Hackers Could Open Convicts' Cells In Prisons
Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"
Why are the prison control systems connected to the Internet? Who thought that was a good idea?
Palm trees and 8
I want to do this. Sooo bad.
F1ST P0ST!
Or did everyone else get infected?
Not everyone else is in jail pressing F5.
It is dangerous to be right when the government is wrong.
Scatter a bunch of infected usb keys around the parking lot. Someone will insert it into a computer.
F1ST P0ST!
...but where's the fist?
So, anyone want to guess whether people will react with "That security system is horrible." or with "Hackers can do anything." ?
Expect this to be a new thing in hollywood movies. I think it's about the only thing they HAVEN'T used for a prison escape!
Wouldn't a good old switchboard do?
All believable, right up to:
We could blow out all the electronics.
The best I can think of is turning on the entire HVAC system at the same instant, popping the circuit breakers to the facility.
Maybe you could turn the power to the TVs on and off every second until the switching power supplies blow, or maybe that wouldn't work..
The problem with getting "average joe" to infect a PLC is that PLCs and their systems are getting more complicated, to the point that only specialists mess with them. It's a temporary thing. In the past, they were too few to matter; in the future they'll be too complicated for all but specialists to have access. This is just a momentary thing where "joe average industrial maint electrician" could theoretically screw stuff up.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I bet reactions from officials will include:
1) This wouldn't happen, because it's illegal!
2) We have to increase sentences for these kind of acts!
3) We have to create new laws to punish people who do this!
4) Let's sue whoever found the vulnerabilities!
You can be sure they won't include:
1) Admission that anything is wrong or any mistakes were made.
2) Removal of vulnerabilities.
3) Realisation that "pays for politician-in-charge's yacht and summer home" is not a criterion for competence.
The problem being that the majority of these systems were designed at a time when malware and hacking were not as big an issue as today. Common sense can stop most threats easily, though: no internet access, restrict physical media. Sorted. On a bigger scale, though, it really worries me; cyber warfare is here and nobody is prepared. Things are going to get messy, fun fun times are ahead. :)
That right there is some over the top scaremongering oh no the hackers could let out the evil convicts!
Wow.... That's some major league bullshit spin. I gotta hand it to whatever powers that be came up with the idea that all of america now need to be afraid of the evil nasty internet hackers... Seriously. You outdid yourselves on this one. Way to reach for the stars. Go have a money fight or whatever you fucks do... That's some grade A fear trolling.
I'm impressed.. I wonder how many millions were spent on this little slice of fear to control people. That's... wow.
And in related news, hackers could turn your computer into a bomb and blow your family to smithereens.
Hackers "could" do a lot of things. How about we focus on what is realistic instead?
In the first place the prison control network is likely not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet, a token-passing bus topology. If it uses Gould/Modicon/SquareD/Schneider it is probably Modbus Plus, also a token-passing bus network. The PLCs will be executing Ladder Logic.
The control computer that the article talks about is only used to modify or create code for the PLCs and is thereafter disconnected. It would usually only be reconnected for maintenance reasons. The control of the unlocking or locking of cell doors is likely by push button in the guard control room and done through the PLC I/O.
The network is not going to be connected to the internet as that would be stupid.
This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter:
UNLOCK ALL INMATE DOORS
DEACTIVATE SECURITY SYSTEM
Then you smash the screen with a hammer so that no one can override the commands. It's simple.
What?
Prisencolinensinainciusol. Ol Rait!
Recall all the Stuxnet comments on how it was so unique and targeted it was.
The perfect safe digital weapon with layers of unique code to seek out a sub set of industrial units.
Now cost cutting Microsoft based programmable logic controllers are at risk in other areas...
Why are so many expensive unique projects connected to low end Windows code?
Domestic spying is now "Benign Information Gathering"
My blog has also been hacked..
I Am a Blogger
It must be traumatic to feel like there is a Bear in your mind (Assuming it is the grizzly kind, not the furry friendly kind), I wonder how the author can bare it?
forces the govt prisons to automate or else all their "guests" will get transferred to "save money by using the free market"
Now that's funny. As if the free market set the goal for the highest incarceration rate in the entire world. As if the free market sat down and planned out the racket which would lock millions of non-violent human beings in cages like animals.
Government decides who gets locked in cages and why, not the free market. These "private" prisons aren't examples of free market economics at all. They are merely subsidiaries in the business of government.
You got control of the PLCs, started the emergency generator, set it to run at 75Hz, and forced it to connect to the mains? I'm thinking that might blow up a few bits and pieces of electronics.
Remember that Stuxnet was designed to use the PLCs to vary the frequency of the equipment.
No one ever had to evacuate a city because the solar panels broke!
Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.
There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as man-in-the-middle, network based attack exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet.
So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is
By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.
That's like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufacturers. Yep, it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.
I have been using PLCs for longer than some /.'s have been alive, and one thing I can say is that the only thing each manufacturer's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.
Finally the biggest laugh for me in TFA was
The communications port is typically 9-pin RS-232 or EIA-485;
That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid-sized PLC system we have upgraded to Ethernet, Profibus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being overpriced are nothing compared to PLC manufacturers).
I am Slashdot. Are you Slashdot as well?
This IS scaremongering.
'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'
Right there.
Your average reader now doesn't visualize a circuit-board somewhere fizzing out and releasing some of that mythical white smoke.
He sees **BUM!***BUM!***EXPLOSIONS!!!***BADA-BUM!!*** instead.
Followed by rapists and serial killers and cannibals being armed with rocket launchers and AIDS and set loose onto a kindergarten city somewhere.
You know... a city made entirely out of kindergartens. And diaper factories.
Too bad Numb3rs was canceled...
Or there would now surely be an episode in the making about just such an escape attempt.
Fortunately, CSI: Miami is still on the air.
We may yet see 2 million convicts across USA blowing up prisons with internet viruses and then rampaging across the land... no... wait...
QUICK! Someone get me Michael Bay and Jerry Bruckheimer - I've got their next blockbuster right here!
Against stupidity the gods themselves contend in vain.
That's why the guards on the towers carry guns.
Yes, you could have this done over Ethernet TCP/IP. You could bridge the local ControlNet to the internet, and this is done in some cases. You could program from a central location in the facility. There are many reasons that you may want to do that, but the safety consideration of someone accidentally remotely turning on or off a valve or causing a robot to swing into a new position means it is not commonly done even in the most automated of factories. Of course each system is custom engineered for an application, so anything is possible.
I would imagine in a Prison there may be a reason to program from a remote (safe) location. But I see no need to do that from outside the prison walls.
Stuxnet managed to cheat everybody by having the display show nothing was wrong, while in fact spinning the uranium faster.
Therefore, something similar needs to display that the doors are in fact closed, when they really are open.
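The scenario in the comment above, a screen that reports doors closed while the outputs say otherwise, is exactly what an independent consistency check is for. The following is an added example, not code from the article, the researchers, or any PLC vendor: it models one cell block as a snapshot of the PLC's digital outputs (lock coils), digital inputs (door limit switches), the operator-request inputs and the HMI tag the screen reads, then compares the three views. A block-wide check for too many simultaneous releases is included because "toggle them all and see what happens" is the crudest possible misuse. All door identifiers, the release limit and the sample scan are constructed.

```python
"""Added example: independent consistency check for a PLC door-control loop.

Constructed model (no real prison, vendor or tag names are assumed). For each
door the monitor reads the raw I/O table directly, not the HMI tag table, so a
spoofed HMI value shows up as a disagreement with the physical sensor.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed site policy: how many doors in one block may be released at once.
MAX_SIMULTANEOUS_RELEASE = 2


@dataclass(frozen=True)
class DoorSnapshot:
    door_id: str
    operator_request: bool  # control-room release button for this door
    cmd_unlock: bool        # PLC digital output: lock coil energized
    door_open: bool         # PLC digital input: limit switch reports door open
    hmi_open: bool          # what the operator screen currently shows


def check_door(s: DoorSnapshot) -> list[str]:
    """Compare the three views of one door and return human-readable alerts."""
    alerts: list[str] = []
    if s.hmi_open != s.door_open:
        # Screen disagrees with the physical sensor: HMI tag spoofing or a sensor fault.
        alerts.append(
            f"{s.door_id}: HMI shows {'open' if s.hmi_open else 'closed'} "
            f"but limit switch reports {'open' if s.door_open else 'closed'}"
        )
    if s.cmd_unlock and not s.operator_request:
        # Output energized with no matching command: tampered logic or forced I/O.
        alerts.append(f"{s.door_id}: unlock output energized without operator request")
    if s.door_open and not s.cmd_unlock:
        # Door physically open while the lock is commanded engaged.
        alerts.append(f"{s.door_id}: door open while lock is commanded engaged")
    return alerts


def audit(snapshots: list[DoorSnapshot]) -> dict[str, list[str]]:
    """Run the per-door checks plus a block-wide mass-release check."""
    findings = {d.door_id: a for d in snapshots if (a := check_door(d))}
    released = [d.door_id for d in snapshots if d.cmd_unlock]
    if len(released) > MAX_SIMULTANEOUS_RELEASE:
        findings["_block"] = [
            f"{len(released)} doors released at once "
            f"(limit {MAX_SIMULTANEOUS_RELEASE}): {', '.join(released)}"
        ]
    return findings


# Constructed snapshot of one cell block at a single PLC scan.
SAMPLE_SCAN = [
    DoorSnapshot("A-101", operator_request=False, cmd_unlock=False, door_open=False, hmi_open=False),  # secured
    DoorSnapshot("A-102", operator_request=True,  cmd_unlock=True,  door_open=True,  hmi_open=True),   # legitimate release
    DoorSnapshot("A-103", operator_request=False, cmd_unlock=True,  door_open=True,  hmi_open=False),  # screen lies
    DoorSnapshot("A-104", operator_request=False, cmd_unlock=False, door_open=True,  hmi_open=True),   # forced or sensor fault
]

if __name__ == "__main__":
    for door, alerts in audit(SAMPLE_SCAN).items():
        for line in alerts:
            print(door, "->", line)
```

The point of the design is that the monitor's inputs come from the raw I/O image, not from the same tag server the HMI reads; a compromise that rewrites what the screen shows cannot also rewrite a limit switch.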
"where would we, the working public, be, without prisons?"
Drowning in commas?
Would be to install malware on the TSA's body scanners. When scanning, it would perform gender analysis. If female, it would display a random picture of Pamela Anderson. If male, it would display a random picture of Arnold Schwarzenegger as Conan the Barbarian.
Who could complain? (Except those who want us to turn over all our lives and security to them "in our own best interest".)
First off it shows a STUNNING lack of any sort of thought on the part of the people in charge of security and system design; connecting ANY command and control system of any kind to the real internet is something that should never, ever, be done, period.
I don't care HOW convenient it is or how useful it is, it's painting a giant soft target on your system and anyone who does it should be fired.
Furthermore, anyone who takes a usb stick or other media and plugs it into a secure C&C system needs to be fired also, as a matter of fact such systems should probably be designed with little to no access to external media and any actually required access points should be as secured as possible.
As far as the systems go, designing a system in such a way that it is possible for software to actually destroy or even damage hardware is just fucking lazy; hardware should be (and traditionally is) designed to not exceed its limits.
And yes, you can make the argument that a motherboard can be set to overclock till it destroys the CPU, but that's not a supposedly secure command & control system now is it? Those are different things for a reason.
Progress with programmable logic controllers has made them much more vulnerable. They used to be really dumb devices, often programmed by physically plugging in an EPROM. Their communications protocol tended to be some ancient multi-drop serial protocol like RS-485, or a vendor-specific proprietary network. The "host machine" tended to be some CPU on a card, connected to a dumb terminal or a control panel. This was dumb and static, but being totally isolated, secure from external intrusion.
Now, PLCs tend to be reprogrammable over their communications link. Some support Ethernet directly. The proprietary networks were all overpriced, and although Ethernet is overkill for most low-level controllers, the interface parts are cheaper, the cables are cheaper, the connectors are cheaper, and more interface devices are available. Also, 10baseT, which has differential signalling and error control, has better noise immunity than some of the lower-speed proprietary networks. I've used devices that have a built in web server just for configuration purposes. With no security.
Even if the low-level network is nonstandard, there's a tendency today to put in a gateway to an Ethernet. This allows connection to, inevitably, a PC running Windows, usually with some custom DLL from the controls vendor. (See page 9 of this Siemens brochure.) This often allows reprogramming the low level controllers from a PC. This is exactly the configuration that was used in the Iranian centrifuge facility.
Of course, once you have something that's IP over Ethernet with Windows machines on it, it tends to become accessible from the outside world. This is a recognized problem. Here's a Siemens paper on it. They talk about "firewalls" a lot, but don't go into much detail over what they really do. Note that they mention an engineering terminal use for system programming (a PC), physically outside the firewall, coming in through an encrypted VPN. That's a classic point of attack.
The trouble is that it's too convenient to have connections to external systems. The PLC system for lock control in a prison wouldn't seem to have to be connected to other systems. But there's going to be an inmate inventory system that tracks who is supposed to be in which cell. It's convenient if the interface to the locking system shows who is supposed to be where, and has important info like which prisoners are violent, which need extra medical attention, and such. Then you can have screens which show both door status and prisoner info.
But others need to talk to the prisoner inventory system. The system for food ordering needs info about how many inmates are in which parts of the prison and maybe their dietary needs. And the system for food ordering needs to talk to external suppliers to place orders. That means a link to outside the prison. This is the sort of thing which leads to a data path from non-critical to critical systems.
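The chain described in the two paragraphs above (supplier link into food ordering, food ordering into the inmate inventory, inventory overlay on the lock screens) is a zone-and-conduit reachability problem, and it can be checked mechanically before anyone plugs a cable in. The following is an added example, not from the article or any vendor: it models zones as nodes and "may open a session to" as directed edges, then searches for a chain from the outside to the door PLC. Both the "convenient" layout and a segmented alternative, in which the lock HMI only pulls from a read-only replica in a DMZ and the engineering workstation has no remote path at all, are constructed, as are all zone names.

```python
"""Added example: zone-and-conduit reachability check for an ICS network.

Constructed model. A conduit (a, b) means systems in zone `a` are allowed to
initiate sessions to zone `b`; that is the direction an intruder needs.
"""
from __future__ import annotations

from collections import deque

Conduit = tuple[str, str]


def find_path(conduits: list[Conduit], src: str, dst: str) -> list[str] | None:
    """Breadth-first search over allowed session directions.

    Returns the shortest chain of zones an intruder in `src` could traverse
    to reach `dst`, or None when no chain of allowed conduits exists.
    """
    graph: dict[str, list[str]] = {}
    for a, b in conduits:
        graph.setdefault(a, []).append(b)
    prev: dict[str, str | None] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: list[str] = []
            cur: str | None = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


# "Convenient" design: every system talks directly to whatever it needs.
CONVENIENT: list[Conduit] = [
    ("internet", "food_ordering"),          # supplier portal reachable from outside
    ("food_ordering", "inmate_inventory"),  # headcount and dietary data
    ("inmate_inventory", "lock_hmi"),       # who-is-where overlay on the door screens
    ("lock_hmi", "door_plc"),               # HMI writes commands to the PLC
    ("internet", "engineering_ws"),         # engineering terminal reachable via VPN
    ("engineering_ws", "door_plc"),         # program downloads
]

# Segmented design: the control zone only pulls from a replica that never
# initiates sessions, and the engineering workstation has no remote path.
SEGMENTED: list[Conduit] = [
    ("internet", "food_ordering"),
    ("food_ordering", "inmate_inventory"),
    ("inmate_inventory", "dmz_replica"),    # inventory pushes a read-only copy into a DMZ
    ("lock_hmi", "dmz_replica"),            # HMI pulls; the replica has no outbound conduits
    ("lock_hmi", "door_plc"),
    ("engineering_ws", "door_plc"),         # reachable only by being in the room
]


def exposure(conduits: list[Conduit], critical: str = "door_plc",
             untrusted: str = "internet") -> list[str] | None:
    """Shortest intruder path from the untrusted zone to the critical zone, or None."""
    return find_path(conduits, untrusted, critical)


if __name__ == "__main__":
    for name, design in (("convenient", CONVENIENT), ("segmented", SEGMENTED)):
        print(name, "->", exposure(design) or "no path from internet to door_plc")
```

Running it on the convenient layout reports the VPN'd engineering terminal as the shortest route, which matches the "classic point of attack" remark above; the longer route through food ordering and the inventory system is the one the two paragraphs describe, and it is found as soon as the short one is removed. On the segmented layout the search comes back empty, because the replica is a dead end and nothing outside can reach the HMI or the engineering workstation.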
If I were a billionaire I would spend every penny to have every prison hit with this at once.
Guess that's why I am not one.
People are shocked to see that standard PLCs are used in a wide range of industrial control applications.
It's almost like they were designed for being used in a wide variety of applications.
---
"I can't complain, but sometimes still do..." Joe Walsh
Alternate reading of the title: hackers could open convicts' cellphones and send their voice mail to some enterprising news organization.
"Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors."
They're going to spin the prison faster and faster until the cell doors shake off? Nice. I'd watch that.
And the skim. These PLC systems are more expensive. They seem sexy. And did I say they are expensive? More skim. Our jails are privatized. More prisoners equal more "customers". Get hard on crime (Looks good, Right?) More customers. More prisons. More skim. In the last twenty years the prison population has jumped from two hundred thousand to two million. One order of magnitude. When were the prisons privatized? (About twenty years ago it got into full swing as I recall.) It's a growth industry.
Prison lobby: "We need harsher laws and sentence guidelines." Pols: "We'll look good and be tough on crime." Three strikes. More prisoners. More prisons. More... skim.
You don't put in a five dollar valve when you can put in a ________ dollar PLC. (How much does a PLC cost I wonder?) More skim. So don't concern yourself with the logic of how to make a prison more secure. Concern yourself with the logic of how to make it more expensive and you will be thinking like a real leader of men.
Now, during the recession, we have a game changer with tight state budgets. Let's relax those cannabis laws. Uh oh. Less skim. w00t.
"No fear. No envy. No meanness." Liam Clancy
Stuxnet worked because they had detailed intel on the facility and operation. Now a short reminder of how Stuxnet was injected into the plant. It was a worm that looked for a computer that has the engineering software and the right project. The worm then modified the PLC's control code and the SCADA logic. To work, the modified project had to be downloaded onto the target devices. This was done by the engineers of the plant. All PLCs I know have a physical switch (often a key) that you need to set to download the PLC code. The reason this is done is security, not because of hackers, but because you don't want to bring your PLC offline by mistake on your nuclear power plant. It took Stuxnet ages to actually work and it only worked because it infected the master project before it was downloaded into the plant.
It is kind of difficult to apply this to prisons. You need a lot of inside info to pull this off. First, from the PLC code view of things the different locks, switches or sensors are only a bunch of DI/DO or AI/AO. So there is no predictable way you can influence them, other than toggle them all and see what happens. I think the entire system will then be taken offline quite fast. Then the same policy applies as in a power failure. To make any targeted attack you need intricate knowledge of the engineering project and facility layout. But even then you need to infect the master project and it needs to be downloaded onto the PLCs. This basically happens once, when the system is installed. You may get some differential downloads when components are fixed and updated, but that happens not too often.
Pulling something like this off is more along the lines of Mission Impossible than your average computer tug. Yes, I think that Stuxnet is material that could come directly from Hollywood. I don't know what went down with Stuxnet, but it must have been a hell of an operation, of which we only saw the tip of the iceberg.
Maybe, just maybe, it may be possible for some organized crime group or some country trying to pull out a political convict. But, honestly, getting a military grade helicopter and well trained mercenaries is far more cost-effective than trying to mess with the PLCs.
Though it might work in some of the city and county jails. But the state prisons here are all run off gear that is non-networked. Sure, some of the newer facilities might have VOIP phones or IP-based cameras in some areas, but you're still not going anywhere or getting much done in a TX state prison without a ring of keys. About the best you could hope for might be to shut off a camera. Which might work if you're coordinating a hit, but you're better off doing that during a medical transfer or something similar anyways. It'd be easier to bribe a guard to look the other way than any electronic attack.
That's all I can really speak from experience, because the only Federal facility I've been in was just a detainment center that was run by the local cops anyways, so it had the same methodology. The Harris County jail has a lot of unpatched, unprotected Windows PCs, but even the ones that are networked only go to the LAN and have no Internet access (I should know, I've gotten disciplinary action for getting a local sheriff's login [via shoulder-surfing] and using it while I was doing time in 1200 Baker Street, Houston, TX). And all movements and release are coordinated via an armband system that has a hard-copy of your picture (which almost all cops check, especially on prisoners like myself who are deemed "security threats" and "aggravated" - they're pretty serious about that shit, since apparently they've had some escapes by other high-security prisoners who managed to get ahold of another prisoner's armband and get released under that name; if you don't know one bit of information [like who bailed you out, or what all of your charges are - I kid you not, they quiz you fairly extensively on that before buzzing you into the steel cage that surrounds the magnetically-locked steel door that leads downstairs ATW exit - then they'll detain you and run all kinds of checks before letting you out...between that and their general laziness, it's no wonder that it takes up to 48 hours from when your bond or other release papers go through and when you actually walk onto the city street). You're not getting out of Harris County without inside help, period. You're far more likely to be able to escape from a state prison than a county jail in Texas, at least without some sort of serious injury or illness (and who wants to be on the run with a Hep C attack or after stabbing yourself? That kind of defeats the purpose of the word "run", eh?). 
Other than Harris County, all of the other city and county jails I've been in both in Texas and other states were dirt-primitive compared to modern technology. And the only state prison system I've been in has been in Texas, and I wasn't in that many units since my stay was only a few years and I was in administrative segregation for most of that time. And of course my time as a juvenile doesn't count, since that was back in the days when BBSes were high-tech communications and modems were almost priceless.
Anyways, I just thought I'd share some first-hand experience with computer systems and penology. Oh, though it is pretty funny that the county I live in right now (Fort Bend, which is right outside of Houston and much more pleasant, not to mention much more affordable as long as you don't mind getting up early to make the commute, but since I work long hours anyways that would happen regardless) uses their network closet (which is seriously stone-age) as temporary storage for prisoners getting visits (at least on the 2nd and 6th floors, which are the only ones I've been on since they're the high-security floors). I've been left alone before in the network closet (since my visit was relatively brief - I'm not one of those people that likes a lot of contact with the outside world when I'm doing time, plus that go-round I wasn't in for very long), where I was sitting there thinking about rewiring their LAN and their video system, but finally decided that they'd figure it out eventually and just add more time so it wasn't worth the short-term laughs. If I'd been in there for months or years instead of just a few weeks, I'd have decided differently, but I wasn't.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
just blow them up man, stop wasting billions keeping those serial murderers alive anyways....
"Shut down all garbage containers on the detention level!"
I think this would be beneficial if it happened in a Supermax. Hacker hacks, all those homicidors and arsonists get out of their cells rioting and then the wards shoot them dead for good. No more cost of food and shelter to the taxpayers to keep alive those who should have been hanged years or decades ago.
As President Jackson said, USA is built upon universal respect for three basic institutions: flag, motherhood and capital punishment. No public hangings means no public morals, that's why USA is sliding down-wards so quickly! In Venice, Italy every single week there was somebody hanging between the quayside columns of St. Mark's Place and their tiny, independent merchant republic lasted over 1000 years, despite all those foreign attacks. Will the USA make it to 250 yrs?
Norm, could you read me the number on the modem?