The Lack of Security in a Fax Machine and How to Secure It

Most companies do not lack for information security products. Its data centers are likely full of firewalls, virtual private networks, security appliances and much more. Yet there is a device, hundreds of them perhaps, in many organizations, that lack any sort of security. This is the lowly fax machine.

The fax machine poses serious potential security issues and risks to every company where it us used. The good news is that most of these risks can easily be mitigated. The issue is that most companies are oblivious to those threats and do not take the appropriate countermeasures.

An introduction to basic fax operations is in order. The reason faxing is so seamless is that all modern fax machines operate using the same protocol, namely the Group 3 Facsimile protocol (G3). The G3 protocol was first published in 1980 by the ITU-T (International Telecommunication Union - http://www.itu.int).

The G3 standard for facsimile communications over analog telephone lines was originally approved by the CCITT in its T.4 and T.30 recommendations in 1980. This standard is supported by nearly every fax machines in use today and continues to be updated.

G3 is specified in two standards:

• T.4 - image-transfer protocol.
• T.30 - specifies the session-management procedures that support the establishment of a fax transmission.

T.30 allows the two endpoints to agree on such things such as transmission speed and page size. Since G3 is specified for switched analog networks, and it is an all-digital procedure, it must use modems or a fax relay. They are also specified in ITU standards:

• V.21 (300 bps) for the T.30 procedures, and for image transfer
• V.27ter (2400/4800 bps)
• V.29 (7.2k, 9.6k)
• V.17 (7.2k, 9.6k, 12k, 14.4k)
• Real-time IP fax transport is specified in T.38 and replaces modems.

There is a G4 standard, but this is for digital telephone networks and was approved in 1984 and updated in 1988. This standard has found greater acceptance in Europe and Japan than in the USA and is predominately used for fixed point to point high volume communications.

The T.30 specification divides a call into five phases:

• Phase A - Call setup
• Phase B – Pre-message procedures
• Phase C – Image transfer
• Phase D – Post-message procedures including multi-page and end of procedure signals
• Phase E – Call release

One of the more important works on fax security was Guidelines on Facsimile Transmission Security issued by the Information and Privacy Commissioner of Ontario, Canada all the way back in 1989. This document was one of the first to bring to light the need to deal with fax security. The document was updated in 2003 , and its sets out guidelines for government organizations to consider when developing systems and procedures to maintain the confidentiality and integrity of information transmitted by fax. While the paper was written for government organization, most of the issues and guidelines are relevant for non-government organizations.

According to Ontario, Canada based Natural Data, Inc., there are over 100 million fax machines in use worldwide today. Almost all of these fax machines are unable to connect to the Internet and as a result can only send and receive faxes using the unsecured public fax line services.

The fax machine, like all technologies, have security risks. The most notable fax issues are that the faxed document will sometimes not reach its intended destination. This is due to both human error (wrong number dialed) or technical issues (poor communication lines, incompatible equipment, and more).

While there are fax security issues, one of the main benefits of a fax is that unlike an e-mail attachment, a fax document is an image file and, therefore, is inherently not an editable file. That means that no one can alter the original itself to embed another program within it, meaning a fax can never cause a computer virus or worm to invade your network.

It is important to note that in a perfect world, every fax machine will be deployed with the highest levels of security. In the real-world, such an approach is not practical.

Computer security is simply attention to detail and good design and effective information security is built on risk management, good business practices and project management. Creating a secure fax infrastructure is no different.

The initial step of this infrastructure is to establish policies around the use of fax machines. The ultimate level of fax security is built on this foundation of effective policies and procedures which govern their use. At the end of this article is a set of core policies around fax security that can be used.

While the basic use of a fax machine is often intuitive; the secure use of a fax machine is often not so intuitive. By creating a set of standard operating procedures (SOP) around the use of secure faxes, you can mitigate most of the threats involved.

Some of the basic procedures around fax security include ensuring the number of pages of the fax received are the same amount sent, reassembling the received document, appropriate distribution, confirmation of receipt, and more.