Hackers Could Open Convicts' Cells In Prisons 203
Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or by sending it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"
Internet? (Score:5, Insightful)
Re: (Score:2)
most of them are not. but that's irrelevant, as most have network nodes across the entire prison. it would really have to be a targeted attack anyways, as you'd need to know which plc's they're using and so forth. but the point is, it's just a couple of grand in hardware after you know what's in use in that specific prison.
Re:Internet? (Score:5, Informative)
The PLCs (and their controllers) form their own network that is not connected to the Internet; it's not even TCP/IP.
However... the desktop computers that interface with the controllers are often on the Internet because they use the local area network to communicate with both the controllers and get email, surf the web, etc. There is a close connection between the SCADA software on the desktop PC and the PLC so that if a sophisticated attack on that PC is successful then the attacker can have complete control over the PLC system.
Worse yet... many of the PCs controlling the PLC systems are older versions of Windows because updates are expensive (usually requiring specialists from outside the plant due to the nature of the systems) so people tend to put them off. I've seen lots of desktops running NT, for instance.
Re: (Score:2)
Not completely true. ProfiNet, Modbus/TCP, EtherNet/IP, FINS, BACnet are all communication over ethernet tcp/ip stacks to the scada system and capable of issuing write commands. But then again perhaps prisons are using DCS style hardwired systems. Now the control system operating drives, switches, sensors or whatever are generally going to use some other system like Modbus, CAN, I2C, ... but even then EtherCAT, EtherNet/IP are industrially used for plcs to talk to drives and sensors if you want.
The scada
Re: (Score:2)
I'm more worried about DNP3 substations than prisons since power companies tend to have a unified system and spread out over long distances though they know that.
I've said it on many occasions that a single person with a 4wd vehicle, and a high powered rifle with a scope could do more damage to the power system in a short time and do it more easily than anyone with a keyboard and a computer.
Re: (Score:2)
Having said that I really do hope that the EEs who know the system best (IE the ones who actually keep the grid running) have removed line of sight from the most vulnerable junctions.
A simple question for you to consider: How do you hide transmission lines from line-of-sight?
Re: (Score:2)
Having said that I really do hope that the EEs who know the system best (IE the ones who actually keep the grid running) have removed line of sight from the most vulnerable junctions.
A simple question for you to consider: How do you hide transmission lines from line-of-sight?
The problem is you pop a hole in the bottom of an oil cooled transformer and as fast as the oil can run out, it'll overheat and shut down, or overheat and catch fire. Every hunting season at a previous job we used to lose power to a repeater site or two from that form of recreation.
Re: (Score:2)
That person would have to risk getting caught.
Caught doing what? Surely not this:
a single person with a 4wd vehicle, and a high powered rifle with a scope
That would raise eyebrows in downtown Manhattan or maybe Norway now, but around here that is a standard issue hunter, a protected species, herd size measured in the hundreds of thousands each fall, no kidding. Mostly they spend "deer hunting time" drinking beer but they have been known to take pot shots at aerial fiber; I assume they occasionally miss our fiber and hit the electric co lines, insulators, and transformers. The big high voltage towers are supposed to be mu
Re: (Score:2)
Fixed that for you.
Re: (Score:2)
The person to control the door is not on site. So if he sees that I want to enter and he does not want me to, he can't physically be forced to do so.
I have a gun to someone's head. If you don't open the door, I'll shoot them. You will watch on the camera. I will repeat this until the door opens.
The real question is: How much of a stomach do you have for watching people die because you won't push a button? Will you be able to live with yourself for the rest of your life seeing visions of their brain meats smeared across the wall?
The problem with geeks is they never consider the human angle, just the technical one.
Re: (Score:2)
I still say why are any of these connected to a commodity OS as well.
You don't *need* it to be online directly, nor do you need it to be tied to any specific commodity OS at this stage of the game. In the old days this was the case. Isolated networks, and dedicated operating systems were the norm (including the monitoring systems).
Re: (Score:2)
I still say why are any of these connected to a commodity OS as well.
You don't *need* it to be online directly, nor do you need it to be tied to any specific commodity OS at this stage of the game. In the old days this was the case. Isolated networks, and dedicated operating systems were the norm (including the monitoring systems).
Name a major SCADA system that doesn't require Windows. Heck, I know some that require very specific versions and service packs or they don't work...
Re: (Score:2)
Why are the prison control systems connected to the Internet? Who thought that was a good idea?
They are designed to operate without a connection to the internet. However, the computers used to control them run Windows on general purpose hardware.
Which means it is possible to connect them to the internet.
If you ask me, the designer of the system should utilize embedded hardware booted from flash media and basically read-only to the end user. Any reporting/data collection/data storage should be done
Re: (Score:2, Informative)
And what does the other half of *that same sentence* say?
Re: (Score:2)
"Since SOME control systems are connected to the internet".
Re:Internet? (Score:5, Insightful)
I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock? Also, why are the showers and everything electronically controlled? That's something most homes don't have.
With more prisoners in the system than the rest of the world combined, for profit private prisons automate to save money. That makes them cheaper than govt prisons, which forces the govt prisons to automate or else all their "guests" will get transferred to "save money by using the free market". In a race to the bottom, there is no opting out.
By controlling the showers you can stop people from F-ing around during lockdown... If the guards have to go in to break up a fight, at least the water is off.
Re: (Score:3)
A simple manual valve wheel outside the secure area will take care of this, with far fewer potential fail points.
Doesn't look as cool as a couple of guys in a room with a bunch of computers (running rooted XP) and video monitors. Valves don't sex up a Power Point presentation. Control rooms do.
Re: (Score:2)
A simple manual valve wheel outside the secure area will take care of this, with far fewer potential fail points.
Yes, but then we would have to hire an additional unionized state employee, with full benefits, just to turn the valve when told to do so. You may laugh, but the various prison guard unions would almost certainly insist that turning the valve is not part of their job description and requires an additional full time staff member whose job description includes this duty. Perhaps now you begin to understand the appeal of an automated system, even a complicated one, from the standpoint of cash-strapped governme
Re:Internet? (Score:4, Informative)
With more prisoners in the system than the rest of the world combined,
That's just NOT true. That's a lie, a calumny, a vile piece of propaganda.
We just have more prisoners (2.3 million) than China (No. 2, at 1.650 million) and Russia (No. 3, at 806,000) and India combined (No. 5, at 384753).
source [prisonstudies.org]
Re: (Score:2)
>>We just have more prisoners (2.3 million) than China (No. 2, at 1.650 million) and Russia (No. 3, at 806,000) and India combined (No. 5, at 384753).
source
By your own source, the US figure includes people outside the "normal" prison system, but, say, the China figures do not include it. If you include the extra 650,000 not counted in China's 1.65M, then they're tied with the US in 1st place.
Isn't it fun when people actually read your references?
Re: (Score:2)
My My, you're just full of excuses today.
Re: (Score:2)
But China also has 1.3 billion people in it, whereas the US has a bit over 300 million. So their numbers in prison shouldn't be anywhere near each other...
Re: (Score:2)
>>My My, you're just full of excuses today.
Hey, don't blame me if someone checks your numbers.
It'd also be fair to mention that between 10%-30% of the US prison population aren't actually from the US.
Re: (Score:2)
Authoritarian (at least the stable) governments generally have less crime than democracies. However, the Chinese are gaining on the U.S. in terms of organized crime. Also, there's a whole class of white collar crime in the U.S. which is standard operating procedure in China.
Now, what point was it you were attempting to make?
Re: (Score:2)
>>My My, you're just full of excuses today.
Hey, don't blame me if someone checks your numbers.
It'd also be fair to mention that between 10%-30% of the US prison population aren't actually from the US.
Other countries are offshoring their prisons to the US? Excellent...
Re: (Score:2)
Authoritarian governments generally lock people up who haven't committed crimes more often than democracies.
And I wasn't making a point.
Re:The free market (Score:5, Insightful)
The free market is a vague metaphor. Corporations and other financial interests are more concrete, and their influence on lawmaking is very real. Although I am not sure that their influence is to blame for a high incarceration rate.
It's hardly outrageous, though: Obviously the private prison system has a direct interest in it. Pharma doesn't directly profit from incarceration, but it does have an interest in harsh penalties on trading drugs that they don't control. Etc.
But clearly, there is a multitude of forces at work here. A culture of fear that encourages harsh sentences and incarceration over rehabilitation. A crazy divide between rich and poor and a bleak economic outlook. Poor education. Obviously some people will blame the free market (whatever they think that is) for many of these things, while others will do the opposite and demand an even free-er free market (whatever they think that is).
Re: (Score:3)
My father was a sheriff and handled the prisons for our county. (Ironically, my grandfather was a felon for robbing a bank) Here's my 2.5 cents. We don't have more criminals than other nations, actually we're quite low in the number of offenses. But we do have mandatory sentencing and very long prison terms, so we have more criminals in the system. Every holiday, Thanksgiving for example, there would be 2 or 3 convicts invited to our house to have a good meal and a chance for a break from the prison gr
Re: (Score:2, Insightful)
The free market has these things called lobbyists. Lobbyists control government because Congress either toes the line, or people will be elected who will.
Want to know who is deciding why we need more felonies every day, and why people need to get locked up, even though crime rates are not impacted? Definitely not government -- in reality, politicians want crime because it can be used as a hot button issue during election time.
The people who want the prisons stuffed with inmates is the private prison syste
Re: (Score:2)
If it weren't for labor's precious FDR fucking with SCOTUS for his precious reforms the vast majority of laws causing non-violent drug incarceration would not be constitutional.
Re: (Score:2)
I politely disagree - when you have corporations that have their hands on lawmakers' strings, or you have lawmakers who are on the boards of various corporations/etc, you have the 'free market' influencing who is a criminal.
Want proof - read the front page of slashdot today. Or any other day .. the BSA, RIAA, etc ...
So, more realistically, it's the government who decides, with the influence of the free market.
Re:Internet? (Score:4, Funny)
I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock?
It allows them to open up (or close/lock) whole rows of cells, or a single cell from a secure, central location. This way, if a person is able to get out of his cell, he can't simply run down to the end of the row and flip a switch. Also, think about how Sean Connery got out in The Rock.
Re:Internet? (Score:5, Interesting)
Well there is a little more to running a modern prison than just sequestering and feeding the inmates. We have decided that we care about their health and safety as well.
In the event it's necessary to evacuate the prison, say because there is a fire or something, central control of the locks would be very valuable. Much easier for the guards to grab the shotguns and rifles and say "Alright we are evacuating to the yard, the doors are going to unlock, all of you then step out hands in the air where we can see them and form a line." than it would be for them to go through the cell block unlocking each cell or row of cells at a time.
At the very least that would be a dangerous situation for the guards; already somewhat chaotic, they don't want to have their backs turned to other prisoners while they focus on operating a lock mechanism rather than their surroundings. I should expect the folks we keep locked in high security detention facilities are likely to be the sort that would try to take advantage of an unusual situation which may arise, and being able to lock and unlock all doors at the same time is one of the many ways prisons try and mitigate that risk.
Re: (Score:2)
Sure, computer control makes total sense and I agree is pretty much required for safety. So does monitoring. But designing a system where a control component has direct outside access is just dumb.
Re: (Score:3)
The real question is why do any of these controls get connected to the internet. And is automation really the best option, would simple toggle switches not be a safer option. Fewer fail points and vulnerabilities. We seem to want to automate everything (which I can fully understand) yet those automated
Re: (Score:3)
Use a serial port, and let the warden keep a USB to serial connector in his safe.
Non-standard interfaces are more expensive. USB2.0 ports are high-speed serial interfaces. Older interfaces are inappropriate for large transfers.
Simply not providing any user access to the interfaces would be sufficient, however. They could use a NIC interface for performing updates, however.
The machines that run the control systems should be industrial grade equipment, kept in a locked cabinet, never able to be touched
It is all about state contracts (Score:2)
And the skim. These PLC systems are more expensive. They seem sexy. And did I say they are expensive? More skim. Our jails are privatized. More prisoners equal more "customers". Get hard on crime (Looks good, Right?) More customers. More prisons. More skim. In the last twenty years the prison population has jumped from two hundred thousand to two million. One order of magnitude. When were the prisons privatized? (About twenty years ago it got into full swing as I recall.) It's a growth industry.
Prison lobb
Re: (Score:2)
(read the fucking second part of the sentence)
Re: (Score:2)
They aren't.... install it via an infected USB-stick is what the summary says...
So if the guards play games, then the prisoners can too. Someone sent a stick for "Breakout."
Re: (Score:2)
One of the prison officers was seen checking his Gmail account on the same computer running the prison control software - that's what TFA says.
It even mentions in the summary that some of the control systems are connected to the Internet.
Hollywood, infect your heart out (Score:3)
Why are prison doors connected to a computer? (Score:2)
Wouldn't a good old switchboard do?
BS (Score:3)
All believable, right up to:
We could blow out all the electronics.
The best I can think of is turning on the entire HVAC system at the same instant, popping the circuit breakers to the facility.
Maybe you could turn the power to the TVs on and off every second until the switching power supplies blow, or maybe that wouldn't work..
The problem with getting "average joe" to infect a PLC, is PLCs and their systems are getting more complicated, to the point that only specialists mess with them. It's a temporary thing. In the past, they were too few to matter, in the future they'll be too complicated for all but specialists to have access. This is just a momentary thing where "joe average industrial maint electrician" could theoretically screw stuff up.
Re:BS (Score:4, Informative)
If you could activate all the doors at once you could possibly overload the system. You're not going to blow out all the electronics, but you may well disable a critical path system. And if you opened all the doors and then opened them all some more simultaneously, that might well get them stuck open to the point where a human would have to manually close and lock each cell.
Re: (Score:3)
If you could activate all the doors at once you could possibly overload the system.
I would disagree as "instant-lockdown" is probably one of the main features of the system. Any time they see a fight, to stop it from turning into a (bigger) riot, slap the big red switch to isolate the inmates. The opposite is the "fire switch" so you can instantly let all the inmates out of their cells; I suppose it depends on the security level of the inmates and local policies; some prisons might let them fry in their cells if there's a fire.
And if you opened all the doors and then opened them all some more simultaneously, that might well get them stuck open to the point where a human would have to manually close and lock each cell.
Now we're getting somewhere, cycle half open half closed unt
Re: (Score:2)
I would be totally unsurprised if you didn't have to at least account for motor start delay, especially when the prison is being built by the lowest bidder.
Re: (Score:2)
The PLC code should account for motor lag and door travel lag if motors are used.
Yes, that's the whole point of this article, that prisons are vulnerable to attacks in PLC code. I only wish you had logged in.
Seriously, detention hardware is tough, not anything like what you find at the hardware store.
Yeah, that's the idea...
The easiest way to bugger a security door control system is to do it through the Windows OS bugs or with the touch screen software, not the PLC.
Unless you happen to have some PLC attack software lying around...
Re: (Score:2)
The thing is your typical "PLC" these days is pretty much a ruggedized PC running Windows, and a likely buggy stack of control software packages on top of that; which do not get along with the security patches for Windows, so Windows does not get patched. This is a pretty serious problem when these machines are not properly isolated.
What if... (Score:2)
You got control of the PLCs, started the emergency generator, set it to run at 75Hz, and forced it to connect to the mains? I'm thinking that might blow up a few bits and pieces of electronics.
Remember that Stuxnet was designed to use the PLCs to vary the frequency of the equipment.
Re: (Score:2)
Clearly you don't know much about how backup emergency diesel speed control systems are set up. Most of em are physically unable (as in a mechanical limiter) to raise speed above 63 hz. And most if not all have automatic tripping if speed drops to or below 57 hz while loaded. I can see sitting there at 57 hz for a long time, that might cause high current draw from your loads, eventually leading to long time delay current trips. Can't see much chance of long term damage. Might be a PITA to restart in manua
Re: (Score:2)
I don't know too much about diesel generators, but I *have* seen what happens when one is switched in when it's out of phase: no mechanical damage, but the magic smoke escaped from the transfer switch. I don't know if that counts as "blow[ing] out /all/ the electronics", but it definitely blew, and the server room was dark for hours.
Re: (Score:2)
It took out the UPS. In proper operation this would not have happened. This was during a maintenance window when the UPS vendor was installing upgrades. The whole site was operating on generator power during the outage; when they went to cut back over to mains the whole thing popped. The root cause was a wiring fault by the UPS vendor. Fortunately we had plenty of maintenance window left to boot and fsck everything.
Re: (Score:2)
The thing is your typical "PLC" these days is pretty much a ruggedized PC running Windows, and a likely buggy stack of control software packages on top of that; which do not get along with the security patches for Windows, so Windows does not get patched. This is a pretty serious problem when these machines are not properly isolated.
Actually the PLC itself is most likely designed with embedded architectures. The only company that advertises the use of an Intel processor is GE and I don't think I have heard them bragging about it for the last couple of years, most likely because their customers (or intended audience) do not like the fact that it is too similar to a standard PC.
What is running the Windows are your operator interfaces, which is what the operator (in this case, the guards) would possibly be using to interface with the PL
Common sense? (Score:2)
Re: (Score:2)
Cyber warfare? Stand back, I have a laptop and I know how to use it!
C'mon, melodrama much? Cyber warfare is the buzzword for "we were too stupid/miserly/lazy to implement security, now people found out how our shoddy semblance of a figment of security can be bypassed, so they are cyber terrorists and cyber criminals and cyber whatever. It's not that we were negligent/lazy/greedy, no way!"
This article is Shite (Score:4, Informative)
In the first place the prison control network is likely not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet, a Token Passing bus topology. If it uses Gould/Modicon/SquareD/Schneider it is probably Modbus Plus, also a Token Passing Bus Network. The PLC's will be executing Ladder Logic.
The Control Computer that the article talks about is only used to modify or create code for the PLC's and thereafter disconnected. It would usually only be reconnected for Maintenance reasons. The control of the unlocking or locking of cell doors is likely by push button in the Guard control room and done through the PLC I/O.
The network is not going to be connected to the internet as that would be stupid.
Re: (Score:2, Informative)
The problem is that this is not the case as is detailed in the paper.
Re: (Score:2)
++mod
I agree and would like to add that when you say "likely not Ethernet" also means that there are some that are. We've recently started using Directlogic PLC's. Some do have ethernet (like the DL205).
http://support.automationdirect.com/docs/plc_selection_considerations.html [automationdirect.com]
You could run all of your PLC's through a router so you could have all your PLC's programmable from a remote location. We've never done that, but then again we also don't have a prison population and access controls to deal with.
Re:This article is Shite (Score:4, Interesting)
You could run all of your PLC's through a router so you could have all your PLC's programmable from a remote location. We've never done that, but then again we also don't have a prison population and access controls to deal with.
I've done things like this and it works well. Had multiple remote sites connected to the home base via a VPN over the Internet. Not that I recommend programming from a remote location, but being able to ensure you have central backups, and do a centralized version control is a boon. The alternative was to have contract cowboys in each region with their own private copy of what they think the PLC program should be. So now the contractor arrives at site, checks out the PLC code from the central repository, modifies the PLC and then checks the code back in.
Re: (Score:3)
The Control Computer that the article talks about is only used to modify or create code for the PLC's and thereafter disconnected.
Unless the control computer is running an HMI (Human Machine Interface) to monitor and/or control lock and alarm status. Then that's the attack vector. Think you can keep that system off the Internet? Good luck with that.
From TFA:
He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet.
Back when I worked for Boeing, we (engineering) supported some shop floor ATE (automated test equipment). Over our objections and warnings, management instituted a program to port all the ATE equipment over to Windows specifically so that shop floor personnel could use the system
Re: (Score:2)
The attack vector (as it's been explained to me) is to pwn the Windows control console running the HMI. Then, any command that the attacker sends via that console to the PLC is indiscernible (by the PLC) from a legit command from the console app.
Undoubtedly, there's an 'open all cell doors' button on the PC. If an attacker can duplicate that command and send it out to the connected door control PLCs, well, game over. And it's not a matter of blocking ports on the PC. Once that has been infiltrated, it phones ho
Re: (Score:2)
Since when has stupidity stopped something from being implemented? If there's a cent to save, it will be done. To hell with security, this is just to keep criminals locked up, where do you need security in that?
No no no no..... (Score:5, Funny)
UNLOCK ALL INMATE DOORS
DEACTIVATE SECURITY SYSTEM
Then you smash the screen with a hammer so that no one can override the commands. It's simple.
What?
.
Re: (Score:2)
This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter: UNLOCK ALL INMATE DOORS DEACTIVATE SECURITY SYSTEM Then you smash the screen with a hammer so that no one can override the commands. It's simple. What? .
Totally wrong. Wrong I tell you. You have to Deactivate the alarm system first, then open the doors. That way you don't announce to the rest of the world that you have engineered the breakout. Just make sure not to overlook the hidden alarm that was secretly put in by the super crime fighter to let him know when his nemesis has escaped.
Unless of course you engineered the breakout to cover for the fact that you are committing a crime in another part of the city. In which case you only open som
Re: (Score:2)
Did I just write a hollywood movie? Or a series of movies????
Depends.. Isn't that the plot of Batman Begins?
Re: (Score:2)
Did I just write a hollywood movie? Or a series of movies????
Depends.. Isn't that the plot of Batman Begins?
You know, it probably was .. but I didn't have that movie in mind when I wrote my comments as I had totally forgotten about it - not to mention that I never saw it either
Re:No no no no..... (Score:5, Funny)
This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter: UNLOCK ALL INMATE DOORS DEACTIVATE SECURITY SYSTEM .
You left out a critical step. The computer will respond with ACCESS DENIED, at which point you type OVERRIDE
Re: (Score:2)
If you're going down that road...
First of all, there will be a password prompt, in nice HUGE letters on the screen - you know in case the warden lost his reading glasses or something...
You look around and notice a picture of his son on the table and a drawing signed "Joshua" on the wall... So now you know the password is "Joshua" (of course it is)
UNLOCK ALL INMATE DOORS
"Ok"
DEACTIVATE SECURITY SYSTEM
But wait! - the warden is not supposed to deactivate the security system! - "ACCESS DENIED!"
But the warden bei
Re: (Score:2)
Nah, you just need a stock standard R2-series astromech droid, have it insert its computer access probe into the nearest rotary dial socket, then tell it "Unlock all trash compactors on the detention level".
Or load the secret battle station plans into it and tell it to launch a lifepod. Nobody will ever shoot it because, hey, it's just a droid, and droids never smuggle data.
Or you send your droid into the druglord's hideout, and instead of doing a mandatory security wipe or even checking for hidden compartm
Stuxnet super worm .. (Score:2)
The perfect safe digital weapon with layers of unique code to seek out a sub set of industrial units.
Now cost cutting Microsoft based programmable logic controllers are at risk in other areas...
Why are so many expensive unique projects connected to low end Windows code?
Lots of scary buzz words (Score:5, Informative)
Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.
There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in-the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet
So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is
By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.
That's like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufacturers. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.
I have been using PLCs for longer than some /.'s have been alive and one thing I can say is that the only thing each manufacturer's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.
Finally the biggest laugh for me in TFA was
The communications port is typically 9-pin RS-232 or EIA-485;
That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid-sized PLC system we have upgraded to Ethernet, Profibus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being overpriced are nothing compared to PLC manufacturers).
Re: (Score:2)
The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being overpriced are nothing compared to PLC manufacturers).
Hm ... a hundred K seems a bit high, but you're right that the stuff isn't cheap. On the other hand, nobody in his right mind would use an Apple product to run valve & pump control for an oil refinery or some other critical process (although I'm sure there are people that try.) There are substantial liability issues with which manufacturers of industrial controllers have to contend that commercial vendors do not.
Re: (Score:2)
While I don't disagree that PLCs are way overpriced, $100,000 sounds a bit too high for a PLC even if it's a safety PLC with redundancy.
I was surprised at the cost as well. This was the latest bleeding edge (less than 6 months old) AB system, 2 racks, 2 CPUs per rack, 2 Ethernet cards and 2 Fibre cards and a couple of other cards. So you are down in the $10K+ per card on average - which is not that unreasonable. So your cards are not that far off. I used to think that GE stuff was pricey too - until I did some jobs with Toshiba PLCs.
Re: (Score:2)
I concur with the overpriced hardware for most PLC vendors. I think AB/Rockwell is probably the most pricey. The Software costs and Maintenance for software is also outrageous.
But when you look at DCS costs the PLC seems cheap.
Yeah. Honeywell, I'm looking at you.
If this is indeed true, (Score:2)
First off it shows a STUNNING lack of any sort of thought on the part of the people in charge of security and system design; connecting ANY command and control system of any kind to the real internet is something that should never, ever, be done, period.
I don't care HOW convenient it is or how useful it is, it's painting a giant soft target on your system and anyone who does it should be fired.
Furthermore, anyone who takes a USB stick or other media and plugs it into a secure C&C system needs to be f
Re: (Score:2)
Furthermore, anyone who takes a USB stick or other media and plugs it into a secure C&C system needs to be fired also; as a matter of fact such systems should probably be designed with little to no access to external media, and any actually required access points should be as secured as possible.
I know nothing about prison control systems, but I've spent a couple of decades in industry (okay, maybe a little more than that.) It is astounding the difference in security procedures you see across different organizations. I've seen some outfits that have completely electrically separate engineering/process and business networks, with all communication between those networks (if any!) being pinholed and heavily monitored, and other outfits that just run one big fiber loop around their facility and hook e
The trouble with PLCs (Score:3)
Progress with programmable logic controllers has made them much more vulnerable. They used to be really dumb devices, often programmed by physically plugging in an EPROM. Their communications protocol tended to be some ancient multi-drop serial protocol like RS-485, or a vendor-specific proprietary network. The "host machine" tended to be some CPU on a card, connected to a dumb terminal or a control panel. This was dumb and static, but being totally isolated, secure from external intrusion.
Now, PLCs tend to be reprogrammable over their communications link. Some support Ethernet directly. The proprietary networks were all overpriced, and although Ethernet is overkill for most low-level controllers, the interface parts are cheaper, the cables are cheaper, the connectors are cheaper, and more interface devices are available. Also, 10baseT, which has differential signalling and error control, has better noise immunity than some of the lower-speed proprietary networks. I've used devices that have a built in web server just for configuration purposes. With no security.
Even if the low-level network is nonstandard, there's a tendency today to put in a gateway to an Ethernet. This allows connection to, inevitably, a PC running Windows, usually with some custom DLL from the controls vendor. (See page 9 of this Siemens brochure. [siemens.com]) This often allows reprogramming the low level controllers from a PC. This is exactly the configuration that was used in the Iranian centrifuge facility.
Of course, once you have something that's IP over Ethernet with Windows machines on it, it tends to become accessible from the outside world. This is a recognized problem. Here's a Siemens paper on it. [siemens.com] They talk about "firewalls" a lot, but don't go into much detail over what they really do. Note that they mention an engineering terminal used for system programming (a PC), physically outside the firewall, coming in through an encrypted VPN. That's a classic point of attack.
The trouble is that it's too convenient to have connections to external systems. The PLC system for lock control in a prison wouldn't seem to have to be connected to other systems. But there's going to be an inmate inventory system that tracks who is supposed to be in which cell. It's convenient if the interface to the locking system shows who is supposed to be where, and has important info like which prisoners are violent, which need extra medical attention, and such. Then you can have screens which show both door status and prisoner info.
But others need to talk to the prisoner inventory system. The system for food ordering needs info about how many inmates are in which parts of the prison and maybe their dietary needs. And the system for food ordering needs to talk to external suppliers to place orders. That means a link to outside the prison. This is the sort of thing which leads to a data path from non-critical to critical systems.
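An added example, not from the thread or from any vendor: a small Python audit of the integration chain the comment sketches, which flags any transitive network path from an untrusted system (the external supplier link, a vendor engineering terminal) into the lock-control PLC and shows whether cutting or pinholing one link removes it. All system names and links are constructed.

```python
from collections import deque

# Constructed links (not from the post): each pair is a network connection
# between two systems, following the integration chain the comment describes.
CONSTRUCTED_LINKS = [
    ("external_supplier", "food_ordering"),
    ("food_ordering", "inmate_inventory"),
    ("inmate_inventory", "lock_control_hmi"),
    ("lock_control_hmi", "lock_plc"),
    ("engineering_laptop", "lock_plc"),   # vendor terminal over a VPN
]
UNTRUSTED = {"external_supplier", "engineering_laptop"}
CRITICAL = {"lock_plc"}

def adjacency(links):
    """Build an undirected adjacency map from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def shortest_path(adj, start, targets):
    """BFS from start; return the shortest path into any target, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:      # walk predecessors back to start
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def exposure_paths(links, untrusted=UNTRUSTED, critical=CRITICAL):
    """Map each untrusted system to its shortest path into a critical one."""
    adj = adjacency(links)
    paths = ((src, shortest_path(adj, src, critical)) for src in sorted(untrusted))
    return {src: path for src, path in paths if path}

def without_link(links, a, b):
    """Model cutting (or fully pinholing) one link; return the remaining links."""
    return [l for l in links if set(l) != {a, b}]
```

Running `exposure_paths` before and after `without_link(..., "inmate_inventory", "lock_control_hmi")` shows the supplier path disappearing while the engineering terminal's direct link to the PLC remains, which is the point the Siemens VPN note in the parent comment makes.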
In other news (Score:2)
It's almost like they were designed for being used in a wide variety of applications.
Same vulnerabilities...nice. (Score:2)
"Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors."
They're going to spin the prison faster and faster until the cell doors shake off? Nice. I'd watch that.
Wouldn't work in Texas state prisons... (Score:2)
Though it might work in some of the city and county jails. But the state prisons here are all run off gear that is non-networked. Sure, some of the newer facilities might have VOIP phones or IP-based cameras in some areas, but you're still not going anywhere or getting much done in a TX state prison without a ring of keys. About the best you could hope for might be to shut off a camera. Which might work if you're coordinating a hit, but you're better off doing that during a medical transfer or something si
Re: (Score:2, Offtopic)
F1ST P0ST!
Or did everyone else get infected?
Not everyone else is in jail pressing F5.
Why is the Coward above labeled Flamebait? (Score:4, Insightful)
This IS scaremongering.
'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'
Right there.
Your average reader now doesn't visualize a circuit-board somewhere fizzing out and releasing some of that mythical white smoke.
He sees **BUM!***BUM!***EXPLOSIONS!!!***BADA-BUM!!*** instead.
Followed by rapists and serial killers and cannibals being armed with rocket launchers and AIDS and set loose onto a kindergarten city somewhere.
You know... a city made entirely out of kindergartens. And diaper factories.
Too bad Numb3rs was canceled...
Or there would now surely be an episode in the making about just such an escape attempt.
Fortunately, CSI: Miami is still on the air.
We may yet see 2 million convicts across USA blowing up prisons with internet viruses and then rampaging across the land... no... wait...
QUICK! Someone get me Michael Bay and Jerry Bruckheimer - I've got their next blockbuster right here!
Re: (Score:2)
Well, criminals are evil, hackers are evil, OF COURSE they help each other! Just like the terrorists, communists and other bogeymen du jour. They're all after us, they climb in our windows, they snatch our... ok, it gets old, but I just wanted to use that once. Just once.
But in this time and age, you have to scare people to get some funding. And if that scare is directing funding for a change towards more actual security instead of the usual security theater, I'm for it.
Re: (Score:2)
That's pretty much what I'd expect. Nobody will question the shoddy security, everyone's going to blame people who actually didn't (yet) do anything, just that "they" are able to do it is enough to condemn them.
Re: (Score:2)
Realism?
You never had to badger someone for a budget, did you? Painting a realistic picture, i.e. that yes, something might happen, but it's about as likely as you hitting the national lottery jackpot, will not get you funding.
Re: (Score:2)
Re: (Score:2)
Alternate reading of the title: hackers could open convicts' cellphones and send their voice mail to some enterprising news organization.
"enterprising news organization." That's hilarious.