On the Security of Faxes

Brian Scriber
5 min read · May 4, 2018

This rant originally stemmed from a question to which my wife asked me to respond — she works in health care and saw that there is a carve-out for Protected Health Information (PHI) being sent via fax under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Her question was simple: “Is fax security sufficient, and is fax security really better than email, which does not enjoy a similar carve-out?”

Finding some way to communicate ideas, words and images goes back a long way…

The security of either system rests on two elements that must be accounted for: physical security and network security. Each is examined below for fax and then for email.

The architecture of a fax system is a scanner that terminates a telephone line and transmits the scanned image (dot by dot, line by line) to a receiving fax machine at the other end of the line. While improvements have been made to the original semaphore-like scheme, the basis of the protocol is unchanged. The physical attack surface therefore includes the physical security of the original document, the sending fax machine, the telephone network, the receiving fax machine, and the printed facsimile.

The sending fax machine could have a recording/replay device inside it or attached to its output, and a camera could be positioned to view the document as it is sent. There is also the potential for operator error: misdialing the number, not retrieving the scanned original, or improperly disposing of it. Disposal raises further questions about the shredding service, the mean time between pickups, and who has physical access to the shredding bin. The sending fax machine may also keep a log or buffer with a saved copy of the sent document; concerns around this log include who has access to it, how long entries are kept, how they are deleted, and what they contain (just the recipient number and success status, or the full fax). If these buffers store sent faxes, could they be resent, printed, or forwarded to a different recipient?

On the receiving end, if the recipient is a physical fax machine, how long would the fax sit on the machine? Would a printed cover sheet indicating confidentiality actually protect the contents? Who would pick up the fax? Would it then be sorted into an unlocked mail box? After successful delivery to the intended recipient, the same disposal concerns exist as on the sending side. If the recipient is an online fax service, who has access to the electronic document (employees of the service operator, anyone who shares the account password, or anyone who can guess or attack that password)? It is not unlikely that the unencrypted electronic document is simply delivered to the recipient via email anyway. The security of such documents is discussed further below.

The telephone network that fax machines historically relied on is the Public Switched Telephone Network (PSTN). The PSTN does not encrypt the traffic it carries, so it is possible to eavesdrop on a PSTN call and exfiltrate all of the data in a fax transmission, PHI included. As practitioner offices and hospitals have moved from the PSTN to Voice over Internet Protocol (VoIP) phone services, fax machines have moved to this newer technology as well. While VoIP protocols allow for (and many use) encryption, VoIP opens up a different set of attack vectors and questions about encryption key management, access to and sharing of keys, and hardware protection and tamper resistance for those keys. It is also possible for a sending number to be spoofed, and for decisions to be made on the basis of a facsimile improperly accepted as coming from a valid sender.

Email differs from fax in many ways, but from an attack-surface perspective it is similar: the security of the original file, the security of the transmission network, and the security of the received file all matter. Just as with the original document in the fax case, the original file may be viewed on a machine that has been compromised by a virus or Trojan, by troubleshooting/remote-viewing software, or by other surveillance means (e.g. screen-capture software, or even a camera behind the viewer). The receiving end of email is also similar to the fax environment: the attachment can be saved multiple times, it can be forgotten, it can be saved onto shared drives, or the physical machine or network where it was saved can be exposed (e.g. resale of the computer, loss of the tablet or phone, or physical access because the screen does not lock after use). Access to the email server holding the message is typically protected by a username and password, which are notoriously easy to social engineer and susceptible to keystroke logging and even shoulder surfing (looking over someone's shoulder, or surreptitiously recording their fingers while they type their password).

When email is sent, the message text and any attachments pass through a series of relays, each of which stores and forwards the message according to its routing instructions until it reaches the SMTP (Simple Mail Transfer Protocol) destination. Each of those intermediary relays can follow different rules on how long messages are stored. For messages that are not independently encrypted, or for hops that do not use transport security (TLS/SMTPS), the email and its attachments are available in the clear to whoever operates, or has compromised, those relays. From a confidentiality perspective, such an email cannot be said to have been protected. From a message-integrity perspective, if end-to-end encryption or signing was not employed, it cannot be proven that the message was not tampered with in transport, or even that it was actually delivered.
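As an added illustration of the hop-by-hop exposure described above (example code, not part of the original article), the following script parses the `Received:` trace headers of a constructed sample message and reports which relay hops were made without transport security, and whether the message carries any signature header at all. The relay hostnames and IP addresses are assumed sample values.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Received headers are
# prepended by each relay, so the most recent hop appears first.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
    by inbox.example.net with ESMTPS id abc123
    (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
    Fri, 4 May 2018 10:15:02 -0600
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx.clinic.example with ESMTP id def456;
    Fri, 4 May 2018 10:14:58 -0600
Received: from workstation.clinic.example ([203.0.113.5])
    by relay.isp.example with ESMTPSA id ghi789;
    Fri, 4 May 2018 10:14:55 -0600
From: sender@clinic.example
To: recipient@example.net
Subject: Records request
Content-Type: text/plain

Attached records follow.
"""

# "from <host> ... by <host> ... with <protocol>" as written by MTAs.
HOP_RE = re.compile(
    r"^from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)

def parse_hops(raw):
    """Return hops in sending order, each with a TLS flag derived from the
    protocol token (ESMTPS / ESMTPSA / SMTPS mean TLS; ESMTP / SMTP do not).
    Caveat: a relay can forge the headers of hops upstream of it, so only
    the entries written by servers you trust are reliable evidence."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        proto = m.group("proto").upper()
        tls = proto.rstrip("A").endswith("S")        # strip 'A' (authenticated)
        hops.append({"from": m.group("src"), "by": m.group("dst"),
                     "with": proto, "tls": tls})
    return hops

def unprotected_hops(raw):
    """(from, by) pairs where the message travelled without transport security."""
    return [(h["from"], h["by"]) for h in parse_hops(raw) if not h["tls"]]

def has_signature_header(raw):
    """True if a DKIM-Signature header is present (no integrity claim otherwise)."""
    return message_from_string(raw).get("DKIM-Signature") is not None
```

Run on the sample, `unprotected_hops` flags the relay.isp.example to mx.clinic.example hop as plaintext, and `has_signature_header` is false, which is exactly the state in which neither confidentiality nor integrity can be asserted.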

To answer the original question: fax security is precarious, easily thwarted, and opens up trust to questions of sender-identity, message-confidentiality, and message-integrity; it is insufficient for any but the most public uses. Email without encryption or transport security has some of the same concerns, but secure remedies to these have been commercially available long enough for us to move past the outmoded reliance on insecure technologies like the facsimile. Particularly for sensitive information like health or financial data, it’s time to abandon the insecure fax methods, originally patented in 1843.

Brian Scriber: Cryptographer, S/W Architect, Blockchain, Speaker, Father, Husband, Son, Brother, Student, Skier, Fencer, Teacher, Fighter for Liberty, Freedom, Justice