Just a few weeks ago, two security researchers working for Check Point, an Israeli provider of security products revealed what they called a massive flaw in the security of HP fax machines, particularly all-in-one printer/scanners with Wi-Fi, USB and Bluetooth access. The flaw was unveiled at the DEF CON 26 hacker convention, and it has created waves throughout the industry ever since.
Addressing the Elephant in the Room
Security flaws in any technology are something that need to be addressed, but they should not be blown up to a be a larger problem than they appear to be, and there are a few things that people should keep in mind:
#1: This Was Not a Hack, Per se.
The word hack gets thrown around very easily. Based on the technical definition of the word, “to gain unauthorized access to data in a system,” this was a hack. But it was not done by breaking through the security of the HP system. Instead, the security team at Check Point sent a malicious fax to the machine, similar to an email phishing scam. The hack occurred within the post processing of a JPEG file on the HP device.
#2: This Was a Flaw in HP Printer, Not the Fax Software
The flaw itself was on the hardware used, not the fax software. It was in no way related to the actual fax communication or the T.30 protocol. The fact remains that enterprise fax software is still a very secure way to send and receive sensitive information.
#3: HP Patched the Problem Almost Immediately
HP quickly released a security bulletin before major outlets broke news of the issue. A patch has already been released and, once installed, completely eliminates the vulnerability.
#4: It Appears HP Actually Asked for Something Like This to Happen
The issue with HP devices was not something so glaring that security teams decided to point it out. Just weeks before the issue was unveiled, HP released a bounty program that called for security teams to try help bolster their security. The reward was up to $10,000.
#5: Attacks Happen Far More Frequently via Email
There’s a reason why enterprises, governments and healthcare organizations still primarily use fax to transmit sensitive information: it’s still far safer than standard emails. Just last year, every single Yahoo account was hacked, and more email hacks and phishing scams took place than anyone can count, yet nearly every person in the country has one (or more) email addresses to their names, businesses, etc.
The Bottom Line
Security for all technology is evolving, and malicious people will always try to gain access to data, but faxing is still the most secure method of data transfer, by far.