Faxes and the Cloud Are a Dangerous Combination

You’re on COVID-19-induced health lockdown but you still have a deadline to hit, or a customer to support. What do you do to send the vital information that someone needs? Many companies are moving to collaborative systems like Slack or Teams. Others are sticking with email and phone calls, but there’s a third, decidedly old-school class of user that is still using faxes to exchange information.

Your average gen-zedder might not even know what a fax machine is. There are still plenty of these machines in offices and homes today, though, and retailers still sell them. Even for those that don’t have one humming away in the corner, there are cloud-based faxing services that accept images as PDFs or other formats. They are convenient, but they also present a security problem.

Cloud-based apps often run on Amazon Web Services and use its S3 storage buckets to house their data. We know that many developers fail to secure these buckets properly, meaning that the data they hold is stored out in the open for anyone to see. Sure enough, Gizmodo found that online faxing services were no different.

It discovered tens of thousands of fax images stored in S3 buckets, waiting for anyone to come and download them. That means the faxes people thought they were sending in private (or perhaps sent deliberately via a fax machine because they didn’t trust email) were exposed out in the open. That included personally identifiable information in many cases.
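A defender's check for the misconfiguration described above, as an added example that is not from the article or from Gizmodo's reporting: it evaluates a bucket's ACL grants, bucket policy and Block Public Access settings for anonymous read paths. The dictionary layout, the bucket name and both sample configurations are constructed for illustration, and any policy statement carrying a Condition is treated as non-public for simplicity.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3's "anyone" ACL group
READ_ACTIONS = ("s3:getobject", "s3:listbucket")  # download / enumerate objects

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean any caller, signed in or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_findings(bucket):
    """Return the reasons objects in `bucket` can be read by anyone."""
    pab = bucket.get("public_access_block") or {}
    findings = []
    # Public ACL grants are honoured unless IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls", False):
        for grant in bucket.get("acl_grants", []):
            if grant["grantee_uri"] == ALL_USERS and grant["permission"] in ("READ", "FULL_CONTROL"):
                findings.append(f"ACL grants {grant['permission']} to AllUsers")
    # A public policy is cut back to the owner's account when RestrictPublicBuckets is on.
    if not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list((bucket.get("policy") or {}).get("Statement", [])):
            # Simplification: a statement with any Condition is treated as not public.
            if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
                continue
            if not _is_anonymous(stmt.get("Principal")):
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                if any(fnmatchcase(a, pattern.lower()) for a in READ_ACTIONS):
                    findings.append(f"policy allows {pattern} to any principal")
    return findings

# Constructed sample: a bucket left world-readable through both its ACL and its policy.
EXPOSED = {
    "acl_grants": [{"grantee_uri": ALL_USERS, "permission": "READ"}],
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": ["s3:GetObject", "s3:PutObject"],
                              "Resource": "arn:aws:s3:::example-fax-uploads/*"}]},
}
# The same bucket with two Block Public Access settings switched on.
LOCKED = dict(EXPOSED, public_access_block={"IgnorePublicAcls": True, "RestrictPublicBuckets": True})

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("locked", LOCKED)):
        print(name, public_read_findings(cfg) or "no public read path")
```

The inputs mirror what the S3 bucket ACL, bucket policy and public access block lookups return, so the same function can be run over an inventory exported from a real account.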

Faxes aren’t just a COVID-19 phenomenon, of course. Some of the exposed faxes dated back to 2013. In some cases, people might be forced to send them because the party they’re dealing with refuses to accept anything else. Every sector, from government through to legal, has organizations that are still stuck in the early nineties. In these situations, people who wouldn’t normally keep a fax machine around the house are forced to find a quick and easy cloud-based service. Due diligence is probably the last thing on their mind, and as Gizmodo pointed out, many of these online services aren’t developed with security in mind.

All of which is to say: just because a communications medium was born in the stone age doesn’t mean it isn’t susceptible to modern-day security problems. So be careful what you send, and how.
