
Hackers Could Open Convicts' Cells In Prisons

Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"
  • Re:Internet? (Score:0, Informative)

    by Anonymous Coward on Sunday July 31, 2011 @08:19AM (#36938446)

    They aren't.... install it via an infected USB-stick is what the summary says...

  • Re:Internet? (Score:2, Informative)

    by maxume ( 22995 ) on Sunday July 31, 2011 @08:23AM (#36938462)

    And what does the other half of *that same sentence* say?

  • Re:BS (Score:4, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday July 31, 2011 @09:16AM (#36938630) Homepage Journal

    If you could activate all the doors at once you could possibly overload the system. You're not going to blow out all the electronics, but you may well disable a critical path system. And if you opened all the doors and then opened them all some more simultaneously, that might well get them stuck open to the point where a human would have to manually close and lock each cell.

  • by ControlsGeek ( 156589 ) on Sunday July 31, 2011 @09:23AM (#36938658)

    In the first place the prison control network is likely not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet, a Token Passing bus topology. If it uses Gould/Modicon/SquareD/Schneider it is probably Modbus Plus, also a Token Passing Bus Network. The PLCs will be executing Ladder Logic.
    The Control Computer that the article talks about is only used to modify or create code for the PLCs and thereafter disconnected. It would usually only be reconnected for Maintenance reasons. The control of the unlocking or locking of cell doors is likely by push button in the Guard control room and done through the PLC I/O.

    The network is not going to be connected to the internet as that would be stupid.

  • Re:Internet? (Score:5, Informative)

    by SwedishChef ( 69313 ) <craig@networkessentials . n et> on Sunday July 31, 2011 @09:35AM (#36938694) Homepage Journal

    The PLCs (and their controllers) form their own network that is not connected to the Internet; it's not even TCP/IP.

    However... the desktop computers that interface with the controllers are often on the Internet because they use the local area network to communicate with both the controllers and get email, surf the web, etc. There is a close connection between the SCADA software on the desktop PC and the PLC so that if a sophisticated attack on that PC is successful then the attacker can have complete control over the PLC system.

    Worse yet... many of the PCs controlling the PLC systems are older versions of Windows because updates are expensive (usually requiring specialists from outside the plant due to the nature of the systems) so people tend to put them off. I've seen lots of desktops running NT, for instance.

  • by Anonymous Coward on Sunday July 31, 2011 @09:52AM (#36938778)

    The problem is that this is not the case as is detailed in the paper.

  • by OzPeter ( 195038 ) on Sunday July 31, 2011 @10:54AM (#36939082)
    TFA has lots of security related buzzwords, but for me the meat in TFA is buried down in

    "Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com."

    "There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in-the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet"

    So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is

    "By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific."

    That's like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufacturers. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.

    I have been using PLCs for longer than some /.'s have been alive and one thing I can say is that the only thing each manufacturer's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.

    Finally the biggest laugh for me in TFA was

    "The communications port is typically 9-pin RS-232 or EIA-485;"

    That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid sized PC system we have upgraded to Ethernet, Profibus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being over priced are nothing compared to PLC manufacturers).

  • Re:Internet? (Score:4, Informative)

    by Jeremy Erwin ( 2054 ) on Sunday July 31, 2011 @12:43PM (#36939748) Journal

    "With more prisoners in the system than the rest of the world combined,"

    That's just NOT true. That's a lie, a calumny, a vile piece of propaganda.

    We just have more prisoners (2.3 million) than China (No. 2, at 1.650 million) and Russia (No. 3, at 806,000) and India combined (No. 5, at 384753).
    source [prisonstudies.org]
