Researchers Say Vulnerabilities Could Let Hackers Spring Prisoners From Cells
Of course, if prisons using PLCs are vulnerable to computer-based attacks, so are any facilities that use SCADA systems in access control, to the extent that such control systems are either accessible from the Internet, or vulnerable to a “poisoned USB key” attack.
Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. — including eight maximum-security prisons — says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.
“Most people don’t know how a prison or jail is designed, that’s why no one has ever paid attention to it,” says Strauchs. “How many people know they’re built with the same kind of PLC used in centrifuges?”
PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones. Stuxnet’s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the country’s uranium enrichment capabilities.
Diagram showing the typical parts of a PLC used for door-control systems. Image courtesy of Teague Newman
Though Siemens PLCs are used in some prisons, they’re a relatively small player in that market, Strauchs says. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.
“Within three hours we had written a program to exploit the [Siemens] PLC we were testing,” said Rad, noting that it cost them just $2,500 to acquire everything they needed to research the vulnerabilities and develop the exploits.
“We acquired the product legally; we have a license for it. But it’s easy to get it off [eBay] for $500,” she said. “Anyone can do it if they have the desire.”
They recently met with the FBI and other federal agencies they won’t name to discuss the vulnerabilities and their upcoming demonstration.
“They agreed we should address it,” Strauchs said. “They weren’t happy, but they said it’s probably a good thing what you’re doing.”
A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or by sending it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also other computers in non-essential parts of prisons, such as commissaries and laundry rooms, that shouldn’t be, but sometimes are, connected to networks that control critical functions.
Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Strauchs says a hacker could design an attack to override the cascade release to open all of the doors simultaneously and overload the system.
An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but Strauchs explains that the PLC provides feedback to the control system each time it receives a command, such as “kitchen door east opened.” A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.
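For defenders, the cascade behavior and the per-command feedback described above suggest two monitoring rules: alert when more doors open inside a short window than the cascade allows, and alert when a door reports open with no matching operator command. The sketch below is an added example, not code from the researchers or any vendor; the log format, the `cmd=` field, the group size and the window are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values): the cascade release opens at most
# GROUP_SIZE doors inside any WINDOW.
GROUP_SIZE = 2
WINDOW = timedelta(seconds=5)

# Constructed sample feedback lines: "<ISO time> <door> <state> cmd=<source>".
# cmd=none is an assumed marker for "no operator command was logged".
SAMPLE_EVENTS = """\
2011-08-01T02:00:00 cell-101 opened cmd=console
2011-08-01T02:00:01 cell-102 opened cmd=console
2011-08-01T02:00:10 cell-103 opened cmd=console
2011-08-01T02:00:11 cell-104 opened cmd=console
2011-08-01T02:30:00 kitchen-east opened cmd=none
2011-08-01T03:00:00 cell-101 opened cmd=console
2011-08-01T03:00:00 cell-102 opened cmd=console
2011-08-01T03:00:01 cell-103 opened cmd=console
2011-08-01T03:00:01 cell-104 opened cmd=console
"""

def parse(line):
    """Split one feedback line into (time, door, state, command source)."""
    ts, door, state, cmd = line.split()
    return datetime.fromisoformat(ts), door, state, cmd.split("=", 1)[1]

def find_anomalies(text, group_size=GROUP_SIZE, window=WINDOW):
    """Return (timestamp, reason) alerts for a door-feedback stream."""
    alerts = []
    recent = deque()   # times of door opens still inside the sliding window
    bursting = False   # report each burst once, not once per extra door
    for line in filter(str.strip, text.splitlines()):
        ts, door, state, source = parse(line)
        if state != "opened":
            continue
        if source == "none":
            alerts.append((ts, f"{door} opened with no operator command"))
        recent.append(ts)
        while ts - recent[0] > window:   # never empties: ts itself is in it
            recent.popleft()
        over = len(recent) > group_size
        if over and not bursting:
            secs = int(window.total_seconds())
            alerts.append((ts, f"{len(recent)} doors opened within {secs}s; "
                               f"cascade limit is {group_size}"))
        bursting = over
    return alerts

if __name__ == "__main__":
    for when, reason in find_anomalies(SAMPLE_EVENTS):
        print(when.isoformat(), reason)
```

On the constructed sample, the two staggered groups at 02:00 pass, while the uncommanded kitchen door and the 03:00 burst are flagged.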
“We’re making the connection closer between what happened with Stuxnet and what could happen in facilities that put lives at risk,” he said.