Slashdot Mirror
Hackers Could Open Convicts' Cells In Prisons
Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"
Why are the prison control systems connected to the Internet? Who thought that was a good idea?
Palm trees and 8
Expect this to be a new thing in hollywood movies. I think it's about the only thing they HAVEN'T used for a prison escape!
All believable, right up to:
We could blow out all the electronics.
The best I can think of is turning on the entire HVAC system at the same instant, popping the circuit breakers to the facility.
Maybe you could turn the power to the TVs on and off every second until the switching power supplies blow, or maybe that wouldn't work..
The problem with getting "average joe" to infect a PLC, is PLCs and their systems are getting more complicated, to the point that only specialists mess with them. Its a temporary thing. In the past, they were too few to matter, in the future they'll be too complicated for all but specialists to have access. This is just a momentary thing where "joe average industrial maint electrician" could theoretically screw stuff up.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
The problem being the majority of these systems were designed at a time when malware and hacking were not as big an issue as today, common sense can stop most threats easily but, no internet access, restrict physical media. Sorted. On a bigger scale but, it really worries me, cyber warfare is here and nobody is prepared. Things are going to get messy, fun fun times are ahead. :)
In the first place the prison control network is likeley not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet a Token Passing bus topology. If it uses Gould/Modicon/SquareD/ Schneider it is probably Modbus Plus also a Token passing Bus Network. The PLC's will be executing Ladder Logic.
The Control Computer that the article talks about is only used to modify or create code for the PLC's and thereafter disconnected.It would usually only be reconnected for Maintenance reasons. The control of the unlocking or locking of cell doors is likeley by push button in the Guard control room and done through the PLC I/O.
The network is not going to be connected to the internet as that would be stupid.
This is you do it. You just break into the warden's office, find his PC, go to a command line and enter:
UNLOCK ALL INMATE DOORS
DEACTIVATE SECURITY SYSTEM
Then you smash the screen with a hammer so that no one can override the commands. It's simple.
What?
.
Prisencolinensinainciusol. Ol Rait!
The free market is a vague metaphor. Corporations and other financial interests are more concrete, and their influence on lawmaking is very real. Although I am not sure that their influence is to blame for a high incarceration rate.
It's hardly outrageous, though: Obviously the private prison system has a direct interest in it. Pharma doesn't directly profit from incarceration, but it does have an interest in harsh penalties on trading drugs that they don't control. Etc.
But clearly, there is a multitude of forces at work here. A culture of fear that encourages harsh sentences and incarceration over rehabilitation. A crazy divide between rich and poor and a bleak economic outlook. Poor education. Obviously some people will blame the free market (whatever they think that is) for many of these things, while others will do the opposite and demand an even free-er free market (whatever they think that is).
Switch back to Slashdot's D1 system.
Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.
There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in- the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet
So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is
By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.
Thats like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufactures. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.
/.'s have been alive and one thing I can say is that the only thing each manufacture's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.
I have been using PLCs for longer that some
Finally the biggest laugh for me in TFA was
The communications port is typically 9-pin RS-232 or EIA-485;
That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid sized PC system we have upgraded to Ethernet, Proifbus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being over priced are nothing compared to PLC manufacturers).
I am Slashdot. Are you Slashdot as well?
This IS scaremongering.
'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'
Right there.
Your average reader now doesn't visualize a circuit-board somewhere fizzing out and releasing some of that mythical white smoke.
He sees **BUM!***BUM!***EXPLOSIONS!!!***BADA-BUM!!*** instead.
Followed by rapists and serial killers and cannibals being armed with rocket launchers and AIDS and set loose onto a kindergarten city somewhere.
You know... a city made entirely out of kindergartens. And diaper factories.
Too bad Numb3rs was canceled...
Or there would now surely be an episode in the making about just such an escape attempt.
Fortunately, CSI: Miami is still on the air.
We may yet see 2 million convicts across USA blowing up prisons with internet viruses and then rampaging across the land... no... wait...
QUICK! Someone get me Michael Bay and Jerry Bruckheimer - I've got their next blockbuster right here!
Mit der Dummheit kämpfen Götter selbst vergebens
The free market has these things called lobbyists. Lobbyists control government because Congress either toes the line, or people will be elected who will.
Want to know who is deciding why we need more felonies every day, and why people need to get locked up, even though crime rates are not impacted? Definitely not government -- in reality, politicians want crime because it can be used as a hot button issue during election time.
The people who want the prisons stuffed with inmates is the private prison system.
This is the free market at work. Pure "capitalism" without any regulations of bribery, or controls on campaign contributions is what you see here. Pure capitalism means that the most ruthless, psychopathic people get to the top and stay there.
Regulations and laws are important. Capitalism doesn't build roads unless the market is there. Capitalism doesn't feed homeless unless there is PR to be gained. It doesn't care about national defense or crime unless people pay private security companies. It cares about the almighty bitcoin (or currency of choice) and that's it.
I guess history isn't taught anymore, or people would remember Frick, Standard Oil, Carnegie, and many other companies which thrived under a government that little to no regulation. It took a depression where the whole economy that was based on bad borrowing and a president with some balls to actually fix things.
Capitalism isn't all bad, but it needs regulation or else we end up with bank crisis after bank crisis, stock scams, and many other issues.
Progress with programmable logic controllers has made them much more vulnerable. They used to be really dumb devices, often programmed by physically plugging in an EPROM. Their communications protocol tended to be some ancient multi-drop serial protocol like RS-485, or a vendor-specific proprietary network. The "host machine" tended to be some CPU on a card, connected to a dumb terminal or a control panel. This was dumb and static, but being totally isolated, secure from external intrusion.
Now, PLCs tend to be reprogrammable over their communications link. Some support Ethernet directly. The proprietary networks were all overpriced, and although Ethernet is overkill for most low-level controllers, the interface parts are cheaper, the cables are cheaper, the connectors are cheaper, and more interface devices are available. Also, 10baseT, which has differential signalling and error control, has better noise immunity than some of the lower-speed proprietary networks. I've used devices that have a built in web server just for configuration purposes. With no security.
Even if the low-level network is nonstandard, there's a tendency today to put in a gateway to an Ethernet. This allows connection to, inevitably, a PC running Windows, usually with some custom DLL from the controls vendor. (See page 9 of this Siemens brochure.) This often allows reprogramming the low level controllers from a PC. This is exactly the configuration that was used in the Iranian centrifuge facility.
Of course, once you have something that's IP over Ethernet with Windows machines on it, it tends to become accessible from the outside world. This is a recognized problem. Here's a Siemens paper on it. They talk about "firewalls" a lot, but don't go into much detail over what they really do. Note that they mention an engineering terminal use for system programming (a PC), physically outside the firewall, coming in through an encrypted VPN. That's a classic point of attack.
The trouble is that it's too convenient to have connections to external systems. The PLC system for lock control in a prison wouldn't seem to have to be connected to other systems. But there's going to be an inmate inventory system that tracks who is supposed to be in which cell. It's convenient if the interface to the locking system shows who is supposed to be where, and has important info like which prisoners are violent, which need extra medical attention, and such. Then you can have screens which show both door status and prisoner info.
But others need to talk to the prisoner inventory system. The system for food ordering needs info about how many inmates are in which parts of the prison and maybe their dietary needs. And the system for food ordering needs to talk to external suppliers to place orders. That means a link to outside the prison. This is the sort of thing which leads to a data path from non-critical to critical systems.
My father was a sheriff and handled the prisons for our county. (Ironically, my grandfather was a felon for robbing a bank) Here's my 2.5 cents. We don't have more criminals than other nations, actually we're quite low in the number of offenses. But we do have mandatory sentencing and very long prison terms, so we have more criminals in the system. Every holiday, Thanksgiving for example, there would be 2 or 3 convicts invited to our house to have a good meal and a chance for a break from the prison grind. Usually the guys committed property or other non violent crime, but sometimes assault and battery. While in most other nations these criminals would server sentences ranging from 6-20 months, and was the case in the US decades ago, in our system today they now serve 3-5 years.
So you've got some dude that, for whatever reason, decided to rob a house or steal from a liquor store. He gets caught, you always do eventually, and end up in jail. He probably feels bad and remorseful, even if only because he got caught. Either way, you'll end up spending a decent chunk of time in the slammer that usually costs you your job and maybe even your family. Hence why my old man liked to bring these guys around. It wasn't charity. He'd invite them, they could turn him down or not. Nor were they expected to 'work it off' as so many people seem to think when I tell them this story.
Other things he did before mandatory sentencing became overbearing were;
1) Weekend prison stays for non-violent and first time offenders. There was an honor system involved in this. The idea being if you were truly sorry you'd do the time and be thankful you still had a job on the weekdays.
2) Work release programs where local businesses would hire prisoners for odds and ends. They got paid immediately, perhaps it was low I do not know, but it was real money that lots of guys gave to their families who needed it now that the bread winner was in the slammer.
3) Mock chain gangs. Prisoners who wanted a chance to leave the walls could dress up in the joke outfits and go around place to place singing stupid songs about prison life. Shools, malls, places like that.
4) A slew of other options for men to do their time with dignity. Decades ago, it was thought that surrounding normally decent people with true thugs was not such a good idea.
What happened in the last couple of decades was the use of metrics and statistics. Politicians could go out and say things like, "vote for me and I'll keep the prisoners in jail longer. Look at what [insert State here] did! They upped minimum sentences and now property theft is down 20%". Sounds good to a voter I suppose, however it's really kind of useless since it discounts better law enforcement and education in the first place, not to mention the dramatic increase in repeat offenses. The solution... "Longer prison terms for repeat offenders!" Now you rob a store that is occupied and it's jail for 15 years. You get caught with drugs 'next' (within 3 miles) of a school and you get tossed in the big house for 6 years. Good luck trying to not live withing 6 miles of a school, or robbing a store with people in it. I'm not trying to put on a liberal sob story, but from my very conservative point of view and upbringing things have dramatically changed. It's almost as if you've got nothing to lose, I mean hell, if you get caught you know you're done for the rest of your life so 'just go for it.' There are very few second chances, and almost no third chances. So in my opinions, prisons haven't become a place to punish criminals, they've become a place to get rid of them forever.
Keep in mind, the prisons I'm talking about are the majority of minimum or medium security facilities managed by counties. I'm not talking about the super-max industrial complexes. That's a whole different ball-o-wax, yet it does seem that they are growing while the others are shrinking due to the reasons cited above.
2.5 cents. Caveat emptor.