When you think “prison” you think “security.” Iron bars, guards, high walls, barbed wire, and … insecure computer networks? Granted, that last one doesn’t exactly leap to mind, but maybe it should, according to research by Tiffany Rad, Teague Newman, and John Strauchs, which has shown that it’s startlingly easy to gain external access to prisons’ industrial control systems, allowing them to do things like open the doors. The tattoos were pretty awesome, Scofield, but maybe the cyber-approach would have been a better bet.
When presenting their findings at the October 26 Hacker Halted conference, the trio revealed that with $2,500, no prior knowledge of prison security systems, and a few long nights coding in a basement, they could pretty reliably gain access to the systems that controlled all of the prisons’ mechanized security measures.
The main vulnerability seems to be that while most prison security systems aren’t supposed to be connected to the Internet (for good reason), many of them actually are. In fact, the trio found that every system they looked at was connected to the Internet in one way or another. Sometimes, the link had to do with automatic software maintenance or, in more egregious cases, prison staff used the same computers to do prison-y things and surf the web. Even in the absence of an Internet connection, most systems proved to be less than secure and would actually be vulnerable to a simple Stuxnet-like attack brought in on a USB drive — something that would be fairly trivial to bribe, or trick, someone into doing.
Once the systems are compromised, it’s open season and the hackers have the power to do all kinds of things. One of the most interesting possibilities is the ability to open prison cell doors while allowing the control software to continue to report that, “Nah, they’re closed bro. It’s all cool. I got this.” Obviously, this is not a good thing, and would be especially useful for things like prisoner assassination.
The data has been delivered to federal prison authorities and the Department of Homeland Security, who have confirmed that these vulnerabilities are an issue, and are getting right on tightening things up, for obvious reasons. Still, this just betrays the danger of an Internet connection. If being connected to the Internet constitutes a security risk, this kind of problem will only become more prevalent in the future. What happens once our cars are all online, or our synthetic organs, or worse, our washing machines? Can you live in a world where hackers might be able to remotely start your laundry at any time they please? I’m not sure I can.
(via Ars Technica)
- Hide your car
- Hide your insulin pump
- And hide your Sesame Street YouTube channel, cuz they’re hacking everything out here