Does anyone even fax anymore? And if they do, aren't they using digital variations like eFax and SmartFax? Or maybe you're still using an all-in-one printer (like my OfficeJet 4650: Print - Fax - Scan - Copy - Web)? If yours is anything like mine, the fax function is still built in at the factory, and it is this "sweet spot", your printer's unused fax function, that attackers are targeting.
Even with the current IoT boom, printers are often an afterthought, if thought of at all, when it comes to cyber security. And even though some manufacturers build security features into their products, those features aren't always automatically activated for functions that aren't used very often, i.e., the fax function. This leaves the entire system, and any connections, vulnerable to attacks.
So how is the forgotten fax function targeted? Despite the continued decline in the use of the fax machine, there are still millions of fax numbers in use. To attack a machine, all a bad actor needs to do is send a malware-coded image to a given target. The target then decodes the image and uploads it to the memory of the all-in-one printer/host. This ultimately can (and will) result in malware being dumped into the network.
Hackers are always trying to find new ways to get into hospital networks and cause nearly $13 million in damages for every breach. With the widespread adoption of electronic health records (EHRs), more and more patient information is at risk and it is the responsibility of the CISO to protect these records. Unfortunately, many CISOs are currently unaware of a massive security risk to their network.
- Jim LaRoe, CEO of Symphion
So what can you do? The most important thing is being proactive. Apply software updates and implement security measures that control the use of your organization's faxes/printers. If your organization is one of the few that still regularly uses a fax machine, make sure the fax machines and printers are on different network segments and, as with any device connected to the internet, secure your ports. Beyond that, you need to educate and test your employees on cybersecurity best practices, and that needs to include the fax.