One Christmas Eve, security consultant John Strauchs received a call about a new maximum security system he’d installed in a US prison. “All the doors popped open on death row,” said the person on the other end.
Strauchs, who owns a security consulting company, thankfully didn’t have his own prison doors hacked into that night. Rather, a part of his security system was leaking enough voltage to trip the electronic locks keeping the prisoners safe in their cells. The close call was too close for Strauchs, who knew that if this sort of event can happen by accident, there has to be a way to exploit it.
“[I asked myself] what could you do if you [tripped the doors] deliberately? The answer is: we can do anything,” said Strauchs in an interview with VentureBeat.
Soon thereafter, the media started reporting about the Stuxnet virus affecting programmable logic controllers (PLC), or computers that control electronic devices programmed to perform automatically, and Strauchs had an “epiphany.” According to him, most security systems don’t use PLCs, but maximum security prisons are an exception, leading him to believe a similar vulnerability could be exploited.
So, Strauchs and his team went to work poking at the hole in the system, and it didn’t take long to break into a prison system. The team created malicious code, only 30 lines, using legitimate software, which only racked up a $2,500 price tag. Not too much if you’ve got a little extra saved and feel like opening some prison doors on a Saturday, but the price tag gets even lower if you don’t buy the software outright.
“We went totally legitimate,” explained Strauchs. “But if we were not scrupulous and got the software off the internet, it would have cost $500.”
Executing the code can be done in one of two ways: you can “social engineer,” or in essence talk, your way into the physical location of the targeted prison and install a USB drive with the malicious code, or you can find internet access and surf your way in. The latter, in theory, should be very hard to execute, as prison central control systems aren’t supposed to have any access to the internet. There’s no reason to have it. But Sean P. McGurk, former director of the National Cybersecurity and Communications Integration Center for the Department of Homeland Security, told the Washington Times that his team always found internet connections in the 400-plus prison control systems he visited.
“I’ve designed 114 justice design systems and I can’t imagine why central control ever needs internet access, or for that matter a USB drive,” said Strauchs, who went on to say he saw a prison guard checking his Facebook account in a control center he once toured.
The more dangerous part is that central control may never know doors have been opened. In fact, the code can cloak its activity, making it seem as if everything is fine. But just because doors have been opened doesn’t mean prisoners can immediately escape. There are a few hurdles to pass before reaching the outside, which is why Strauchs believes an attack like this is more geared toward internal initiatives. Indeed, the malware can be rigged to keep doors closed as well.
“If you are a [gang member], you prevent a door from opening, and you start a prison fire,” Strauchs gave as a possible use case other than freeing convicts.
Before bringing the vulnerability to the masses, Strauchs’ team set up multiple presentations for federal agencies, and in the end promised not to release the code itself, though Strauchs believes it is so easy to duplicate that withholding it isn’t protecting people for very long.
Currently, a few agencies have started to look into the issues, although the main issue may simply be a lack of education.
“I think a lot of it is telling people that there is a vulnerability. Most people in America aren’t computer savvy and don’t want to be,” said Strauchs. “But once they understand this is a serious vulnerability … they will comply.”
[via Washington Times]