot of places in the world, are legitimate evidence in court, considered legitimate, while emails are not.
Dave Bittner: [00:01:49] That's Yaniv Balmas. He's head of security research at Check Point Software Technologies. The research we're discussing today is titled "Faxploit: Sending Fax Back to the Dark Ages."
Yaniv Balmas: [00:02:01] This is why a lot of government offices and, you know, hospitals, medical, they really promote fax as a secure way of communication. This is a big misconception, and it was clear to us that this is a misconception because, basically, this protocol has been around since ever. Like, it wasn't really changed in the past thirty years or so. We're still using the same things, and in those days, nobody thought about security. This really smelled to us like, you know, a vulnerability waiting to happen. And we thought there was a lot of potential here, and we accepted the challenge.
Dave Bittner: [00:02:35] Yeah, so can you take us through a little bit of the history of fax machines? I mean, I remember, you know, early on when they first came out, thinking it was this miraculous thing that basically you could send a photocopy over a phone line. What was the underlying technology there?
Yaniv Balmas: [00:02:50] So basically, I'm not a big historian, but I can tell you that when we read some information about this in the Internet, it does have - there's some really interesting facts about it. For example, the fax was invented before the telephone - I think around forty years before the invention of the telephone - and even before the invention of the light bulb.
Yaniv Balmas: [00:03:06] But it evolved a lot throughout the years - it had a few standards to it. But then, in the 1980s, which is kind of roughly when fax became really popular, came an organization called ITU-T designed the protocols that we still use today. It's the same protocols. The main protocol is called T.30, and we used it in 1980 and we still use the very same protocol today, with very slight extensions and enhancements to it.
Dave Bittner: [00:03:33] And so within that protocol, what are we talking about here? Is there any any sort of secure encryption or compression? What's going on?
Yaniv Balmas: [00:03:41] Well, the protocol defines electronic document delivery over telephone lines, and that's basically what it does. Absolutely nothing else in terms of security. You know, because basically, in the 1980s, who thought about security? There is absolutely no security elements inside this protocol's design. No passwords, no encryption, no authenticity, nothing at all.
Dave Bittner: [00:04:02] Now, in your presentation at DEF CON, you sort of walked through your attempts to infiltrate a fax machine and get onto someone's network using that as your point of entry. Walk us through - what did you do?
Yaniv Balmas: [00:04:17] Yeah, that's actually the interesting idea here. You know, today, fax machines are no longer these standalone fax machines that we used to have in the 1980s. The protocol didn't change - what did change is the way that we use fax. Today, fax is - I would say, kind of wrapped around newer technologies. So, for example, I think the most common usage of fax today is in all-in-one printers. Those printers that you get from whatever vendor and, you know, they basically have a lot of functionalities and fax.
Yaniv Balmas: [00:04:46] So, the thing is that those printers are connected on one hand to the phone line in order to support fax, and then on the other hand, it's connected to the internal network, you know, through Ethernet USB, Wi-Fi, or whatever. But this basically creates a bridge between the phone line to the internal network. So that's - the interesting scenario that we merge into ourselves, is that an attacker would be able to send a malicious fax through the phone line, take over the printer, and then once he has a printer, he can just propagate to the internal network using any of the interfaces. And that's effectively bridging the internal network with the external network just using the telephone line.
Dave Bittner: [00:05:29] All right, well, let's explore that. When you say a malicious fax, what are we talking about?
Yaniv Balmas: [00:05:35] It took us a lot of time to understand that, but basically a fax is nothing but kind of a picture format that's being sent over the telephone line. Usually it's TIF format - that's for black-and-white faxes, the normal faxes. But it turns out that the protocol has a lot of extensions to it, and one of those extensions include a colorful fax extension. For some reason people need to use this - not sure why. And then this format allows you to send a JPEG instead of the TIF file, and the specific vulnerabilities that we found actually exist right there in the JPEG parsing functionality. So the fax is received, the JPEG is received to the printer, and once the printer comes to parse the JPEG file, that's where the vulnerability lies and that's how we managed to exploit the printer.
Dave Bittner: [00:06:23] So what is the vulnerability in the JPEG parsing?
Yaniv Balmas: [00:06:26] At the end of the day, the vulnerability itself is pretty easy. It's just a stack-based overflow in one of the JPEG headers, and that's it. The nice thing is that, since this is a printer, it has absolutely no protections. If you compare this to a modern computer, you know, with a lot of protections around these kind of things, a printer basically has nothing. So once you've been able to overflow the stack, it's basically game over.
Dave Bittner: [00:06:51] So, I mean, walk us through this. So, what you would be able to do is dial up this fax machine and send a JPEG image that you had modified to overflow the stack? So take us step-by-step - what happens then?
Yaniv Balmas: [00:07:06] Yeah, that's basically - what you described is basically what happens. An attacker wants to attack some target, he looks up their fax number, and then he just sends this malicious JPEG file over a fax. It's just a script sending a fax. Then he's basically in control of the printer, because the stack is overflowed.
Yaniv Balmas: [00:07:27] And from that point on, basically everything is possible. We did a demo onstage, and also we have a demo for this thing on YouTube, showing what we can do after we took over the printer. And basically what we decided to do is, to put EternalBlue - the leaked NSA exploits used in WannaCry and so on - so we put that exact exploit inside our fax. So once the printer got exploited, it then started looking for any connected devices on Ethernet. And once a device is located, it just tries to exploit it using EternalBlue. And if your - if the connected device is not patched, we will be able to run code on this device as well.
Dave Bittner: [00:08:11] Now, but help me understand - I guess the part I'm having trouble with is - the code is sent within the JPEG, so I understand that part of it. Now, are you all maintaining a connection over the phone line with the compromised device and able to send additional commands there, or is everything wrapped up in that initial JPEG that you send?
Yaniv Balmas: [00:08:30] Yeah, theoretically, it is possible to do a bidirectional connection over the phone line, but we didn't do that. We just wanted to show that we can exploit fax. So our specific exploit is unidirectional. So once we send a fax, that's it. We have no no more connection. The exploit's secure. Then, of course, if the printer, or if the exploited machine that was connected to the network, is connected to the Internet we were able to maintain a channel over the Internet, but not over the telephone line.
Dave Bittner: [00:09:01] Now, is this problem with parsing the JPEGs - is this something fundamental to the protocol? Is this something that would be built into every fax machine, or was this specific to the brand and model that you were attacking?
Yaniv Balmas: [00:09:14] Okay, so the specific vulnerabilities we found are specific for the vendor that we looked at. The protocol itself, T.30 , as far as we can see, doesn't really have any design issues with it - security design issues. The thing is that the protocol itself was written in 1980, and it looks that way. I mean, it's really complicated, it's complex, it's a big spaghetti code of protocol, and that makes implementation really hard, and whoever is trying to implement it will probably misunderstand something here and there, and that's a point - that's how bugs appear and that's how vulnerabilities come to be.
Yaniv Balmas: [00:09:51] So the protocol itself is not vulnerable, the implementation is. And specifically the vulnerabilities that we found are in the vendor that we looked at. We can't say if the same vulnerabilities or similar vulnerabilities exist in other vendors, but just because we didn't look at the other vendors. I'm guessing that if somebody will look at other vendors, there's a pretty high chance, I would guess, that they can find similar stuff in there as well.
Dave Bittner: [00:10:22] Now, did you notify the vendor? Was there any response from them?
Yaniv Balmas: [00:10:26] Yeah, absolutely. So Check Point Research - we only do responsible disclosures, and once we found out that this thing is possible we immediately contacted the vendor and they were very responsive. We worked really closely with them and helped them to create patches for this, and our publication came only after a patch was available, so anybody can check if his printer is vulnerable, and download and install the purchase.
Dave Bittner: [00:10:54] I can imagine this is the sort of thing, I think, with these sorts of devices, you kind of think - it's out of sight, out of mind. It's functioning properly, it's doing the things you want it to do every day, sitting there on a desk in the corner. And it might be the kind of thing where you're not actively going out and looking for patches for a device like this, particularly if it's one that's been sitting there for a few years.
Yaniv Balmas: [00:11:15] Unfortunately, I think you're right. How long ago did you update your printer?
Dave Bittner: [00:11:18] (Laughs)
Yaniv Balmas: [00:11:20] Yeah, that's really a thing. But we checked this with the vendor, and they say that most of their printers come shipped with auto-updates in them. So you don't really have to do anything, just to connect your printer to the Internet and it will be automatically updated. Now, how many printers have this feature enabled? I don't know. And I guess it could be good advice for people to take a look at those devices from time to time, especially if there is something, you know, really big going around and a new vulnerability was found, it might be worth updating them.
Dave Bittner: [00:11:52] Yeah, well, I mean, let's talk about that. What is your advice when it comes to these sorts of things? I mean, should these multifunction machines, these dedicated fax machines - should they be somehow segmented from the rest of your network?
Yaniv Balmas: [00:12:04] My first advice, and maybe best advice, would be to stop using fax.
Dave Bittner: [00:12:07] (Laughs).
Yaniv Balmas: [00:12:07] I don't know why we still need to use fax - it's 2018. But, you know, if you can't do that then, yeah, maybe the segmentation idea that you brought up is a good idea. You see, you can't possibly know how many vulnerabilities are out there and if there is any new vulnerabilities, if there's any undisclosed vulnerabilities that may affect your printers or any other devices.
Yaniv Balmas: [00:12:30] So the best idea would be to maybe segment them from the rest of your network, so that even if somebody is able to take over those devices, at least they won't be able to propagate and touch your really sensitive computers that are located in the internal network. It's not a perfect solution, but I think it's a good one, and the best one I can actually offer.
Dave Bittner: [00:12:50] Yeah. Now, it's interesting - these legacy machines, you know, sitting around, like I said, out of sight, out of mind, and it's hard to know what's going on with them. I mean, I suppose part of it too would be, if you're an organization, it's in your best interest to take inventory of these devices and perhaps be on some kind of a regular update cycle, whether it's still working or not, just so that you can get more up-to-date hardware and software in there.
Yaniv Balmas: [00:13:19] Absolutely. I absolutely agree. And I think in many organizations this is out of scope for the day-to-day maintenance work for the IT department, and it should be.
Dave Bittner: [00:13:32] Our thanks to Yaniv Balmas from Check Point for joining us. The research is titled "Faxploit: Breaking the Unthinkable." We'll have a link in the show notes. You can also find it on the Check Point website. The research was coauthored by Check Point's Eyal Itkin.
Dave Bittner: [00:13:48] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:13:56] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:14:05] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
The Hewlett Foundation makes grants to proactively define, research and manage the burgeoning intersections between people and digital technologies. The Cyber Initiative seeks to cultivate a field that develops thoughtful, multidisciplinary solutions to complex cyber challenges and catalyzes better policy outcomes for the benefit of society. Learn more at hewlett.org/cyber.
Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.