Tuesday, 8 November 2011

Hackers could throw open prison doors, research shows | Naked Security

Filed Under: Featured, Law & order, Malware, Privacy, Vulnerability

John J Strauch headshotResearch presented at the Hacker Halted conference in Miami late last month showed how hackers could take control of industrial control systems (ICS) used in prisons.

The research team, made up of ex-CIA man John Strauchs, who boasts 40+ years in the security and intelligence business, his daughter, a computer researcher/attorney/professor named Tiffany Rad, and Teague Newman, presented the paper "SCADA and PLC Vulnerabilities In Correctional Facilities" to share their findings at the conference.

The team revealed that security systems used in most American prisons were shown to be vulnerable, allowing hackers to overload the circuitry controlling prison doors, effectively locking them permanently open, according to a Washington Times article by Chris Burke.

The research began after Strauchs was called in by a warden to figure out how all the cell doors on one prison's death row spontaneously opened, according to ArsTechnica.

Prison Doors Open 175x175ICS is a general term that includes supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).

ICS effectively allow for the remote control of specific operations such as opening and closing of doors in a prison. They can collect data from sensor systems, as well as monitor the local environment for alarm conditions. They are used in many industries, including prisons.

While ICS should not be on the internet, the research team found many instances where the system was connected to other networks or devices after specialist installation. This would allow for remote attacks on the ICS.

In fact, in the process of validating the research, the Department of Homeland Security found internet capabilities at every one of the 400-plus locations they inspected. Staff apparently wanted to check their email, surf the web, or perform a software update remotely.

Even systems that were successfully cut off from the Internet could be attacked by malicious insiders, or anyone with enough access to insert a thumb drive into a computer work station, Mr. Strauchs told the Washington Times.

So the take-away all businesses can learn from this one?

Educate your users when you cannot provide ubiquitous services like the internet or remote administration. Users absolutely need to understand the risks associated with their actions to avoid the organisation being put at danger because the employees didn't know better.

After all, the human urge to simplify and facilitate where possible is a natural one. Expect it, and circumvent it, before it becomes a problem.

, , , , , ,

About the author

Carole Theriault has been working in the computer security industry since the late 1990s. She currently heads up Sophos's Naked Security news website. She also looks after the company's threat communications and social media strategy. You can contact Carole at ct@sophos.com, or follow her on Twitter at @caroletheriault.