Levellass' Softdisk Library page helped hack fax machines

Malvineous
Posts: 113
Joined: Sat Mar 13, 2004 12:54 am
Location: Brisbane, Australia

Post by Malvineous »

Hi all,

Just briefly stopping by to let @levellass know that the ModdingWiki page on the Softdisk Library Format that is predominantly her work just showed up in a DEFCON video on fax machine vulnerabilities.

Turns out it's possible to send a fax to vulnerable fax machines and from that alone, take over the firmware and then if it's an all-in-one device connected to the company network, branch out and start attacking computers on the internal network.

In order for the security researchers to achieve this, they had to first figure out how to decompress the HP printer firmware, and guess what, it was compressed with the same algorithm that Softdisk used. It looks like they slightly misunderstood the origin of the algorithm (since the talk is peppered with Commander Keen references) but hey, who's complaining :)
Nisaba
Posts: 320
Joined: Fri Jan 01, 2016 11:15 pm
Location: patch.pat

Re: Levellass' Softdisk Library page helped hack fax machines

Post by Nisaba »

Great find!
Who would have thought that Lemm's & Lass' reverse engineering skills will help security researchers to 'fix faxes'.
BTW very interesting DEF CON talk about fax exploitation. Watched the whole video and ask myself when I last used a fax machine... '96/'97, maybe? Dunno.
Have you been to this year's DEF CON 26! hacking conference?
[...] in some dark corner of the internet we find this strange wiki page [...]
Malvineous
Posts: 113
Joined: Sat Mar 13, 2004 12:54 am
Location: Brisbane, Australia

Re: Levellass' Softdisk Library page helped hack fax machines

Post by Malvineous »

No I haven't been to the conference as international travel is such a pain. It was quite an interesting talk, and although I haven't used a fax machine for many years either, as they said in the talk, many larger companies (at least here in Australia) still have one available.

Makes me wonder what this compression algorithm "really" is, since it's unlikely someone at Softdisk made it up themselves.
levellass
Posts: 3001
Joined: Wed Oct 11, 2006 12:03 pm
Location: Ngaruawahia New Zealand

Re: Levellass' Softdisk Library page helped hack fax machines

Post by levellass »

This was highly unexpected.
Benvolio
Posts: 228
Joined: Sun Aug 29, 2004 4:44 pm
Location: Ireland

Re: Levellass' Softdisk Library page helped hack fax machines

Post by Benvolio »

Very amusing! Finally Keen modding has been put on the map.

Disquietingly, fax is still a core means of communication both within and between hospitals in the British Isles, especially Ireland. If we get hacked, I'm blaming Levellass!
levellass
Posts: 3001
Joined: Wed Oct 11, 2006 12:03 pm
Location: Ngaruawahia New Zealand

Re: Levellass' Softdisk Library page helped hack fax machines

Post by levellass »

Interestingly, HP has contacted me about this and seems likely to change the method used to 'encrypt' their code.
Nisaba
Posts: 320
Joined: Fri Jan 01, 2016 11:15 pm
Location: patch.pat

Re: Levellass' Softdisk Library page helped hack fax machines

Post by Nisaba »

that's indeed interesting. can you share any further details?! did HP offer you a job?
and most importantly: will the new encryption code be in SGA?
Nisaba
Posts: 320
Joined: Fri Jan 01, 2016 11:15 pm
Location: patch.pat

Re: Levellass' Softdisk Library page helped hack fax machines

Post by Nisaba »

Those guys again, similar talk, different location (CCC). This time around someone in the audience already knew the answer to their rhetorical question... https://media.ccc.de/v/35c3-9462-what_the_fax#t=1260
levellass
Posts: 3001
Joined: Wed Oct 11, 2006 12:03 pm
Location: Ngaruawahia New Zealand

Re: Levellass' Softdisk Library page helped hack fax machines

Post by levellass »

Nisaba wrote: Tue Dec 25, 2018 12:24 am
that's indeed interesting. can you share any further details?! did HP offer you a job?
and most importantly: will the new encryption code be in SGA?

Essentially nobody working there knew what the compression was and my page didn't cover ALL the details. So we worked back and forth and fixed a few things, including this weird thing the program does with the buffer. Once we got that all worked out the code was decompressed then recompressed using a more secure method. This I think will be rolled out in new products over time to fix this little issue.