Slashdot Mirror


Hackers Could Open Convicts' Cells In Prisons

Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"

10 of 203 comments

  1. Internet? by betterunixthanunix · · Score: 5, Insightful

    Why are the prison control systems connected to the Internet? Who thought that was a good idea?

    --
    Palm trees and 8
    1. Re:Internet? by vlm · · Score: 5, Insightful

      I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock? Also, why are the showers and everything electronically controlled? That's something most homes don't have.

      With more prisoners in the system than the rest of the world combined, for-profit private prisons automate to save money. That makes them cheaper than govt prisons, which forces the govt prisons to automate or else all their "guests" will get transferred to "save money by using the free market". In a race to the bottom, there is no opting out.

      By controlling the showers you can stop people from F-ing around during lockdown... If the guards have to go in to break up a fight, at least the water is off.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Internet? by DarkOx · · Score: 5, Interesting

      Well, there is a little more to running a modern prison than just sequestering and feeding the inmates. We have decided that we care about their health and safety as well.

      In the event it's necessary to evacuate the prison, say because there is a fire or something, central control of the locks would be very valuable. Much easier for the guards to grab the shotguns and rifles and say "Alright, we are evacuating to the yard. The doors are going to unlock; all of you then step out, hands in the air where we can see them, and form a line." than it would be for them to go through the cell block unlocking each cell or row of cells at a time.

      At the very least that would be a dangerous situation for the guards; already somewhat chaotic, they don't want to have their backs turned to other prisoners while they focus on operating a lock mechanism rather than their surroundings. I should expect the folks we keep locked in high security detention facilities are likely to be the sort that would try to take advantage of an unusual situation which may arise, and being able to lock and unlock all doors at the same time is one of the many ways prisons try to mitigate that risk.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:Internet? by SwedishChef · · Score: 4, Informative

      The PLCs (and their controllers) form their own network that is not connected to the Internet; it's not even TCP/IP.

      However... the desktop computers that interface with the controllers are often on the Internet because they use the local area network to communicate with both the controllers and get email, surf the web, etc. There is a close connection between the SCADA software on the desktop PC and the PLC so that if a sophisticated attack on that PC is successful then the attacker can have complete control over the PLC system.

      Worse yet... many of the PCs controlling the PLC systems are older versions of Windows because updates are expensive (usually requiring specialists from outside the plant due to the nature of the systems) so people tend to put them off. I've seen lots of desktops running NT, for instance.

      --
      No one ever had to evacuate a city because the solar panels broke!
    4. Re:Internet? by houghi · · Score: 4, Interesting

      To have remote access and that is the easiest way to do it. A leased line would be better.

      The reason to have it remotely is the same reason why access to some banks is done off premises. If there is a hostile situation, you still have control of those doors.

      The National Bank in Antwerp has a two-door entry. The second door only opens when the first door is closed. The person who controls the door is not on site. So if he sees that I want to enter and he does not want me to, he can't be physically forced to do so.

      I also assume that there is not one person who controls that door and there will be protocols as what to do in what situation.

      Getting access to the person onsite might be possible. Offsite is a whole different layer.

      --
      Don't fight for your country, if your country does not fight for you.
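    The two threads above (SwedishChef's point that a compromised SCADA/HMI PC reaches the PLC, and houghi's two-door interlock) can be shown together in a small model. This is an added example, not code from the paper, the researchers, Slashdot, or any PLC vendor. The register layout (an HMI-writable command table, hardwired door sensors and key switch), the door names, and the MAX_CELLS_OPEN limit are all assumptions made for illustration; real ladder logic is vendor-specific, as ControlsGeek and OzPeter note below.

```python
"""Toy model of a cell-block door PLC written as a ladder-logic scan cycle.

Constructed example (not from the paper or any vendor). Assumed layout:
  - hmi_unlock:     command bits the HMI/SCADA PC is allowed to write
  - door_closed:    hardwired door position sensors (True = closed)
  - evac_keyswitch: hardwired key input in the control room
  - unlock_coil:    PLC outputs that drive the locks
The rungs in scan() run on the PLC; the PC can only ask, the PLC decides.
"""
from dataclasses import dataclass, field

CELL_DOORS = ["C1", "C2", "C3", "C4"]          # hypothetical tag names
SP_OUTER, SP_INNER = "SP_OUTER", "SP_INNER"    # two-door sally port
MAX_CELLS_OPEN = 1                             # limit without the evac key


@dataclass
class PlcImage:
    hmi_unlock: dict = field(default_factory=dict)    # written by the PC
    door_closed: dict = field(default_factory=dict)   # hardwired sensors
    evac_keyswitch: bool = False                      # hardwired key input
    unlock_coil: dict = field(default_factory=dict)   # outputs to the locks


def fresh_image(all_closed=True):
    """All doors closed, nothing requested, every coil off."""
    img = PlcImage()
    for d in CELL_DOORS + [SP_OUTER, SP_INNER]:
        img.door_closed[d] = all_closed
        img.unlock_coil[d] = False
    return img


def scan(img):
    """One PLC scan. Rungs evaluate top to bottom, and a coil written by an
    earlier rung is visible to later rungs in the same scan, as in ladder logic."""
    def req(d):
        return img.hmi_unlock.get(d, False)

    # Rung 1 / 2: sally port. Each door may unlock only while the other is
    # closed and its coil is off. Because rung 1 runs first, a simultaneous
    # "unlock both" request from the PC opens only the outer door.
    img.unlock_coil[SP_OUTER] = (req(SP_OUTER)
                                 and img.door_closed[SP_INNER]
                                 and not img.unlock_coil[SP_INNER])
    img.unlock_coil[SP_INNER] = (req(SP_INNER)
                                 and img.door_closed[SP_OUTER]
                                 and not img.unlock_coil[SP_OUTER])

    # Rung 3: cell doors. Without the key switch at most MAX_CELLS_OPEN cells
    # may be open or unlocking at once; the key (the evacuation case) lifts
    # the limit. The limit lives here on the controller, not on the PC.
    already_open = sum(1 for d in CELL_DOORS if not img.door_closed[d])
    budget = len(CELL_DOORS) if img.evac_keyswitch \
        else max(0, MAX_CELLS_OPEN - already_open)
    for d in CELL_DOORS:
        if req(d) and img.door_closed[d] and budget > 0:
            img.unlock_coil[d] = True
            budget -= 1
        else:
            img.unlock_coil[d] = False
    return img


def compromised_hmi_unlock_all(img):
    """An attacker who owns the SCADA PC can set every command bit, but the
    coils are still whatever the PLC's rungs allow. Returns coils after one scan."""
    for d in CELL_DOORS + [SP_OUTER, SP_INNER]:
        img.hmi_unlock[d] = True
    scan(img)
    return dict(img.unlock_coil)


def compromised_plc_unlock_all(img):
    """The caveat in the summary: if the attacker can download new logic to
    the PLC itself, the interlock rungs no longer exist. Modelled as the
    attacker's replacement program driving every coil directly."""
    for d in CELL_DOORS + [SP_OUTER, SP_INNER]:
        img.unlock_coil[d] = True
    return dict(img.unlock_coil)


if __name__ == "__main__":
    print("HMI compromised, no key:", compromised_hmi_unlock_all(fresh_image()))
    img = fresh_image()
    img.evac_keyswitch = True
    print("HMI compromised, evac key:", compromised_hmi_unlock_all(img))
    print("PLC reprogrammed:", compromised_plc_unlock_all(fresh_image()))
```

    The design choice worth noticing is where the rule is enforced: interlocks in the controller survive a compromised desktop, which is the realistic path SwedishChef describes, but not a reprogrammed controller, which is what the summary's "once we take control of the PLC" claims. Whether the programming port is reachable from the HMI PC therefore matters more than whether the PC itself is on the Internet.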
  2. This article is Shite by ControlsGeek · · Score: 4, Informative

    In the first place the prison control network is likely not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet, a token-passing bus topology. If it uses Gould/Modicon/Square D/Schneider it is probably Modbus Plus, also a token-passing bus network. The PLCs will be executing Ladder Logic.
    The control computer that the article talks about is only used to modify or create code for the PLCs and thereafter disconnected. It would usually only be reconnected for maintenance reasons. The control of the unlocking or locking of cell doors is likely by push button in the guard control room and done through the PLC I/O.

    The network is not going to be connected to the internet as that would be stupid.

  3. No no no no..... by RevWaldo · · Score: 4, Funny

    This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter:

    UNLOCK ALL INMATE DOORS
    DEACTIVATE SECURITY SYSTEM

    Then you smash the screen with a hammer so that no one can override the commands. It's simple.

    What?

    .

    1. Re:No no no no..... by Clueless+Moron · · Score: 4, Funny

      This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter: UNLOCK ALL INMATE DOORS DEACTIVATE SECURITY SYSTEM .

      You left out a critical step. The computer will respond with ACCESS DENIED, at which point you type OVERRIDE

  4. Re:The free market by moonbender · · Score: 4, Insightful

    The free market is a vague metaphor. Corporations and other financial interests are more concrete, and their influence on lawmaking is very real. Although I am not sure that their influence is to blame for a high incarceration rate.

    It's hardly outrageous, though: Obviously the private prison system has a direct interest in it. Pharma doesn't directly profit from incarceration, but it does have an interest in harsh penalties on trading drugs that they don't control. Etc.

    But clearly, there is a multitude of forces at work here. A culture of fear that encourages harsh sentences and incarceration over rehabilitation. A crazy divide between rich and poor and a bleak economic outlook. Poor education. Obviously some people will blame the free market (whatever they think that is) for many of these things, while others will do the opposite and demand an even free-er free market (whatever they think that is).

    --
    Switch back to Slashdot's D1 system.
  5. Lots of scary buzz words by OzPeter · · Score: 5, Informative
    TFA has lots of security related buzzwords, but for me the meat in TFA is buried down in

    Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.

    There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in-the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet

    So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is

    By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.

    That's like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufacturers. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.

    I have been using PLCs for longer than some /.'s have been alive and one thing I can say is that the only thing each manufacturer's PLC has in common with the others is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.

    Finally the biggest laugh for me in TFA was

    The communications port is typically 9-pin RS-232 or EIA-485;

    That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid-sized PLC system we have upgraded to Ethernet, Profibus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being over priced are nothing compared to PLC manufacturers).

    --
    I am Slashdot. Are you Slashdot as well?