Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerabilities Discovered In Prison SCADA Systems

Posted by Unknown on from the release-the-prisoners dept.

phaedrus5001 writes with an excerpt from an Ars Technica article: "Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. ... The researchers began their work after [John] Strauchs was called in by a warden to investigate an incident in which all the cell doors on one prison's death row spontaneously opened."

13 of 128 comments (clear)

  1. Re:Repeat (sort of) by Stone+Rhino · · Score: 4, Informative

    Slashdot ate the link. here:
    http://www.wired.com/threatlevel/2011/07/prison-plc-vulnerabilities/

    --


    Remember, there were no nuclear weapons before women were allowed to vote.
  2. Definitely not unexpected... by Anonymous Coward · · Score: 3, Interesting

    The US has a corrections industry with an extremely strong lobby that pushes not just Congress, but judges (whom are elected) to be "tough on crime", or else they will be replaced by people on the bench who are.

    Of course, handing over this to the private sector means that any security other than the obvious is done at the bottom most cost.

    So, if one would expect a prison locking system to actually be secure from clued people, it wasn't in the contract and paid for, so it wasn't done. It is only a matter of time before this is used for hits on well known prisoners, either by people paid by rich victims, or a gang who managed to hire or coerce someone with IT knowledge.

    Think COs wouldn't stick a USB flash drive into a machine and run stuff? A good number actually wouldn't and stay to their sworn oath. Others would plug a USB flash drive into a computer either out of curiosity, or because they are getting paid by other people in a prison gang. Smuggling a Stuxnet variant in on a fingernail sized drive is a whole lot easier than smuggling in a bag of weed or meth.

  3. Re:omg, quick, someone spend money!!! by Pseudonym+Authority · · Score: 4, Funny

    So the guards can telecommute.

  4. lost in translation by canipeal · · Score: 2

    I guess those 9 year old kids in China took the term jail break....literally.

  5. Have we learned nothing from NetForce? by freeze128 · · Score: 2

    Exactly. Hackers cannot remotely open cell doors if you connect the controls to any network. There is nothing wrong with a big lever and 2 armed guards.

    1. Re:Have we learned nothing from NetForce? by aintnostranger · · Score: 2

      +1 . There is such a thing as too much automatization/computerization

    2. Re:Have we learned nothing from NetForce? by brokeninside · · Score: 2

      There is that, but the social engineering element exists whether the automated system is in place or not. Say there is a manual lever that opens all jail cells at once in one prison and a fully automated computerized system in another. In the first prison, the guard on duty, gets the text message (or phone call, or signed order) and hits the lever, opening all the doors. In the second prison, the guard on duty, gets the text message (or phone call, or signed order) and clicks a button with a mouse, opening all the doors. The only way to eliminate social engineering from the equation is to eliminate any sort of manual override from the computerized system. And I can't imagine that anything might possibly go wrong with a prison with cells which no human agent can open.

      But what the second system adds to the equation is that the fully automated computerized system is now also vulnerable to digital attacks whether they come through back doors hidden by the vendor, trojans spread either through sneakernet or the Internet, viruses, bugs, etcetera.

  6. Easy... by bigtrike · · Score: 2

    Get ahold of metal, make lock pick. Steal key from guard, wait, insert, turn. Make mold out of soap, melt metal into it, insert into lock and turn.

  7. Re:remote maintenance / outside companies. nuke pl by wvmarle · · Score: 2

    Stuxnet managed to infiltrate Iran's nuclear facilities. There is no reason to believe security there is less stringent than it is in the US, Iran is possibly even more paranoid than the US is. There is also of course no reason to believe that Iranian scientists are harder to "social engineer" into sticking an infected USB key in a secure system than US scientists are - and that was the way the internal system got infected to begin with. Prison guards are probably easier to handle that way than scientists.

  8. Where are those numbers from? by brokeninside · · Score: 2

    Unless you're talking about a single cell in a municipal jail in some small town somewhere, I'm highly dubious that any serious vendor is offering a SCADA system for jail cells on the order of $20k for installation and an annual support contract of $400.

    1. Re:Where are those numbers from? by CastrTroy · · Score: 2

      Also, you still need the armed guards.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  9. You're probably correct on that, but . . . by brokeninside · · Score: 2

    . . . the point, from a security perspective, is that if such things can happen because of machine or user error, then they can also be made to happen intentionally by an attacker. And, if it was machine error, that suggests than a would be attacker will be able to duplicate the error condition entirely computationally with no need for human interaction.

  10. Re:Sure, then multiply by one thousand by jbengt · · Score: 3, Informative

    Last time I was in prison (on work) was a long time ago, before digital controls became ubiquitous. Opening every door to every cell would have been a big problem where the worst criminals were. (Some were known to do fun things like throw shit (literally) on guards when they walked by.) However, to get out of a cell block, and again to get out of the inner yard, and again to get outside of the prison walls, one had to walk through 10 foot long vestibules with guards at each end. The doors of the vestibule were hard-wired so that one could not open unless the other was closed.