Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« Letter: Lexar JumpDrives | Main | Peer-to-Peer Alarm Systems »

November 8, 2004

Hacking Faxes

Prisoner is freed from jail based on a forged fax:

In West Memphis District Court yesterday, Tristian Wilson was set to appear on the docket for a bond hearing on the charges. When he did not appear, Judge William "Pal" Rainey inquired about his release and found that a jail staff member released Wilson by the authority of a fax sent to the jail late Saturday night.

According to Assistant Chief Mike Allen, a fax was sent to the jail which stated "Upon decision between Judge Rainey and the West Memphis Police Department CID Division Tristian Wilson is to be released immediately on this date of October 30, 2004 with a waiver of all fines, bonds and settlements per Judge Rainey and Detective McDugle."

Jail Administrator Mickey Thornton said that these faxes are part of a normal routine for the jail when it comes to releasing prisoners, however, this fax was different.

Faxes are fascinating. They're treated like original documents, but lack any of the authentication mechanisms that we've developed for original documents: letterheads, watermarks, signatures. Most of the time there's no problem, but sometimes you can exploit people's innate trust in faxes to good effect.

Posted on November 8, 2004 at 7:12 AM17 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

It's amazing how much the healthcare industry still relies upon faxes for distributing Protected Health Information (PHI). Not only is it a privacy issue, but could you imagine abuse of pharmaceuticals or medical procedures because of a social engineering attack? Yet, take away the fax today, and many healthcare organizations would be unable to conduct business.

Posted by: malcomvetter at November 8, 2004 7:46 AM

A similar story happenned last year in France. I guess it's a pretty common way to get prisonners out of jail...

Posted by: Frédéric Grosshans at November 8, 2004 10:57 AM

The article does in fact mention that the fax was missing the "standard letterhead with the WMPD logo on it". The fax header also apparently said it originated from a McDonalds. I don't know if I'd call that "trust"...

Posted by: Davi Ottenheimer at November 8, 2004 11:39 AM

Like that last comment said, the fax machine probably isn't the weak link here. It's not as if this is a new idea -- the most successful escape attempt from Alcatraz was based on forged release orders.

Posted by: Joe Ganley at November 8, 2004 2:05 PM

Mark one up for Social Engineering (SE) Attacks! - The human is the weakest link and is very vulnerable to things that shouldn't make sense!

Israel Torres

Posted by: Israel Torres at November 9, 2004 9:00 AM

Setting aside for the moment the reasons that this fax (and the many release-papers forgeries that have preceded it) should have been recognized as a fake, I think that faxes in general are perceived as trustworthy because most people experience fax machines as closed systems, with neither directories to send to any arbitrary unauthorized destination nor arbitrarily-settable sender information. (That the experience is contrary to fact is a minor nit.)

I was thinking about this the other day when I had to fax a legal document overseas. It would have been easier and cheaper to just email the scan to the recipient for printing, but that embedded timestamp and sender information added a veneer of authenticity that a printed PDF attachment couldn't match.

As sender-address spoofing becomes even more common -- From: headers, caller-ID, fax headers -- when will people finally stop relying on the transmission infrastructure for (apparent) authentication?

Posted by: Paul Wallich at November 9, 2004 11:06 AM

I am consistantly amazed by the number of small businesses (especially law offices) where the FAX is the responsibility of the front- desk receptionist. FAXes come out and are stacked for pickup in the front- office waiting area. Anybody who walked in the door could look them over.

Posted by: lightning at November 9, 2004 2:40 PM

Wow. Even if they had had a system that included certain special official "marks" and such, allowing someone to be released simply with a fax seems, uh, not too bright. The same goes for (as a prior person has commented) the notion that 'the fax came from the right number'


One would think that a required call-back to a predetermined, pre-validated number at the _very_ least would be required.


--Kevin

Posted by: Background Investigations at November 11, 2004 11:48 AM

hi hacking faxes i am logan known as scott engle. believe it!

Posted by: logan E. at February 28, 2006 4:10 PM

I would like to have some more information about fax hacking in general.

Is it possible to enter a faxmachine by remote services ?

Is it also possible to enter a faxnumber through hacking the protocal of the remote services from the faxmichine?

Posted by: rick at May 1, 2006 4:26 AM

Hello Rick,

What do you exactly mean by "enter a faxmachine".
With remote services it is quite easy to change the fax settings or to inspect (parts) of the fax memory. It certainly is possible to add or modify fax numbers stored in the remote machine, if the machine is equiped with remote service possibilities (and most machines do), unless the fax is connected through some fax firewall.
Occasionaly you can also read "private" fax mailboxes because passwords are stored in plain ASCII. What would you like to modify in the fax machine?

Posted by: George at June 30, 2006 2:49 AM

Another fine example of creativity and another demonstration that software is not a security solution, no matter how much of it you buy!

Posted by: Secret Patrol at June 25, 2009 3:40 PM

Hello.
This message is for Ricky and George, about messages posted on May 1, 2006 and June 30, 2006, talking about the possibility to enter in remote fax machine.
For "enter in fax machine" i mean that with a regular modem class2 is possible to dial a fax machine, every where in the world, and send, trought some commands, setup, configuration, store numbers, etc.
But really exist a procedure for make it?
Can be send a fax to remote fax machine that is not regular fax but a command sequence for configure it or trought AT commands?
For example configure a callback number for dial a schedule time or send fax a schedule time?
Thanks you.

Posted by: Marco at January 1, 2010 10:40 AM

Hello again.
I have forgot to write a side of message.
One month ago, I have receive my phone bill. I have a regular fax machine (HP multifuncion).
With big surprise i have seen 6 international calls to some numbers.
I have try with tech assistance to retrieve info from the fax with report, etc. But totally empty. No trace about these calls.
After 2 weeks talking with others people in the same city, happened the same with them.
No fax was sent, simple dial call, because the duration of calls was 2-3 seconds.
Then I would like to know how is possible this?

Thanks you.

Posted by: Marco at January 1, 2010 10:48 AM

My lawyer refuses to show fax he sent to Merrill lyNch. Same day 40 k. Trades were made onacct. Which was to be froze. For child support. I have cover sheet Can contents be recovered

Posted by: Charlie at March 12, 2010 10:40 PM

Just see this little demo...
http://www.rcid.net/RCID_RDS-demo.htm
Give it a few seconds to load.

Posted by: a friend at March 16, 2010 6:13 PM

Yes this is a big thing for me too, do fax machines have a stored memory of what has been sent and received on it, just like a computer can they be recovered even from in the past (like in a computers case they can be recovered even when deleted). I need to recover a fax that was sent to me and it is a large piece of evidence in an important case, can it be done? with more or less unlimited funding or capabilities can it be done, does the technology or capability exist, is it feasable,, assistance would be much appreciated asap thanks

Posted by: timothy at September 17, 2010 5:43 AM

Subscribe to comments on this entry

Post a comment




E-mail is optional and will not be displayed on the site.


Remember Me?


Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Blog Menu

Search


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2012 J F
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Support Bloggers' Rights!
Defend Privacy--Support Epic
Latest Book
Liars & Outliers
more books by Bruce Schneier
Syndication
Full Text Feed
Excerpts Feed

Follow on Twitter
Subscribe via Kindle

Translations
German
Italian

more translations

Crypto-Gram Newsletter
If you prefer to receive Bruce Schneier's comments on security as a monthly e-mail digest, subscribe to Schneier on Security's sister publication, Crypto-Gram.
read more