
Hackable flaw found in US prisons' computerized security systems


Security holes in the computer systems of federal prisons in the United States can effectively allow hackers to trigger a jailbreak by remote control.
 
A group of researchers disclosed the vulnerability at the Hacker Halted information security conference in Miami last Oct. 26, the Washington Times reported.
 
The report said the researchers showed how the flaws allowed outsiders to potentially remotely take over systems to open and overload cell door mechanisms and shut down internal communications systems.
 
“You could open every cell door, and the system would be telling the control room they are all closed,” said John Strauchs, a former Central Intelligence Agency officer who helped develop the cyber-attack on a simulated prison computer system.
 
“Personally, I think the greatest danger is assassination. You create chaos as a way to [implement a plan to] kill someone,” he added.
 
For its part, the US Federal Bureau of Prisons said it is aware of the research and taking it seriously.
 
"(We are) aware of this research and taking it very seriously," the Washington Times quoted Federal Bureau of Prisons spokesman Chris Burke as saying.
 
Sean P. McGurk, who led the Department of Homeland Security’s efforts to secure ICS until leaving in September, said the department had looked into the researchers’ claims using the special ICS computer test bed at the Idaho National Laboratory.
 
“We validated the researchers’ initial assertion … that they could remotely reprogram and manipulate” the special software controllers that run the systems, he said.
 
Industrial Control Systems
 
Strauchs noted the security systems in most American prisons are run by special computer equipment called industrial control systems (ICS).
 
ICSs, which control power plants, water treatment facilities and other critical national infrastructure, have increasingly been targeted by hackers because an attack on one such system successfully sabotaged Iran’s nuclear program in 2009, the Washington Times report said.
 
But he said a malicious cyber-intruder could “destroy the doors,” by overloading the electrical system that controls them, locking them permanently open.
 
He added that hackers could “shut down secure communications” through the prison intercom system and crash the facility’s closed-circuit television system, blanking out all the monitors.
 
Joining him in his research were his daughter Tiffany Rad, and Teague Newman.
 
Internet connection
 
Newman noted ICS systems are not supposed to be connected to the Internet.
 
“But in our experience, there were often connections” to other networks or devices, which were in turn connected to the Internet, he said.
 
On the other hand, some of the facilities the team visited had guards using the same computer that controls the prison’s security systems to check their personal email.
 
This makes them potentially accessible to hackers, he said.
 
Even systems that were successfully cut off from the Internet could be attacked by malicious insiders or anyone with enough access to insert a thumb drive into a computer work station, Strauchs said.
 
“The most likely vector would be to bribe a prison guard to insert a USB drive with malicious programming. Hard to stop and hard to find out who did it,” he said.
 
Less than $2,500
 
Tech site ArsTechnica said the researchers spent less than $2,500 to develop the attacks that could take control of prisons' ICSs.
 
The researchers started their work after Strauchs was called in to investigate an incident in which all the cell doors on one prison's death row spontaneously opened.
 
While the computers used for the supervisory control and data acquisition (SCADA) systems that control prison doors and other systems should not, in theory, be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed, ArsTechnica said.
 
"In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems. But even in the absence of an Internet connection, the researchers found, a Stuxnet-like attack could be brought in on a flash drive and introduced into the network, either through social engineering or through the actions of a bribed guard or other prison employee," it said. — TJD, GMA News