Study: Serious security holes in US prisons
At the Hacker Halted conference in Miami, security specialists demonstrated how attackers could gain control of the control and locking systems used in US prisons. John Strauchs (IT advisor to more than 114 US judicial institutions), Tiffany Rad (IT researcher and lecturer) and Teague Newman (cyber crime specialist) presented their results in a report entitled "SCADA & PLC Vulnerabilities in Correctional Facilities".
According to the report, Strauchs' team replicated the prison control system, which is based on popular industry standards, using a budget of only €1,800. The experts said that, among other things, they set up scenarios in which they attempted to compromise the IT systems via known security holes such as those exploited by the Stuxnet worm. These holes could reportedly allow attackers to open cell doors and even disable alarms. The researchers explained that most of the IT systems are PLCs (programmable logic controllers) similar to those used to monitor and control industrial systems. They added that in prisons, such components are used to control prison doors, CCTV and alarm systems, and lighting.
The experts noted that a key element of the attack scenarios is that prison control computers usually have an internet connection, and that prison staff can also use these computers for other tasks (for instance to browse the net or check their email). However, they said that prison internet connections can't be severed completely because they are still required for installing updates. The researchers recommend that the mostly obsolete systems be upgraded as a matter of urgency, that they be given state-of-the-art IT security components, and that they be used only for their intended purpose.
The experts have discussed their work in detail in a video interview.