Hacking Faxes

Prisoner is freed from jail based on a forged fax:

In West Memphis District Court yesterday, Tristian Wilson was set to appear on the docket for a bond hearing on the charges. When he did not appear, Judge William “Pal” Rainey inquired about his release and found that a jail staff member released Wilson by the authority of a fax sent to the jail late Saturday night.

According to Assistant Chief Mike Allen, a fax was sent to the jail which stated “Upon decision between Judge Rainey and the West Memphis Police Department CID Division Tristian Wilson is to be released immediately on this date of October 30, 2004 with a waiver of all fines, bonds and settlements per Judge Rainey and Detective McDugle.”

Jail Administrator Mickey Thornton said that these faxes are part of a normal routine for the jail when it comes to releasing prisoners, however, this fax was different.

Faxes are fascinating. They’re treated like original documents, but lack any of the authentication mechanisms that we’ve developed for original documents: letterheads, watermarks, signatures. Most of the time there’s no problem, but sometimes you can exploit people’s innate trust in faxes to good effect.

Posted on November 8, 2004 at 7:12 AM18 Comments


malcomvetter November 8, 2004 7:46 AM

It’s amazing how much the healthcare industry still relies upon faxes for distributing Protected Health Information (PHI). Not only is it a privacy issue, but could you imagine abuse of pharmaceuticals or medical procedures because of a social engineering attack? Yet, take away the fax today, and many healthcare organizations would be unable to conduct business.

Frédéric Grosshans November 8, 2004 10:57 AM

A similar story happenned last year in France. I guess it’s a pretty common way to get prisonners out of jail…

Davi Ottenheimer November 8, 2004 11:39 AM

The article does in fact mention that the fax was missing the “standard letterhead with the WMPD logo on it”. The fax header also apparently said it originated from a McDonalds. I don’t know if I’d call that “trust”…

Joe Ganley November 8, 2004 2:05 PM

Like that last comment said, the fax machine probably isn’t the weak link here. It’s not as if this is a new idea — the most successful escape attempt from Alcatraz was based on forged release orders.

Israel Torres November 9, 2004 9:00 AM

Mark one up for Social Engineering (SE) Attacks! – The human is the weakest link and is very vulnerable to things that shouldn’t make sense!

Israel Torres

Paul Wallich November 9, 2004 11:06 AM

Setting aside for the moment the reasons that this fax (and the many release-papers forgeries that have preceded it) should have been recognized as a fake, I think that faxes in general are perceived as trustworthy because most people experience fax machines as closed systems, with neither directories to send to any arbitrary unauthorized destination nor arbitrarily-settable sender information. (That the experience is contrary to fact is a minor nit.)

I was thinking about this the other day when I had to fax a legal document overseas. It would have been easier and cheaper to just email the scan to the recipient for printing, but that embedded timestamp and sender information added a veneer of authenticity that a printed PDF attachment couldn’t match.

As sender-address spoofing becomes even more common — From: headers, caller-ID, fax headers — when will people finally stop relying on the transmission infrastructure for (apparent) authentication?

lightning November 9, 2004 2:40 PM

I am consistantly amazed by the number of small businesses (especially law offices) where the FAX is the responsibility of the front- desk receptionist. FAXes come out and are stacked for pickup in the front- office waiting area. Anybody who walked in the door could look them over.

Background Investigations November 11, 2004 11:48 AM

Wow. Even if they had had a system that included certain special official “marks” and such, allowing someone to be released simply with a fax seems, uh, not too bright. The same goes for (as a prior person has commented) the notion that ‘the fax came from the right number’

One would think that a required call-back to a predetermined, pre-validated number at the very least would be required.


rick May 1, 2006 4:26 AM

I would like to have some more information about fax hacking in general.

Is it possible to enter a faxmachine by remote services ?

Is it also possible to enter a faxnumber through hacking the protocal of the remote services from the faxmichine?

George June 30, 2006 2:49 AM

Hello Rick,

What do you exactly mean by “enter a faxmachine”.
With remote services it is quite easy to change the fax settings or to inspect (parts) of the fax memory. It certainly is possible to add or modify fax numbers stored in the remote machine, if the machine is equiped with remote service possibilities (and most machines do), unless the fax is connected through some fax firewall.
Occasionaly you can also read “private” fax mailboxes because passwords are stored in plain ASCII. What would you like to modify in the fax machine?

Marco January 1, 2010 10:40 AM

This message is for Ricky and George, about messages posted on May 1, 2006 and June 30, 2006, talking about the possibility to enter in remote fax machine.
For “enter in fax machine” i mean that with a regular modem class2 is possible to dial a fax machine, every where in the world, and send, trought some commands, setup, configuration, store numbers, etc.
But really exist a procedure for make it?
Can be send a fax to remote fax machine that is not regular fax but a command sequence for configure it or trought AT commands?
For example configure a callback number for dial a schedule time or send fax a schedule time?
Thanks you.

Marco January 1, 2010 10:48 AM

Hello again.
I have forgot to write a side of message.
One month ago, I have receive my phone bill. I have a regular fax machine (HP multifuncion).
With big surprise i have seen 6 international calls to some numbers.
I have try with tech assistance to retrieve info from the fax with report, etc. But totally empty. No trace about these calls.
After 2 weeks talking with others people in the same city, happened the same with them.
No fax was sent, simple dial call, because the duration of calls was 2-3 seconds.
Then I would like to know how is possible this?

Thanks you.

Charlie March 12, 2010 10:40 PM

My lawyer refuses to show fax he sent to Merrill lyNch. Same day 40 k. Trades were made onacct. Which was to be froze. For child support. I have cover sheet Can contents be recovered

timothy September 17, 2010 5:43 AM

Yes this is a big thing for me too, do fax machines have a stored memory of what has been sent and received on it, just like a computer can they be recovered even from in the past (like in a computers case they can be recovered even when deleted). I need to recover a fax that was sent to me and it is a large piece of evidence in an important case, can it be done? with more or less unlimited funding or capabilities can it be done, does the technology or capability exist, is it feasable,, assistance would be much appreciated asap thanks

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.