Have an account?
It looks like you're new here. If you want to get involved, click one of these buttons!
Apply for Membership
Who's Online (1)
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
General Security Discussions
Researchers Say Vulnerabilities Could Let Hackers Spring Prisoners From Cells
Vulnerabilities in electronic systems that control prison doors could allow hackers or others to spring prisoners from their jail cells, according to researchers.
Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the countryâ€™s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.
Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. â€” including eight maximum-security prisons â€” says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.
â€œMost people donâ€™t know how a prison or jail is designed, thatâ€™s why no one has ever paid attention to it,â€ says Strauchs. â€œHow many people know theyâ€™re built with the same kind of PLC used in centrifuges?â€
PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German-conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones. Stuxnetâ€™s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the countryâ€™s uranium enrichment capabilities.
Though Siemens PLCs are used in some prisons, theyâ€™re a relatively small player in that market, Strauchs says. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.
Strauchs, who lists a stint as a former CIA operations officer on his bio, became interested in testing PLCs after hearing about the systems Stuxnet targeted and realizing that he had installed similar systems in prisons years ago. He, along with his daughter Tiffany Rad, president of ELCnetworks, and independent researcher Teague Newman, purchased a Siemens PLC to examine it for vulnerabilities, then worked with another researcher, who prefers to remain anonymous and goes by the handle â€œDora the SCADA explorer,â€ who wrote three exploits for vulnerabilities they found.
â€œWithin three hours we had written a program to exploit the [Siemens] PLC we were testing,â€ said Rad, noting that it cost them just $2,500 to acquire everything they needed to research the vulnerabilities and develop the exploits.
â€œWe acquired the product legally; we have a license for it. But itâ€™s easy to get it off [eBay] for $500,â€ she said. â€œAnyone can do it if they have the desire.â€
They recently met with the FBI and other federal agencies they wonâ€™t name to discuss the vulnerabilities and their upcoming demonstration.
â€œThey agreed we should address it,â€ Strauchs said. â€œThey werenâ€™t happy, but they said itâ€™s probably a good thing what youâ€™re doing.â€
Strauchs says the vulnerabilities exist in the basic architecture of the prison PLCs, many of which use Ladder Logic programming and a communications protocol that had no security protections built into it when it was designed years ago. There are also vulnerabilities in the control computers, many of which are Windows-based machines, that monitor and program PLCs.
â€œThe vulnerabilities are inherently due to the actual use of the PLC, the one-point-controlling-many,â€ Rad said. â€œUpon gaining access to the computer that monitors, controls or programs the PLC, you then take control of that PLC.â€
A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also other computers in non-essential parts of prisons, such as commissaries and laundry rooms, that shouldnâ€™t be, but sometimes are, connected to networks that control critical functions.
â€œBear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,â€ the researchers write in a paper theyâ€™ve released (.pdf) on the topic. â€œAccess to any part, such as a remote intercom station, might provide access to all parts.â€
Strauchs adds that â€œonce we take control of the PLC we can do anything. Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.â€
Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Strauchs says a hacker could design an attack to over-ride the cascade release to open all of the doors simultaneously and overload the system.
An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but Strauchs explains that the PLC provides feedback to the control system each time it receives a command, such as â€œkitchen door east opened.â€ A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.
While PLCs themselves need to be better secured to eliminate vulnerabilities inherent in them, Newman says prison facilities also need to update and enforce acceptable-use policies on their computers so that workers donâ€™t connect critical systems to the internet or allow removable media, such as USB sticks, to be installed on them.
â€œWeâ€™re making the connection closer between what happened with Stuxnet and what could happen in facilities that put lives at risk,â€ he said.
Photo: Folsom prison inmate Joseph Sweet uses his mirror to look at California Republican lawmakers visiting the inside of Folsom Prison, in Represa, Calif. By Brian Baer/AP.
http://packetstormsecurity.org/news/vie ... Cells.html
Wow, very nice find! Things like Stuxnet intrigue me...
Wow, that's really interesting and crazy.
Classic prison break is still best. Maybe they'll make a new season incorporating this! :P
Nice read, thanks!
Nice, interesting read, thanks :)
No problem, I knew you would find it interesting and that's why I posted it ;)
Add a Comment