Hackers Could Open Convicts' Cells In Prisons

Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"

Internet?

[betterunixthanunix]

Why are the prison control systems connected to the Internet? Who thought that was a good idea?

Re:Internet?

[vlm]

I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock? Also, why are the showers and everything electronically controlled? That's something most homes don't have.

With more prisoners in the system than the rest of the world combined, for profit private prisons automate to save money. That makes them cheaper that govt prisons, which forces the govt prisons to automate or else all their "guests" will get transferred to "save money by using the free market". In a race to the bottom, there is no opting out.

By controlling the showers you can stop people from F-ing around during lockdown... If the guards have to go in to break up a fight, at least the water is off.

Re:Internet?

[DarkOx]

Well there is a little more than to running a modern prison then just sequestering and feeding the inmates. We have decided that we care about their health and safety as well.

In the event its necessary to evacuate the prison, say because there is a fire or something, central control of the locks would be very valuable. Much easier for the guards to grab the shotguns and rifles and say "Alright we are evacuating to the yard, the doors are going to unlock all of you then step out hands in the air were we can see them and form a line." than it would be for them to go through the cell block unlocking each cell or row of cells at time.

At the very least that would be a dangerous situation for the guards, already somewhat chaotic they don't want to have their backs turned to other prisoners while they focus on operating a lock mechanism rather than their surroundings. I should expect the folks we keep locked in high security detention facilities are likely to be the sort that would try to take advantage of an unusual situation which may arise, and being able to lock and unlock all doors at the same time is one of the many ways prions try and mitigate that risk.

Lots of scary buzz words

[OzPeter]

TFA has lots of security related buzzwords, but for me the meat in TFA is buried down in

Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.

There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in- the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet

So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is

By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.

Thats like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufactures. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.

I have been using PLCs for longer that some /.'s have been alive and one thing I can say is that the only thing each manufacture's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.

Finally the biggest laugh for me in TFA was

The communications port is typically 9-pin RS-232 or EIA-485;

That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid sized PC system we have upgraded to Ethernet, Proifbus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being over priced are nothing compared to PLC manufacturers).