On Sunday, at the annual DEF CON hacker conference, the world was warned about serious flaws that could allow an attacker to infiltrate a victim’s network via a fax machine.
Researchers from Check Point released information about the vulnerabilities they discovered in a wide range of HP multifunction and all-in-one printer devices that include fax capabilities.
The so-called “Faxploit” vulnerabilities had been responsibly disclosed, and HP had already released firmware updates for affected devices prior to Check Point’s public disclosure of the full technical details.
However, HP seems to have made a serious oversight regarding their release of firmware updates.
Of the more than 150 affected models for which HP released firmware updates, approximately one quarter of them do not have a Mac-compatible firmware update installer available to download through HP’s support site. Later in this article is a complete list of devices for which Mac-compatible firmware installation methods are not currently available.
This leaves companies and home users that only use macOS or Linux in a difficult position: unplug your fax line, or remain vulnerable to serious attacks.
Although fax is an antiquated technology by today’s standards, a surprising number of businesses and homes still rely on the technology.
The health care, legal, and real estate industries, and many government entities, continue to use fax machines to transmit facsimilies of sensitive printed documents. Check Point estimates that “hundreds of millions” of fax machines are still in use worldwide.
Check Point said earlier this week that the vulnerability was not known to be exploited in the wild yet. However, now that details have been made available to the public, and given that a plethora of potentially interesting targets openly share their fax numbers with the world, it is rather risky to keep a known-affected fax machine plugged into a landline.
How a Faxploit attack works. Image: Check Point
If you have an affected device, but do not have access to a Windows computer, you may have a few options.
Regarding the safety and efficacy of installing the firmware via a Windows virtual machine (i.e. via software such as VMware Fusion, Parallels Desktop, or Oracle VirtualBox), an HP representative told us, “It is safe to run the Windows compatible firmware update utilities on a Windows-based virtual machine running on Mac OS or OS X. The firmware updaters can find printers over both networked and USB connections.”
For organizations that rely on receiving frequent faxes, leaving the fax machine unplugged may not be an option. You will need to weigh the risks, and consider whether to bring in a technical support consultant with a Windows laptop to install the firmware update for you, or wait and see if HP releases a Mac-compatible firmware update method for your device; otherwise, you may consider replacing your fax machine with a different brand or model that is not (yet) known to be affected by Faxploit or similar vulnerabilities.
Following is a list of HP multifunction devices for which the manufacturer is not currently offering a macOS-compatible firmware update method:
*Although HP lists the Officejet 6220 as an affected device, it doesn’t appear in HP’s software and drivers search results, so even Windows users may not have a way to update its firmware. HP has not responded to a request for clarification about this model.
Shortly before publication time, an HP representative responded to our inquiries stating that it’s safe to install the firmware from a Windows virtual machine running on a Mac. Of course, this requires the purchase and installation of Windows, which is not practical for all Mac users.
As for whether HP will release macOS-compatible firmware updates for the affected devices listed above, the representative only stated that there are “more [Mac firmware updates] to be released,” but did not specify which specific devices would get Mac-compatible updates, or when those updates might become available.
This article will be updated if HP provides further information or clarifications.
