Slashdot Mirror
Hackers Could Open Convicts' Cells In Prisons
Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"
Why are the prison control systems connected to the Internet? Who thought that was a good idea?
Palm trees and 8
F1ST P0ST!
Or did everyone else get infected?
Not everyone else is in jail pressing F5.
It is dangerous to be right when the government is wrong.
Scatter a bunch of infected usb keys around the parking lot. Someone will insert it into a computer.
So, anyone want to guess whether people will react with "That security system is horrible." or with "Hackers can do anything." ?
Expect this to be a new thing in hollywood movies. I think it's about the only thing they HAVEN'T used for a prison escape!
Wouldn't a good old switchboard do?
All believable, right up to:
We could blow out all the electronics.
The best I can think of is turning on the entire HVAC system at the same instant, popping the circuit breakers to the facility.
Maybe you could turn the power to the TVs on and off every second until the switching power supplies blow, or maybe that wouldn't work..
The problem with getting "average joe" to infect a PLC, is PLCs and their systems are getting more complicated, to the point that only specialists mess with them. Its a temporary thing. In the past, they were too few to matter, in the future they'll be too complicated for all but specialists to have access. This is just a momentary thing where "joe average industrial maint electrician" could theoretically screw stuff up.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
The problem being the majority of these systems were designed at a time when malware and hacking were not as big an issue as today, common sense can stop most threats easily but, no internet access, restrict physical media. Sorted. On a bigger scale but, it really worries me, cyber warfare is here and nobody is prepared. Things are going to get messy, fun fun times are ahead. :)
In the first place the prison control network is likeley not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet a Token Passing bus topology. If it uses Gould/Modicon/SquareD/ Schneider it is probably Modbus Plus also a Token passing Bus Network. The PLC's will be executing Ladder Logic.
The Control Computer that the article talks about is only used to modify or create code for the PLC's and thereafter disconnected.It would usually only be reconnected for Maintenance reasons. The control of the unlocking or locking of cell doors is likeley by push button in the Guard control room and done through the PLC I/O.
The network is not going to be connected to the internet as that would be stupid.
This is you do it. You just break into the warden's office, find his PC, go to a command line and enter:
UNLOCK ALL INMATE DOORS
DEACTIVATE SECURITY SYSTEM
Then you smash the screen with a hammer so that no one can override the commands. It's simple.
What?
.
Prisencolinensinainciusol. Ol Rait!
Recall all the Stuxnet comments on how it was so unique and targeted it was.
The perfect safe digital weapon with layers of unique code to seek out a sub set of industrial units.
Now cost cutting Microsoft based programmable logic controllers are at risk in other areas...
Why are so many expensive unique projects connected to low end Windows code?
Domestic spying is now "Benign Information Gathering"
It must be traumatic to feel like there is a Bear in your mind (Assuming it is the grizzly kind, not the furry friendly kind), I wonder how the author can bare it?
You got control of the PLCs, started the emergency generator, set it to run at 75Hz, and forced it to connect to the mains? I'm thinking that might blow up a few bits and pieces of electronics.
Remember that Stuxnet was designed to use the PLCs to vary the frequency of the equipment.
No one ever had to evacuate a city because the solar panels broke!
The free market is a vague metaphor. Corporations and other financial interests are more concrete, and their influence on lawmaking is very real. Although I am not sure that their influence is to blame for a high incarceration rate.
It's hardly outrageous, though: Obviously the private prison system has a direct interest in it. Pharma doesn't directly profit from incarceration, but it does have an interest in harsh penalties on trading drugs that they don't control. Etc.
But clearly, there is a multitude of forces at work here. A culture of fear that encourages harsh sentences and incarceration over rehabilitation. A crazy divide between rich and poor and a bleak economic outlook. Poor education. Obviously some people will blame the free market (whatever they think that is) for many of these things, while others will do the opposite and demand an even free-er free market (whatever they think that is).
Switch back to Slashdot's D1 system.
Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.
There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in- the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet
So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is
By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.
Thats like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufactures. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.
/.'s have been alive and one thing I can say is that the only thing each manufacture's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.
I have been using PLCs for longer that some
Finally the biggest laugh for me in TFA was
The communications port is typically 9-pin RS-232 or EIA-485;
That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid sized PC system we have upgraded to Ethernet, Proifbus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being over priced are nothing compared to PLC manufacturers).
I am Slashdot. Are you Slashdot as well?
This IS scaremongering.
'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'
Right there.
Your average reader now doesn't visualize a circuit-board somewhere fizzing out and releasing some of that mythical white smoke.
He sees **BUM!***BUM!***EXPLOSIONS!!!***BADA-BUM!!*** instead.
Followed by rapists and serial killers and cannibals being armed with rocket launchers and AIDS and set loose onto a kindergarten city somewhere.
You know... a city made entirely out of kindergartens. And diaper factories.
Too bad Numb3rs was canceled...
Or there would now surely be an episode in the making about just such an escape attempt.
Fortunately, CSI: Miami is still on the air.
We may yet see 2 million convicts across USA blowing up prisons with internet viruses and then rampaging across the land... no... wait...
QUICK! Someone get me Michael Bay and Jerry Bruckheimer - I've got their next blockbuster right here!
Mit der Dummheit kämpfen Götter selbst vergebens
Yes You could have this done over Ethernet TCP/IP. You could bridge the local Control Net to the internet and this is done in some cases. You could program from a central location in the facility. There are many reasons that you may want to do that but the safety consideration of someone accidentally remotely turning on or off a valve or causing a robot to swing into a new position means it is not commonly done in the most automated of factories. Of course each system is custom engineered for an application so anything is possible.
I would imagine in a Prison there may be a reason to program from a remote (safe) location. But I see no need to do that from outside the prison walls.
"where would we, the working public, be, without prisons?"
Drowning in commas?
The free market has these things called lobbyists. Lobbyists control government because Congress either toes the line, or people will be elected who will.
Want to know who is deciding why we need more felonies every day, and why people need to get locked up, even though crime rates are not impacted? Definitely not government -- in reality, politicians want crime because it can be used as a hot button issue during election time.
The people who want the prisons stuffed with inmates is the private prison system.
This is the free market at work. Pure "capitalism" without any regulations of bribery, or controls on campaign contributions is what you see here. Pure capitalism means that the most ruthless, psychopathic people get to the top and stay there.
Regulations and laws are important. Capitalism doesn't build roads unless the market is there. Capitalism doesn't feed homeless unless there is PR to be gained. It doesn't care about national defense or crime unless people pay private security companies. It cares about the almighty bitcoin (or currency of choice) and that's it.
I guess history isn't taught anymore, or people would remember Frick, Standard Oil, Carnegie, and many other companies which thrived under a government that little to no regulation. It took a depression where the whole economy that was based on bad borrowing and a president with some balls to actually fix things.
Capitalism isn't all bad, but it needs regulation or else we end up with bank crisis after bank crisis, stock scams, and many other issues.
Well, criminals are evil, hackers are evil, OF COURSE they help each other! Just like the terrorists, communists and other boogymen du jour. They're all after us, they climb in our windows, they snatch our... ok, it gets old, but I just wanted to use that once. Just once.
But in this time and age, you have to scare people to get some funding. And if that scare is directing funding for a change towards more actual security instead of the usual security theater, I'm for it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Realism?
You never had to badger someone for a budget, did you? Painting a realistic picture, i.e. that yes, some thing might happen, but they're about as likely as you hitting the national lottery jackpot, will not get you funding.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Comment removed based on user account deletion
First off it shows a STUNNING lack of of any sort of thought on the part of the people in charge of security and system design, connecting ANY command and control system of any kind to the real internet is something that should never, ever, be done, peroid.
I don't care HOW convenient it is or how useful it is, it's painting a giant soft target on your system and anyone who does it should be fired.
Furthermore, anyone who takes a usb stick or other media and plugs it into a secure C&C system needs to be fired also, as a matter of fact such systems should probably be designed with little to no access to external media and any actually required access points should be as secured as possible.
As far as the systems go, designing a system in such a way that it is possible for software to actually destroy or even damage hardware is just fucking lazy, hardware should be (and traditionally is) designed to not exceed it's limits.
And yes, you can make the argument that a motherboard can be set to overclock till it destroys the CPU, but that's not a supposedly secure command & control system now is it? Those are different things for a reason.
Progress with programmable logic controllers has made them much more vulnerable. They used to be really dumb devices, often programmed by physically plugging in an EPROM. Their communications protocol tended to be some ancient multi-drop serial protocol like RS-485, or a vendor-specific proprietary network. The "host machine" tended to be some CPU on a card, connected to a dumb terminal or a control panel. This was dumb and static, but being totally isolated, secure from external intrusion.
Now, PLCs tend to be reprogrammable over their communications link. Some support Ethernet directly. The proprietary networks were all overpriced, and although Ethernet is overkill for most low-level controllers, the interface parts are cheaper, the cables are cheaper, the connectors are cheaper, and more interface devices are available. Also, 10baseT, which has differential signalling and error control, has better noise immunity than some of the lower-speed proprietary networks. I've used devices that have a built in web server just for configuration purposes. With no security.
Even if the low-level network is nonstandard, there's a tendency today to put in a gateway to an Ethernet. This allows connection to, inevitably, a PC running Windows, usually with some custom DLL from the controls vendor. (See page 9 of this Siemens brochure.) This often allows reprogramming the low level controllers from a PC. This is exactly the configuration that was used in the Iranian centrifuge facility.
Of course, once you have something that's IP over Ethernet with Windows machines on it, it tends to become accessible from the outside world. This is a recognized problem. Here's a Siemens paper on it. They talk about "firewalls" a lot, but don't go into much detail over what they really do. Note that they mention an engineering terminal use for system programming (a PC), physically outside the firewall, coming in through an encrypted VPN. That's a classic point of attack.
The trouble is that it's too convenient to have connections to external systems. The PLC system for lock control in a prison wouldn't seem to have to be connected to other systems. But there's going to be an inmate inventory system that tracks who is supposed to be in which cell. It's convenient if the interface to the locking system shows who is supposed to be where, and has important info like which prisoners are violent, which need extra medical attention, and such. Then you can have screens which show both door status and prisoner info.
But others need to talk to the prisoner inventory system. The system for food ordering needs info about how many inmates are in which parts of the prison and maybe their dietary needs. And the system for food ordering needs to talk to external suppliers to place orders. That means a link to outside the prison. This is the sort of thing which leads to a data path from non-critical to critical systems.
People are shocked to see that standard PLCs are used in a wide range of industrial control applications.
It's almost like they were designed for being used in a wide variety of applications.
---
"I can't complain, but sometimes still do..." Joe Walsh
"Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors."
They're going to spin the prison faster and faster until the cell doors shake off? Nice. I'd watch that.
Alternate reading of the title: hackers could open convicts' cellphones and send their voice mail to some enterprising news organization.
"enterprising news organization." That's hilarious.
The higher the technology, the sharper that two-edged sword.
If it weren't for labor's precious FDR fucking with SCOTUS for his precious reforms the vast majority of laws causing non-violent drug incarceration would not be constitutional.
I politely disagree - when you have corporation that have their hands on lawmakers strings, or you have lawmakers who are on the boards of various corporations/etc, you have the 'free market' influencing who is a criminal.
Want proof - read the front page of slashdot today. Or any other day .. the BSA, RIAA, etc ...
So, more realistically, it's the government who decides, with the influence of the free market.
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
And the skim. These PLC systems are more expensive. They seem sexy. And did I say they are expensive? More skim. Our jails are privatized. More prisoners equal more "customers". Get hard on crime (Looks good, Right?) More customers. More prisons. More skim. In the last twenty years the prison population has jumped from two hundred thousand to two million. One order of magnitude. When were the prisons privatized? (About twenty years ago it got into full swing as I recall.) It's a growth industry.
Prison lobby: "We need harsher laws and sentence guidelines." Pols: "We'll look good and be tough on crime." Three strikes. More prisoners. More prisons. More... skim.
You don't put in a five dollar valve when you can put in a ________ dollar PLC. (How much does a PLC cost I wonder?) More skim. So don't concern yourself with the logic of how to make a prison more secure. Concern yourself with the logic of how to make it more expensive and you will be thinking like a real leader of men.
Now, during the recession, we have a game changer with tight state budgets. Let's relax those cannabis laws. Uh oh. Less skim. w00t.
"No fear. No envy. No meanness." Liam Clancy
And give up a perfectly reasonable argument against sending hackers to prison?
Shaw Capital Management Warning You earn an automatic share on my Fb profile for writing this. This should be known by the whole school body so we are better informed on such dirty tactics.
Stuxnet worked because they had detailed intel on the facility and operation. Now a short reminder how stuxnet was injected into the plat. It was a worm that looked for a computer that has the engineering software and the right project. The worm then modified the PLCs control code and the SCADA logic. To work the modified project had to be downloaded onto the target devices. This was done by the engineers of the plant. All PLCs I know have a physical switch (often a key) that you need to set to download the PLC code. The reason this is done is security, not because of hackers, but because you don't want to bring your PLC offline by mistake on your nuclear power plant. It took stuxnet ages to actually work and only worked because it infected the a master project before it was downloaded into the plant.
It is kind of difficult to apply this to prisons. You need allot of inside info to pull this off. First form the PLC code view of things the different locks, switches or sensors are only a bunch of DI/DO or AI/AO. So there is not predictable way you can influence them, other than toggle them all and see what happens. I think the entire system will then be taken offline quite fast. Then the same policy applies as in a power failure. To make any targeted attack you need intricate knowledge of the engineering project and facility layout. But even then you need to infect the master project and it needs to be downloaded onto the PLCs. This basically happens once, when the system is installed. You may get some differential downloads when components are fixed and updated but that happens not to often.
Pulling something like this off is more along the lines of Mission Impossible than your average computer tug. Yes I think that stuxnet is material that could come directly from Hollywood. I don't know what went down with stuxnet, but is must have been a hell of an operation, of which we only saw the tip of the iceberg.
Maybe, just maybe, it may be possible for some organized crime or some country trying to pull out an political convict. But, honestly, getting a military grade helicopter and well trained mercenaries is far more cost effective that trying mess with the PLCs.
Though it might work in some of the city and county jails. But the state prisons here are all run off gear that is non-networked. Sure, some of the newer facilities might have VOIP phones or IP-based cameras in some areas, but you're still not going anywhere or getting much done in a TX state prison without a ring of keys. About the best you could hope for might be to shut off a camera. Which might work if you're coordinating a hit, but you're better off doing that during a medical transfer or something similar anyways. It'd be easier to bribe a guard to look the other way than any electronic attack.
That's all I can really speak from experience, because the only Federal facility I've been in was just a detainment center that was run by the local cops anyways, so it had the same methodology. The Harris County jail has a lot of unpatched, unprotected Windows PCs, but even the ones that are networked only go to the LAN and have no Internet access (I should know, I've gotten disciplinary action for getting a local sheriff's login [via shoulder-surfing] and using it while I was doing time in 1200 Baker Street, Houston, TX). And all movements and release are coordinated via an armband system that has a hard-copy of your picture (which almost all cops check, especially on prisoners like myself who are deemed "security threats" and "aggravated" - they're pretty serious about that shit, since apparently they've had some escapes by other high-security prisoners who managed to get ahold of another prisoner's armband and get released under that name; if you don't know one bit of information [like who bailed you out, or what all of your charges are - I kid you not, they quiz you fairly extensively on that before buzzing you into the steel cage that surrounds the magnetically-locked steel door that leads downstairs ATW exit - then they'll detain you and run all kinds of checks before letting you out...between that and their general laziness, it's no wonder that it takes up to 48 hours from when your bond or other release papers go through and when you actually walk onto the city street). You're not getting out of Harris County without inside help, period. You're far more likely to be able to escape from a state prison than a county jail in Texas, at least without some sort of serious injury or illness (and who wants to be on the run with a Hep C attack or after stabbing yourself? That kind of defeats the purpose of the word "run", eh?). Other than Harris County, all of the other city and county jails I've been in both in Texas and other states were dirt-primitive compared to modern technology. And the only state prison system I've been in has been in Texas, and I wasn't in that many units since my stay was only a few years and I was in administrative segregation for most of that time. And of course my time as a juvenile doesn't count, since that was back in the days when BBSes were high-tech communications and modems were almost priceless.
Anyways, I just thought I'd share some first-hand experience with computer systems and penology. Oh, though it is pretty funny that the county I live in right now (Fort Bend, which is right outside of Houston and much more pleasant, not to mention much more affordable as long as you don't mind getting up early to make the commute, but since I work long hours anyways that would happen regardless) uses their network closet (which is seriously stone-age) as temporary storage for prisoners getting visits (at least on the 2nd and 6th floors, which are the only ones I've been on since they're the high-security floors). I've been left alone before in the network closet (since my visit was relatively brief - I'm not one of those people that likes a lot of contact with the outside world when I'm doing time, plus that go-round I wasn't in for very long), where I was sitting there thinking about rewiring their LAN and their video system, but finally decided that they'd figure it out eventually and just add more time so it wasn't worth the short-term laughs. If I'd been in there for months or years instead of just a few weeks, I'd have decided differently, but I wasn't.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
just blow them up man, stop wasting billions keeping those serail murderers alive anyways....
My father was a sheriff and handled the prisons for our county. (Ironically, my grandfather was a felon for robbing a bank) Here's my 2.5 cents. We don't have more criminals than other nations, actually we're quite low in the number of offenses. But we do have mandatory sentencing and very long prison terms, so we have more criminals in the system. Every holiday, Thanksgiving for example, there would be 2 or 3 convicts invited to our house to have a good meal and a chance for a break from the prison grind. Usually the guys committed property or other non violent crime, but sometimes assault and battery. While in most other nations these criminals would server sentences ranging from 6-20 months, and was the case in the US decades ago, in our system today they now serve 3-5 years.
So you've got some dude that, for whatever reason, decided to rob a house or steal from a liquor store. He gets caught, you always do eventually, and end up in jail. He probably feels bad and remorseful, even if only because he got caught. Either way, you'll end up spending a decent chunk of time in the slammer that usually costs you your job and maybe even your family. Hence why my old man liked to bring these guys around. It wasn't charity. He'd invite them, they could turn him down or not. Nor were they expected to 'work it off' as so many people seem to think when I tell them this story.
Other things he did before mandatory sentencing became overbearing were;
1) Weekend prison stays for non-violent and first time offenders. There was an honor system involved in this. The idea being if you were truly sorry you'd do the time and be thankful you still had a job on the weekdays.
2) Work release programs where local businesses would hire prisoners for odds and ends. They got paid immediately, perhaps it was low I do not know, but it was real money that lots of guys gave to their families who needed it now that the bread winner was in the slammer.
3) Mock chain gangs. Prisoners who wanted a chance to leave the walls could dress up in the joke outfits and go around place to place singing stupid songs about prison life. Shools, malls, places like that.
4) A slew of other options for men to do their time with dignity. Decades ago, it was thought that surrounding normally decent people with true thugs was not such a good idea.
What happened in the last couple of decades was the use of metrics and statistics. Politicians could go out and say things like, "vote for me and I'll keep the prisoners in jail longer. Look at what [insert State here] did! They upped minimum sentences and now property theft is down 20%". Sounds good to a voter I suppose, however it's really kind of useless since it discounts better law enforcement and education in the first place, not to mention the dramatic increase in repeat offenses. The solution... "Longer prison terms for repeat offenders!" Now you rob a store that is occupied and it's jail for 15 years. You get caught with drugs 'next' (within 3 miles) of a school and you get tossed in the big house for 6 years. Good luck trying to not live withing 6 miles of a school, or robbing a store with people in it. I'm not trying to put on a liberal sob story, but from my very conservative point of view and upbringing things have dramatically changed. It's almost as if you've got nothing to lose, I mean hell, if you get caught you know you're done for the rest of your life so 'just go for it.' There are very few second chances, and almost no third chances. So in my opinions, prisons haven't become a place to punish criminals, they've become a place to get rid of them forever.
Keep in mind, the prisons I'm talking about are the majority of minimum or medium security facilities managed by counties. I'm not talking about the super-max industrial complexes. That's a whole different ball-o-wax, yet it does seem that they are growing while the others are shrinking due to the reasons cited above.
2.5 cents. Caveat emptor.
You should get a hold of Louis Theroux: Miami Mega Jail. Don't let the title put you off, Theroux (a Brit) often covers "tacky" topics, but does so in a very serious and insightful way. It's gonzo journalism.
Switch back to Slashdot's D1 system.