New research suggests they’re a security risk.
This week, a report from the BBC revealed that millions of fax machines are at risk from hackers, who only need to send a booby-trapped image to give them a way into corporate networks. From there, the criminals could easily steal data, install ransomware and cause all manner of damage. But is it time to stop using fax altogether?
There are certainly good reasons to ditch fax, not least the fact that email makes it largely obsolete. Also, in technology terms, it’s practically ancient, having remained essentially unchanged since the 1980s. And that is exactly the problem. The protocols for fax were established decades ago, and they simply don’t match up to modern security threats. Talking to the BBC, Yaniv Balmas, from security firm Check Point, said, “Fax has no security measures built in – absolutely nothing.”
It’s this lack of security that enabled Check Point to gain control of fax machines, simply by sending them an image that contained malicious code. And because fax machines are generally multi-purpose devices, with printers and scanners built in, they’re usually connected to organisations’ internal networks, opening the door to widespread attacks.
HP, whose fax machines were particularly affected by this security hole, has now issued a patch to close it, but other weaknesses may exist, and there are plenty of other manufacturers that making fax machines and fax-enabled printers.
Can You Stop Using Fax?
Despite the limitations of the technology and the security problems with it, there are reasons why millions of businesses aren’t rushing to stop using fax. Chief among them, said Balmas, “Fax is still considered as visual evidence in court, but an email is not. That’s why some government agencies require you to send a fax.”
That seems archaic. What would make fax better than email for legal documents? All a fax machine does is scan an image and send it over regular phone lines using a built-in modem. If you really need to copy a document – because it has a signature or stamp on it, for example – then you could scan it and send it via email. Plus e-signing methods, such as DocuSign, can make regular email a viable way to authorise contracts and other legal documents.
In fact, current UK law says that emails may be submitted in court. So can text messages and social media posts. They will, of course, be scrutinised carefully to ascertain their authenticity, and perhaps that’s easier with faxes, but there is nothing to say they can’t be used at all. That, it seems, may be a myth, based on old rules that have since been superseded.
Interestingly enough, another myth helping to drive fax use is that it’s somehow inherently secure – or at least considerably more so than email. In a story about the high-profile cyber attack on Sony that occurred in 2014, the Telegraph wrote, “Faxes are harder to hack than emails because fax machines transmit data over telephone lines rather than the internet. This means that a hacker would have to tap a phone line to steal a fax as it was being transmitted.”
Check Point’s work blows that theory out of the water. However, although it seems likely that businesses can stop using fax if they choose to, does that mean they should?
Should You Stop Using Fax?
Before you disconnect your fax machine from your phone line, it’s worth realising that, to date, there have been no recorded attacks using booby-trapped images. There’s every chance that this exploit may never end up in the wild and that all affected manufacturers will update their products to patch the flaw.
But while there may be no pressing need to stop using fax, it’s only sensible to question why you’re still clinging on to it at all. In a time when the NHS is being urged to leave this aged technology behind, what does it actually do for your business that couldn’t be achieved more efficiently in some other way? That’s a question that all businesses should be asking themselves about any technology they use.
Perhaps the most valuable lesson we can learn from Check Point’s research, though, is that it’s vital to challenge our assumptions from time to time, especially when it comes to something as important as cyber security.
Is your cyber security up to scratch? Find out with a Cyber Essentials assessment. Contact us for more information.