Hackers could gain access to NHS networks by exploiting vulnerabilities in fax machines, security researchers have suggested.

Researchers at Check Point Software discovered vulnerabilities in widely used fax machines that enable hackers to spread malware through a malicious image file.

Malware can be coded into the image file; once the fax machine decodes the file and uploads it to its memory, the malware will spread through any network the machine is connected to.

The exploit discovered by Check Point only requires that a hacker know the fax number of the organisation they wish to target, which can be easily found online.

A recent freedom of information (FOI) request revealed the NHS is clinging on to some 9,000 fax machines, despite them being scrapped by most other sectors in the early 2000s.

Nick Viney, regional vice president for UK, Ireland and South Africa at McAfee, said the protocols used in fax machines had not been updated since the 1980s, which left them “wide open to cyber-attacks.”

Viney said: “It is shocking enough that so many organisations – particularly in the NHS and the rest of the public sector – still rely upon fax machines on a daily basis.

“Public sector organisations are having to juggle outdated technology with the challenge of competing with the private sector when it comes to attracting top security talent.

“However, the stakes for securing the sector and wider critical infrastructure are extremely high, given their strategic importance to the country and their position as a prime target for cyber criminals.”

Vulnerabilities were discovered in HP’s OfficeJet Pro All-in-One fax printer, although the same protocols are used in other multi-purpose printers and online fax services, making them vulnerable to the same exploit.

Yaniv Balmas, group manager for security research at Check Point, said: “Many companies may not even be aware they have a fax machine connected to their network.

“These overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations.

“It’s a powerful reminder that in the current, complex fifth-generation attack landscape, organisations cannot overlook the security of any part of their corporate networks.”

To minimise the security risk, organisations are advised to update fax-capable devices with the latest security patches and separate them from other devices on their networks.

HP has since issued security updates for its fax printers.

NHS Digital said the threat posed by hacked fax machines was minor.

A spokesperson told Digital Health News: “We have triaged the hacking of fax machines as a low severity vulnerability. Although it is possible, it would require a great amount of effort to exploit.”