If you’re reading this, it’s likely you’ve seen the press release from Check Point Software Technologies Ltd. that discussed what, in its view, were vulnerabilities and potential security risks in fax devices and the T.30 fax protocol. I’m not here to question whether Check Point did indeed find a vulnerability in HP Officejet Pro All-in-One printers; instead, I want to set the record straight about what the vulnerability did and did not mean.
The security risk was due to exploitation of vulnerabilities in the HP device’s proprietary JPEG parser and embedded OS, and the risk was patched by HP right after being identified. If the patch is installed, the security risk apparently vanishes.
What was not responsible for the security risk or vulnerability, however, was the T.30 protocol. Real-time faxing uses the T.30 fax protocol as the underlying transport for sending and receiving faxes over IP or TDM networks. The vulnerability described in the Check Point research did not reside in the transport, but rather on the post-processing of a JPEG file on the device, which was not related to the fax communication. The situation is akin to malicious code being sent via an email in that the means by which transport occurs is not where the vulnerability lies.
Do you still use email despite knowing that email is a medium which, if you're not careful, can introduce viruses and other malicious code onto your computer? Of course you do. And this is exactly why you should continue to use fax if it is part of your business processes. No vulnerabilities relating to the T.30 protocol were demonstrated, nor was it shown how this issue could apply to other fax devices.
If you’d like to read more, check out Dialogic’s response to the press release and the negative implications about fax it has – mistakenly – created.