Facsimile, the Forgotten Cyber Compliance Vulnerability

A Check Point Research study found that hackers are able to infiltrate any home or corporate network with the use of only a fax number. Although the use of fax machines has dramatically declined in recent years, fax is still a common method of electronic communication for many businesses. Ironically, many businesses consider faxes to be a more secure form of communication. However, hackers have a long history of targeting fax machines, making communications through fax insecure in many ways. For example, fax data is sent without cryptographic protections. Individuals with the skills to intercept a phone line can easily intercept all of the data being transmitted across the phone line used by a fax machine. Additionally, fax machines are often connected to a company’s internal servers. These tend to be weak points which hackers can exploit to gain access to a company’s entire Information Technology network, including the company’s documents and customer or patient information.

The following include reasons why fax machines remain so prominent despite the increase in use of email and other forms of electronic communication:

1. Faxes provide delivery notifications to senders to inform them of whether the delivery was a success or a failure;
2. Faxes do not end up in spam folders which make them highly traceable and assured to get to their receiver;
3. Faxes are often the preferred method for healthcare organizations since under HIPAA, documents transmitted between doctors, laboratories, and insurers have to be secure;
4. There is a general belief that third parties cannot reasonably intercept and/or make changes to documents while the documents are being sent between the sender and the receiver; and
5. Lawyers favor faxes because they are a convenient method for sending documents to clients and receiving receipt confirmation.

The reality is that there are no protections for faxes from attackers. To protect against attackers, companies should consider segmenting their fax machines from their network and other devices. If the company does not use the fax function, phone lines should also be disconnected from an all-in-one machine.