Computer systems used to control federal prison facilities are riddled with vulnerabilities that might allow criminals to meddle with cell door opening mechanisms or shut down internal communications systems, according to security researchers.
The vulnerabilities – which stem from flaws in industrial control systems and programmable logic controllers – were demonstrated by a team led by John Strauchs, who demonstrated the flaws at the recent Hacker Halted information security conference in Miami. Despite having no previous experience with SCADA (industrial control) kit, Strauchs and his colleagues were able to develop workable exploits, validated using a test rig that cost just $2,500 to construct in the basement of his research partner, Teague Newman. Strauchs' daughter – attorney, professor and computer security researcher Tiffany Strauchs Rad – also contributed in the research.
The resulting talk, SCADA And PLC Vulnerabilities In Correctional Facilities (abstract below), sounds absolutely gripping.
On Christmas Eve, a call was made from a prison warden: all of the cells on death row popped open. Many prisons and jails use SCADA systems with PLCs to open and close doors. Not sure why or if it would happen, the warden called physical security design engineer, John Strauchs, to investigate. As a result of their Stuxnet research, Rad and Newman have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to “open” or “locked closed” on cell doors and gates. Using original and publically available exploits along with evaluating vulnerabilities in electronic and physical security designs, this talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.
The researchers have turned over a dossier on their findings to state and federal prison authorities, who have good reason to take its findings seriously. "We validated the researchers’ initial assertion ... that they could remotely reprogram and manipulate [the ICS software and controllers]," Sean P McGurk, a former Department of Homeland Security cybersecurity director, told the Washington Times.
Possible exploits include overloading the electrical system that controls prison doors, locking them permanently open, or crashing either CCTV or prison intercom systems.
Strauchs began his project to investigate the security of industrial control systems in prisons after he was asked to investigate an incident during which all the cell doors on one (unnamed) prison's death row spontaneously opened. The cause was eventually traced back to a random power surge, but the incident got Strauchs thinking and prompted him to have a closer look at the security of industrial control systems in prisons.
Industrial control systems in prisons have no business being connected to the internet. Despite this, the team of researchers led by Strauchs discovered every prison system they looked at was connected to the internet one way or another.
In some cases, for example, the internet connection was set up so that remote maintenance of the kit could be carried out without the need for contractors to visit the jail. In other cases networks used to enable prison staff to access the net were poorly segmented from SCADA control systems. Infected USB drives contaminated with a Stuxnet-style worm posed another, wholly unguarded infection vector. SCADA systems might be deprogrammed by malware of this type either accidentally or (more plausibly) by either bribing or blackmailing a prison guard. A targeted malware-infected email might also be used to introduce a SCADA worm into a prison environment.
"You could open every cell door, and the system would be telling the control room they are all closed," Strauchs, a former CIA operations officer, told the Washington Times.
Anyone who got out of their cell this way would still have prison guards, dogs, guns and barbed wire to contend with if they hoped to escape. Strauchs said a more plausible scenario might be that the security weakness was exploited to slip assassins out of their cells in order to gain access to a targeted prisoner. ®