> Security researchers have long bemoaned the use of fax machines, as the antiquated devices pose real privacy issues when it comes to transmitting patient data. Considering that an estimated 75 percent of all healthcare communications are still processed by fax, the security threat is real.
The article claims that the flaw is in the fax protocol itself. But it also claims that it's a buffer overflow leading to RCE, which would be an implementation flaw, not a protocol flaw.
In the talk linked by c7h elsewhere in this comment section, a buffer-overflow exploit was found in the JPG library that allowed remote code execution. Since some fax machines support JPGs for transmitting color faxes, those fax machines were vulnerable.
Aha, .jpg. Been many a system fall foul to buffer overflows in attachments. Blackberry had one system (NT) doing all attachment processing and that fell foul of .jpg issues in the same vein.
Thing is, once a flaw is found in some library or another, those updates and changes don't always get propagated across to all devices, be they a router, fax machine, scanner, printer, etc. Many of which get deemed - it works, never touched again once set up. That is even presuming that the manufacturer updates and releases new firmware in the first place.
Remember, many bits of kit list what open source libraries etc. they use and versions, yet are often slow or artificially obsoleted via support being dropped. So they end up remaining vulnerable to what will be an exploit. This makes them easy to identify thanks to their open source statement and list of what they use and with that, fall foul to script-kiddie style attacks for want of a better way of phrasing it.
"The researchers used an HP all-in-one printer/fax machine, although the vulnerability is found in the fax protocol itself. Check Point worked with HP to make sure the product received a patch for the vulnerability, but other fax machines may still have the flaw." HP had the issue, which is apparently patched.
In essence you have to disconnect the fax from the network, and the network is safe. The downside is that printing-to-fax doesn't work, and you need another machine for either printing or faxing.
That may work in some contexts. In larger organizations most fax machines have no print/scan components, they are conduits to the document management system and from the EHR. Hopefully (??) those get patched more quickly than all-in-one hardware.