
Hackers Could Open Convicts' Cells In Prisons

Soulskill posted more than 3 years ago | from the need-firewalls-to-go-with-those-real-walls dept.

Security 203

Hugh Pickens writes "Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons where programmable logic controllers (PLCs) control locks on cells and other facility doors. Researchers have already written three exploits for PLC vulnerabilities they found. 'Most people don't know how a prison or jail is designed; that's why no one has ever paid attention to it,' says John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week. 'How many people know they're built with the same kind of PLC used in centrifuges?' A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. 'Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,' adds Strauchs. 'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'"

203 comments

F1ST P0ST! (-1, Offtopic)

woolio (927141) | more than 3 years ago | (#36938430)

F1ST P0ST!

Or did everyone else get infected?

Re:F1ST P0ST! (1, Offtopic)

dotancohen (1015143) | more than 3 years ago | (#36938464)

F1ST P0ST!

Or did everyone else get infected?

Not everyone else is in jail pressing F5.

Re:F1ST P0ST! (0)

Gaygirlie (1657131) | more than 3 years ago | (#36938482)

F1ST P0ST!

...but where's the fist?

Internet? (5, Insightful)

betterunixthanunix (980855) | more than 3 years ago | (#36938440)

Why are the prison control systems connected to the Internet? Who thought that was a good idea?

Re:Internet? (0, Informative)

Anonymous Coward | more than 3 years ago | (#36938446)

They aren't.... install it via an infected USB-stick is what the summary says...

Re:Internet? (0)

Anonymous Coward | more than 3 years ago | (#36938458)

since some control systems are also connected to the internet,

Re:Internet? (0)

bejiitas_wrath (825021) | more than 3 years ago | (#36938474)

And I bet they run Windows XP as well...

Re:Internet? (2, Informative)

maxume (22995) | more than 3 years ago | (#36938462)

And what does the other half of *that same sentence* say?

Re:Internet? (1)

MindStalker (22827) | more than 3 years ago | (#36938478)

"Since SOME control systems are connected to the internet".

Re:Internet? (1)

maxume (22995) | more than 3 years ago | (#36938490)

So you think the 'some' really changes the question betterunixthanunix is asking?

I think they were asking why any prison control system would be connected to the internet, not asking why they all are.

Re:Internet? (3, Interesting)

hvm2hvm (1208954) | more than 3 years ago | (#36938500)

I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock? Also, why are the showers and everything electronically controlled? That's something most homes don't have.

Re:Internet? (1)

Nick_13ro (1099641) | more than 3 years ago | (#36938520)

I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock? Also, why are the showers and everything electronically controlled? That's something most homes don't have.

I imagine it's for contingencies involving inmates taking over the prison. The ability to leave them without water would be quite a decent leverage against them, don't you think?

Re:Internet? (2)

dwillden (521345) | more than 3 years ago | (#36939430)

A manual control valve outside the secure areas would be the far better option. Electronic switches can fail, even if not from being hacked. A manually turned valve wheel has a much lower failure rate.

The real question is why do any of these controls get connected to the internet. And is automation really the best option, would simple toggle switches not be a safer option? Fewer fail points and vulnerabilities. We seem to want to automate everything (which I can fully understand) yet those automated controls keep finding themselves attached to the net which then leads to the question should we have really so thoroughly automated these things. Why are any critical control switches for any facility (prison, power plant, power grid, etc...) connected to the net? I know the summary said "some" but why are any connected? And why do the other controls need usb ports? I have a hard time believing those cell door controllers need frequent updates (or ever need them if properly designed). Go ahead automate it. Design the system when building the prison, write the code and test it, then install it on the controller mem chips then install the system. It should be good to go from then on. If you think you might somehow need to update the software on these critical systems, use a non-standard connector. Use a serial port, and let the warden keep a USB to serial connector in his safe. Nothing is ever going to be totally secure, but it looks like these systems were designed with zero thought as to why and how they should be secured, which is funny when dealing with a prison security system.

Re:Internet? (0)

Anonymous Coward | more than 3 years ago | (#36939586)

It's the price you pay for working in a prison. Be nice, and maybe there won't be a riot. Be rude, and well, you take your chances.

Re:Internet? (5, Insightful)

vlm (69642) | more than 3 years ago | (#36938526)

I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock? Also, why are the showers and everything electronically controlled? That's something most homes don't have.

With more prisoners in the system than the rest of the world combined, for profit private prisons automate to save money. That makes them cheaper that govt prisons, which forces the govt prisons to automate or else all their "guests" will get transferred to "save money by using the free market". In a race to the bottom, there is no opting out.

By controlling the showers you can stop people from F-ing around during lockdown... If the guards have to go in to break up a fight, at least the water is off.

The free market (0)

Anonymous Coward | more than 3 years ago | (#36938838)

forces the govt prisons to automate or else all their "guests" will get transferred to "save money by using the free market"

Now that's funny. As if the free market set the goal for the highest incarceration rate in the entire world. As if the free market sat down and planned out the racket which would lock millions of non-violent human beings in cages like animals.

Government decides who gets locked in cages and why, not the free market. These "private" prisons aren't examples of free market economics at all. They are merely subsidiaries in the business of government.

Re:The free market (4, Insightful)

moonbender (547943) | more than 3 years ago | (#36939000)

The free market is a vague metaphor. Corporations and other financial interests are more concrete, and their influence on lawmaking is very real. Although I am not sure that their influence is to blame for a high incarceration rate.

It's hardly outrageous, though: Obviously the private prison system has a direct interest in it. Pharma doesn't directly profit from incarceration, but it does have an interest in harsh penalties on trading drugs that they don't control. Etc.

But clearly, there is a multitude of forces at work here. A culture of fear that encourages harsh sentences and incarceration over rehabilitation. A crazy divide between rich and poor and a bleak economic outlook. Poor education. Obviously some people will blame the free market (whatever they think that is) for many of these things, while others will do the opposite and demand an even free-er free market (whatever they think that is).

Re:The free market (2, Insightful)

Anonymous Coward | more than 3 years ago | (#36939698)

The free market has these things called lobbyists. Lobbyists control government because Congress either toes the line, or people will be elected who will.

Want to know who is deciding why we need more felonies every day, and why people need to get locked up, even though crime rates are not impacted? Definitely not government -- in reality, politicians want crime because it can be used as a hot button issue during election time.

The people who want the prisons stuffed with inmates is the private prison system.

This is the free market at work. Pure "capitalism" without any regulations of bribery, or controls on campaign contributions is what you see here. Pure capitalism means that the most ruthless, psychopathic people get to the top and stay there.

Regulations and laws are important. Capitalism doesn't build roads unless the market is there. Capitalism doesn't feed homeless unless there is PR to be gained. It doesn't care about national defense or crime unless people pay private security companies. It cares about the almighty bitcoin (or currency of choice) and that's it.

I guess history isn't taught anymore, or people would remember Frick, Standard Oil, Carnegie, and many other companies which thrived under a government that had little to no regulation. It took a depression where the whole economy that was based on bad borrowing and a president with some balls to actually fix things.

Capitalism isn't all bad, but it needs regulation or else we end up with bank crisis after bank crisis, stock scams, and many other issues.

Idiot (-1)

Anonymous Coward | more than 3 years ago | (#36938950)

"cheaper that"

"THAT"?

Moron. No wonder you think that prisons are some sort of problem... where would we, the working public, be, without prisons? Surrounded by criminal scum, who are intent on ruining OUR lives, the people they leech off of.

What the hell is it with Americans and "more that" and "more then" - are you too stupid to remember "MORE THAN"? We even have a bloody credit card company in the U.K. called it, just to remind you.

Idiot.

Re:Idiot (1)

Anonymous Coward | more than 3 years ago | (#36939538)

"where would we, the working public, be, without prisons?"

Drowning in commas?

Re:Internet? (1)

dwillden (521345) | more than 3 years ago | (#36939440)

A simple manual valve wheel outside the secure area will take care of this, with far fewer potential fail points.

Re:Internet? (3, Funny)

Nidi62 (1525137) | more than 3 years ago | (#36938560)

I'm more curious why do they need to control everything from 1 computer? What's wrong with a simple keylock or if that's too 'medieval' for you, a standalone code lock?

It allows them to open up (or close/lock) whole rows of cells, or a single cell from a secure, central location. This way, if a person is able to get out of his cell, he can't simply run down to the end of the row and flip a switch. Also, think about how Sean Connery got out in The Rock.

Re:Internet? (5, Interesting)

DarkOx (621550) | more than 3 years ago | (#36938584)

Well there is a little more to running a modern prison than just sequestering and feeding the inmates. We have decided that we care about their health and safety as well.

In the event it's necessary to evacuate the prison, say because there is a fire or something, central control of the locks would be very valuable. Much easier for the guards to grab the shotguns and rifles and say "Alright we are evacuating to the yard, the doors are going to unlock all of you then step out hands in the air where we can see them and form a line." than it would be for them to go through the cell block unlocking each cell or row of cells at time.

At the very least that would be a dangerous situation for the guards, already somewhat chaotic they don't want to have their backs turned to other prisoners while they focus on operating a lock mechanism rather than their surroundings. I should expect the folks we keep locked in high security detention facilities are likely to be the sort that would try to take advantage of an unusual situation which may arise, and being able to lock and unlock all doors at the same time is one of the many ways prisons try and mitigate that risk.

Re:Internet? (2)

hairyfeet (841228) | more than 3 years ago | (#36938690)

Well if we didn't have as another poster put it "more people in prison than the rest of the world combined" (not sure if that is true but frankly wouldn't surprise me) and create criminals by giving folks records for dope which ensures they will NEVER be able to have a real job, well maybe the guards wouldn't be having to deal with teeming masses of prisoners in an emergency. Maybe when the whole system collapses like a house of cards thanks to blowing $$$$$ on 3 wars while giving tax breaks we'll start acting like sensible human beings and realize that "sin" crimes belong in the pulpit not the law books.

As for TFA WHAT THE FUCK? Why in the name of all that is good is ANY of the systems hooked to the net? What, the warden can't live without YouTube? If there was a system that should never ever in a million years be let loose on the net it is THAT one, as every troll on the planet would just looove to open all the cells "just for the LULZ". But what do I expect when prisons are now for profit human processing units instead of what they were supposed to be, which was a way for the state to keep the violent away from the rest of society.

You know this country is fucked when I look at my local paper and the only places hiring are the prisons and the MickeyDs. This just goes to show the former isn't even run as well as the latter, how fucking sad is that?

Re:Internet? (1)

nurb432 (527695) | more than 3 years ago | (#36939024)

Sure, computer control makes total sense and I agree is pretty much required for safety. So does monitoring. But designing a system where a control component has direct outside access is just dumb.

Re:Internet? (1)

houghi (78078) | more than 3 years ago | (#36938750)

Locks can be picked. Keys can be duplicated or stolen. Guards can be bribed to do so. To use them you need to be on the premises. In some situations not a real nice option.

Electronic should give a logfile of who did what and when. I can add several layers of security into it. e.g. Level one guard can't open XYZ between 20:00 and 06:00 and 10:00 and 15:00.

Re:Internet? (1)

Anonymous Coward | more than 3 years ago | (#36938758)

Because systems control is cheaper than human control. It's far easier to get one-time purchases approved for equipment than long-term additions to staff. This is seen all the damn time in IT. Can I have a new sysadmin? No. Can I have a new server? Sure, how many do you need?

Re:Internet? (0)

Anonymous Coward | more than 3 years ago | (#36939610)

One of the reasons that newer prisons control everything from one place is that it makes prisoner movement easier. A keylock is reliable, but if a prisoner overpowers a guard and swipes the keys, it makes it easy to turn a pod or cellblock into a riot. This is especially true in maximum security where inmates have nothing to lose. In a setting where cell openings are controlled from a tower, overpowering a guard does nothing except ensure 10-20 more years of a stay, most of it likely in the hole.

Showers and even prisoner toilets (in some prisons, only three flushes are allowed in an hour) are controlled to prevent prisoners from flooding the tier. Same with drain valves -- if a CO suspects an inmate possesses something, they remotely close the drain valve and disable water so they can't flush it down the toilet.

Re:Internet? (1)

ccguy (1116865) | more than 3 years ago | (#36938488)

RTFSPOTS

(read the fucking second part of the sentence)

Re:Internet? (0)

Anonymous Coward | more than 3 years ago | (#36938572)

Lol, a whole lot of them are in fact connected to the internet, by also being in contact/communication with officers' terminals and office computers.

Source: An Ex-Con

Re:Internet? (1)

Sulphur (1548251) | more than 3 years ago | (#36938830)

They aren't.... install it via an infected USB-stick is what the summary says...

So if the guards play games, then the prisoners can too. Someone sent a stick for "Breakout."

Re:Internet? (1)

gl4ss (559668) | more than 3 years ago | (#36938540)

most of them are not. but that's irrelevant, as most have network nodes across the entire prison. it would really have to be a targeted attack anyways, as you'd need to know which plc's they're using and so forth. but the point is, it's just couple of grand in hardware after you know what's in use in that specific prison.

Re:Internet? (4, Informative)

SwedishChef (69313) | more than 3 years ago | (#36938694)

The PLCs (and their controllers) form their own network that is not connected to the Internet; it's not even TCP/IP.

However... the desktop computers that interface with the controllers are often on the Internet because they use the local area network to communicate with both the controllers and get email, surf the web, etc. There is a close connection between the SCADA software on the desktop PC and the PLC so that if a sophisticated attack on that PC is successful then the attacker can have complete control over the PLC system.

Worse yet... many of the PCs controlling the PLC systems are older versions of Windows because updates are expensive (usually requiring specialists from outside the plant due to the nature of the systems) so people tend to put them off. I've seen lots of desktops running NT, for instance.

Re:Internet? (1)

JohannesJ (952576) | more than 3 years ago | (#36939058)

Yes: but the way I see it the mistake is that the USB stick isn’t unique for every device. Having PLCs USB boot and run in a standard manner is excellent for development, but carrying that direct to a mission critical product is very bad. Stuxnet wouldn’t likely work if devices weren’t using standards. An easy fix might be to "exclusive OR" every y byte of the USB stick with some number and format it with a proprietary method, known only to that device

Re:Internet? (0)

Anonymous Coward | more than 3 years ago | (#36939358)

As someone said earlier on ./, it doesn't have to be a USB stick... your USB mouse/keyboard/anything *could* potentially have something within them that compromises the system.

Here's a hypothetical scenario: you create a "fake" keyboard that opens up a DOS box, dumps binary data into a file, then runs that file. You then order 1000 USB keyboards from Amazon, disassemble them, wire'em up in a way that the keyboard would appear to function like a "keyboard", except for those few times when it "opens up a DOS box, dumps binary data into a file" (say when there's no activity on the keyboard for a few hours and it's nighttime). You seal keyboard boxes, setup Amazon account to sell those exact same keyboards for $5 less than what you paid for them. Yes, they'll sell.

Now you got a virus on most of those 1000 computers (and if you're lucky, a few hundred networks). Note that at this point what OS you're running is irrelevant (open a shell prompt and run a shell script, etc.). You only need 1 of them to be someplace interesting (say if there's a 0.1% chance that the keyboard will end up in a military/prison/powerplant place...). Cost of such an attack is amazingly low.

Re:Internet? (2)

tfigment (2425764) | more than 3 years ago | (#36939306)

Not completely true. ProfiNet, Modbus/TCP, EtherNet/IP, FINS, BACnet are all communication over ethernet tcp/ip stacks to the scada system and capable of issuing write commands. But then again perhaps prisons are using DCS style hardwired systems. Now the control system operating drives, switches, sensors or whatever are generally going to use some other system like Modbus, CAN, I2C, ... but even then EtherCAT, EtherNet/IP are industrially used for plcs to talk to drives and sensors if you want.

The scada system capable of controlling the PLCs should be isolated from the internet but I've seen more than my fair share of the other. I'm sure the prisons are more paranoid and heck there are probably 500 different contractors writing the control logic in 1500 different ways out there so if one were hacked it would likely be an isolated incident. Stuxnet exploited the fact that the centrifuges used a common geometry layout so it knew what addresses corresponded to what and could manipulate that. It was still super clever though.

The biggest problem is that most of those ethernet protocols used in scada have zero authentication or security around it. If you can talk to it you can do a lot of bad bad things without any passwords. Usually the HMI is responsible for authentication but who says you have to use the HMI like stuxnet. They may try to protect the control logic with passwords but usually that is just for show in the systems that support it and would not withstand any dedicated effort for very long.

I'm more worried about DNP3 substations than prisons since power companies tend to have a unified system and spread out over long distances though they know that.
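The point in the comment above about unauthenticated SCADA protocols can be seen in the Modbus/TCP frame layout itself. The following is an added example, not part of the original comment: it parses every field of a Modbus/TCP request (none carries a credential) and flags state-changing function codes that arrive from a host other than the approved HMI. The addresses, sample frames and the single-HMI allowlist are constructed for illustration, and each record is assumed to hold one complete request.

```python
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Modbus function codes that change PLC state. For each of these the first
# two data bytes are the target coil/register address.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
}


class FrameError(ValueError):
    """Raised when bytes do not form one well-formed Modbus/TCP request."""


def parse_request(frame):
    """Decode one Modbus/TCP request.

    The fields decoded here are the whole header: there is no user, session
    or signature field, so the PLC cannot tell an HMI from any other sender.
    """
    if len(frame) < MBAP_LEN + 1:
        raise FrameError("too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(
        ">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise FrameError("protocol id is not 0 (not Modbus)")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        raise FrameError("length field does not match bytes received")
    function = frame[MBAP_LEN]
    data = frame[MBAP_LEN + 1:]
    request = {"transaction_id": transaction_id, "unit_id": unit_id,
               "function": function, "address": None}
    if function in WRITE_FUNCTIONS:
        if len(data) < 2:
            raise FrameError("write request without an address")
        request["address"] = struct.unpack(">H", data[:2])[0]
    return request


def review(records, allowed_writers):
    """Return alerts for malformed frames and writes from unapproved hosts."""
    alerts = []
    for src, frame in records:
        try:
            req = parse_request(frame)
        except FrameError as exc:
            alerts.append({"src": src, "kind": "malformed", "detail": str(exc)})
            continue
        name = WRITE_FUNCTIONS.get(req["function"])
        if name and src not in allowed_writers:
            alerts.append({"src": src, "kind": "unapproved-write",
                           "detail": name, "unit_id": req["unit_id"],
                           "address": req["address"]})
    return alerts


# Constructed sample traffic: (source address, raw request bytes).
APPROVED_WRITERS = {"192.0.2.10"}  # hypothetical HMI workstation
SAMPLE_TRAFFIC = [
    # HMI polls two holding registers (read, no alert).
    ("192.0.2.10", bytes.fromhex("000100000006010300000002")),
    # HMI sets coil 0x0013 (write from the approved host, no alert).
    ("192.0.2.10", bytes.fromhex("00020000000601050013ff00")),
    # Another host sends the same coil write (alert).
    ("192.0.2.77", bytes.fromhex("00030000000601050013ff00")),
    # Another host writes two registers starting at 0x0020 (alert).
    ("192.0.2.77", bytes.fromhex("00040000000b0110002000020400010002")),
    # Truncated frame: length field claims 6 bytes, only 2 follow (alert).
    ("192.0.2.77", bytes.fromhex("0005000000060105")),
]

if __name__ == "__main__":
    for alert in review(SAMPLE_TRAFFIC, APPROVED_WRITERS):
        print(alert)
```

Source-address allowlisting only narrows who can be on the wire; it does not add authentication to the protocol, so it belongs alongside network isolation of the control segment rather than in place of it.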

Re:Internet? (1)

OzPeter (195038) | more than 3 years ago | (#36939536)

I'm more worried about DNP3 substations than prisons since power companies tend to have a unified system and spread out over long distances though they know that.

I've said it on many occasions that a single person with a 4wd vehicle, and a high powered rifle with a scope could do more damage to the power system in a short time and do it more easily than anyone with a keyboard and a computer.

Re:Internet? (-1)

Anonymous Coward | more than 3 years ago | (#36938728)

If inmates get out because the cells were put on the internet
Use the term Correction facility "
Lower The idiots who put prison cells on the internet right in the middle of the meanest and most deviant of them
He/she or they come out with a Much wider permanent "Hind Side "backside "perspective
  on the matter!

Re:Internet? (4, Interesting)

houghi (78078) | more than 3 years ago | (#36938790)

To have remote access and that is the easiest way to do it. A leased line would be better.

The reason to have it remotely is the same reason why access to some banks is done off premises. If there is a hostile situation, you still have control of those doors.

The National Bank in Antwerp has a two-door entry. The second door only opens when the first door is closed. The person to control the door is not on site. So if he sees that I want to enter and he does not want me to, he can't physically be forced to do so.

I also assume that there is not one person who controls that door and there will be protocols as what to do in what situation.

Getting access to the person onsite might be possible. Offsite is a whole different layer.

Re:Internet? (-1)

Anonymous Coward | more than 3 years ago | (#36939296)

It's much smarter to put the prisons
Machine Guns under remote control ,
then the hackers can play live games,

Opening the cells and having Murderers, Rapists and illegal immigrants ,and Uneducated arrogant minorities
  escape is expensive and dangerous to the public

  Remote Controlled machine Guns Hacked ?
fine !! Great
We now just saved the public lots of Money ?

Re:Internet? (1)

Chris Mattern (191822) | more than 3 years ago | (#36939450)

If there is a hostile situation *and your remote connection hasn't been compromised*, you still have control of those doors.

Fixed that for you.

Re:Internet? (1)

nurb432 (527695) | more than 3 years ago | (#36939018)

I still say why are any of these connected to a commodity OS as well.

You don't *need* it to be online directly, nor do you need it to be tied to any specific commodity OS at this stage of the game. In the old days this was the case. Isolated networks, and dedicated operating systems were the norm (including the monitoring systems).

Re:Internet? (0)

Anonymous Coward | more than 3 years ago | (#36939254)

Why are the prison control systems connected to the Internet? Who thought that was a good idea?

Never mind RTFA, did you even read the summary? Perhaps this sentence fragment: A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick ...

This is how you break so-called "airwalls": by using removable media. This is also how the US DoD got nailed with Conficker (aka W32.Silly/SillyFDC) back in 2008.

Re:Internet? (1)

mysidia (191772) | more than 3 years ago | (#36939696)

Why are the prison control systems connected to the Internet? Who thought that was a good idea?

They are designed to operate without a connection to the internet. However, the computers used to control them run Windows on general purpose hardware.

Which means it is possible to connect them to the internet.

If you ask me, the designer of the system should utilize embedded hardware booted from flash media and basically read-only to the end user. Any reporting/data collection/data storage should be done by a second system connected to the control system over a NIC dedicated for that purpose.

Oh Fuck! (0)

Anonymous Coward | more than 3 years ago | (#36938444)

I want to do this. Sooo bad.

Re:Oh Fuck! (0)

Anonymous Coward | more than 3 years ago | (#36938632)

Yep.

It would absolutely kick ass if this happened to just about every prison in the US at around the same time.

And I don't mean just mess with them, I mean open all the doors, then fry the PLCs.

Re:Oh Fuck! (0)

Anonymous Coward | more than 3 years ago | (#36938782)

It wouldn't be so bad. You have the largest prison population in the world, but unless you have a higher hardcore criminal percentage than other countries, a lot of those prisoners aren't very dangerous.

Re:Oh Fuck! (0)

Anonymous Coward | more than 3 years ago | (#36938874)

Except for the fact that it is a system that creates hardcore criminals out of mere scofflaws by confining them amongst the hardcore for extended periods of time.

Who needs an insider (1)

Anonymous Coward | more than 3 years ago | (#36938476)

Scatter a bunch of infected usb keys around the parking lot [slashdot.org]. Someone will insert it into a computer.

Take a wild guess (1)

Simply Curious (1002051) | more than 3 years ago | (#36938496)

So, anyone want to guess whether people will react with "That security system is horrible." or with "Hackers can do anything." ?

Hollywood, infect your heart out (2)

DarwinSurvivor (1752106) | more than 3 years ago | (#36938502)

Expect this to be a new thing in hollywood movies. I think it's about the only thing they HAVEN'T used for a prison escape!

Re:Hollywood, infect your heart out (0)

Anonymous Coward | more than 3 years ago | (#36939244)

Not Hollywood, but Wallander (book, Swedish TV adaptation and also British TV adaptation (still set in Sweden)) beat them to it.

A gang with the intent to destabilise the entire economy released a comrade from the police station cells (not quite prison, admittedly) by remotely overriding the locks.

Re:Hollywood, infect your heart out (0)

Anonymous Coward | more than 3 years ago | (#36939550)

Although not in a movie, something like this happened in an episode of Terminator: The Sarah Connor Chronicles.

Why are prison doors connected to a computer? (1)

Lord Lode (1290856) | more than 3 years ago | (#36938548)

Wouldn't a good old switchboard do?

BS (2)

vlm (69642) | more than 3 years ago | (#36938550)

All believable, right up to:

We could blow out all the electronics.

The best I can think of is turning on the entire HVAC system at the same instant, popping the circuit breakers to the facility.

Maybe you could turn the power to the TVs on and off every second until the switching power supplies blow, or maybe that wouldn't work..

The problem with getting "average joe" to infect a PLC, is PLCs and their systems are getting more complicated, to the point that only specialists mess with them. It's a temporary thing. In the past, they were too few to matter, in the future they'll be too complicated for all but specialists to have access. This is just a momentary thing where "joe average industrial maint electrician" could theoretically screw stuff up.

Re:BS (3, Informative)

drinkypoo (153816) | more than 3 years ago | (#36938630)

If you could activate all the doors at once you could possibly overload the system. You're not going to blow out all the electronics, but you may well disable a critical path system. And if you opened all the doors and then opened them all some more simultaneously, that might well get them stuck open to the point where a human would have to manually close and lock each cell.

Re:BS (2)

vlm (69642) | more than 3 years ago | (#36938952)

If you could activate all the doors at once you could possibly overload the system.

I would disagree as "instant-lockdown" is probably one of the main features of the system. Any time they see a fight, to stop it from turning into a (bigger) riot, slap the big red switch to isolate the inmates. The opposite is the "fire switch" so you can instantly let all the inmates out of their cells; I suppose it depends on the security level of the inmates and local policies; some prisons might let them fry in their cells if there's a fire.

And if you opened all the doors and then opened them all some more simultaneously, that might well get them stuck open to the point where a human would have to manually close and lock each cell.

Now we're getting somewhere, cycle half open half closed until they all jam... assuming they are not inherently mechanically designed not to do that. It might be more expensive to design one that jams... Depending on contracts and corruption, a more expensive door that is capable of jamming might have been "required" so that expensive fixes can be applied.. But that's not the PLC's fault.

Re:BS (1)

drinkypoo (153816) | more than 3 years ago | (#36939310)

I would be totally unsurprised if you didn't have to at least account for motor start delay, especially when the prison is being built by the lowest bidder.

Re:BS (1)

DarkOx (621550) | more than 3 years ago | (#36938636)

The thing is your typical "PLC" these days is pretty much a ruggedized PC running Windows, and a likely buggy stack of control software packages on top of that; which do not get along with the security patches for Windows, so Windows does not get patched. This is a pretty serious problem when these machines are not properly isolated.

What if... (1)

SwedishChef (69313) | more than 3 years ago | (#36938930)

You got control of the PLCs, started the emergency generator, set it to run at 75Hz, and forced it to connect to the mains? I'm thinking that might blow up a few bits and pieces of electronics.

Remember that Stuxnet was designed to use the PLCs to vary the frequency of the equipment.

Re:What if... (1)

leucadiadude (68989) | more than 3 years ago | (#36939008)

Clearly you don't know much about how backup emergency diesel speed control systems are set up. Most of em are physically unable (as in a mechanical limiter) to raise speed above 63 hz. And most if not all have automatic tripping if speed drops to or below 57 hz while loaded. I can see sitting there at 57 hz for a long time, that might cause high current draw from your loads, eventually leading to long time delay current trips. Can't see much chance of long term damage. Might be a PITA to restart in manual though.

Re:BS (0)

Anonymous Coward | more than 3 years ago | (#36938954)

PLCs [wikipedia.org] are specialized hardware designed for real time control of several hardware interfaces. They're certainly not running Windows. What you're thinking of are the central control systems which run the SCADA [wikipedia.org] software.

Re:BS (0)

Anonymous Coward | more than 3 years ago | (#36939566)

Typical PLCs do not run Windows. The majority of PLCs use a manufacturer's customized real-time OS - certainly all the major brands (Rockwell, Siemens, Mitsubishi, Omron, Schneider, etc) do. However the operator supervisory interface (the "SCADA" bit) does run often on Windows, and small local operator interfaces often run on Windows CE also.

Re:BS (1)

Anonymous Coward | more than 3 years ago | (#36938740)

When safety conditions are only enforced by software, modified software can violate these safety conditions and cause physical damage. A simplistic example: A microcontroller has IO ports which can source a certain amount of combined current. If your software makes sure that no combination of individual ports which results in excessive current is ever switched on, the whole thing works fine. If the software is modified to enable all ports at the same time, the microcontroller dies. There are lots of other ways by which software can damage hardware: Programmable voltage controllers can fry the hardware, software-controlled limit switches can be disabled to destroy machinery, duty cycles can be modified to burn out motors, LEDs and other actors. Can you imagine what seeking would do to a hard disk if it isn't spinning? Those are all software controlled functions.

The only reason why people still think they can mess with software any way they want and not risk damaging their hardware doing so is that they stay clear of the low level stuff, partly because the operating system won't let them near it and partly because they don't even know it's there. Deep inside modern machinery controlled by universal PLCs, software is increasingly often the only thing ensuring safety.

Re:BS (0)

Anonymous Coward | more than 3 years ago | (#36939030)

A typical laptop has software in it (afaik it's commonly an 8080 inside the "keyboard bios" which does these things) which makes sure not to keep charging the Li-Ion battery. It can be overruled and when you do that, the battery will eventually start smoking and catch fire.

Thus, software is saving my life almost daily.

Re:BS (0)

Anonymous Coward | more than 3 years ago | (#36939606)

Laptop batteries include their own safety circuit, so the laptop actually can't overcharge the battery. It has recently been shown that laptop batteries can be rendered useless by reprogramming their controller. I think there's still some analog overcharge protection circuit in there, so making it useless is the worst you can do for now.

Re:BS (2)

Thad Zurich (1376269) | more than 3 years ago | (#36938806)

If you root the PLC, then you can probably do something like cycle the locks until the solenoids burn out. Given the inherent conflict between safety and security, I wouldn't care to bet whether they'd fail in lockdown or free-for-all mode, or 50/50 either way. Any countermeasure implemented in PLC code instead of hardware (or a semi-autonomous downstream PLC) would be vulnerable to alteration. A well-designed PLC implementation will have only *monitoring* outputs accessible to Internet-connected PCs, while the actual control inputs remain locked up tight in multiple ways.

Reactions from officials (0)

Anonymous Coward | more than 3 years ago | (#36938570)

I bet reactions from officials will include:
1) This wouldn't happen, because it's illegal!
2) We have to increase sentences for these kinds of acts!
3) We have to create new laws to punish people who do this!
4) Let's sue whoever found the vulnerabilities!

You can be sure they won't include:
1) Admission that anything is wrong or any mistakes were made.
2) Removal of vulnerabilities.
3) Realisation that "pays for politician-in-charge's yacht and summer home" is not a criterion for competence.

Common sense? (2)

Severus Snape (2376318) | more than 3 years ago | (#36938590)

The problem being the majority of these systems were designed at a time when malware and hacking were not as big an issue as today, common sense can stop most threats easily but, no internet access, restrict physical media. Sorted. On a bigger scale but, it really worries me, cyber warfare is here and nobody is prepared. Things are going to get messy, fun fun times are ahead. :)

wow (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#36938598)

That right there is some over the top scaremongering oh no the hackers could let out the evil convicts!

Wow.... That's some major league bullshit spin. I gotta hand it to whatever powers that be came up with the idea that all of america now need to be afraid of the evil nasty internet hackers... Seriously. You outdid yourselves on this one. Way to reach for the stars. Go have a money fight or whatever you fucks do... That's some grade A fear trolling.

I'm impressed.. I wonder how many millions were spent on this little slice of fear to control people. That's... wow.

Why is the Coward above labeled Flamebait? (3, Insightful)

denzacar (181829) | more than 3 years ago | (#36939196)

This IS scaremongering.

'Once we take control of the PLC we can do anything (PDF). Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.'

Right there.
Your average reader now doesn't visualize a circuit-board somewhere fizzing out and releasing some of that mythical white smoke.
He sees **BUM!***BUM!***EXPLOSIONS!!!***BADA-BUM!!*** instead.
Followed by rapists and serial killers and cannibals being armed with rocket launchers and AIDS and set loose onto a kindergarten city somewhere.
You know... a city made entirely out of kindergartens. And diaper factories.

Too bad Numb3rs was canceled...
Or there would now surely be an episode in the making about just such an escape attempt.
Fortunately, CSI: Miami is still on the air.
We may yet see 2 million convicts across USA blowing up prisons with internet viruses and then rampaging across the land... no... wait...

QUICK! Someone get me Michael Bay and Jerry Bruckheimer - I've got their next blockbuster right here!

This article is Shite (4, Informative)

ControlsGeek (156589) | more than 3 years ago | (#36938658)

In the first place the prison control network is likely not Ethernet. If it uses Allen Bradley PLCs in North America it is probably ControlNet, a Token Passing bus topology. If it uses Gould/Modicon/SquareD/Schneider it is probably Modbus Plus, also a Token passing Bus Network. The PLC's will be executing Ladder Logic.
The Control Computer that the article talks about is only used to modify or create code for the PLC's and thereafter disconnected. It would usually only be reconnected for Maintenance reasons. The control of the unlocking or locking of cell doors is likely by push button in the Guard control room and done through the PLC I/O.

The network is not going to be connected to the internet as that would be stupid.

Re:This article is Shite (2, Informative)

Anonymous Coward | more than 3 years ago | (#36938778)

The problem is that this is not the case as is detailed in the paper.

Re:This article is Shite (0)

Anonymous Coward | more than 3 years ago | (#36938988)

The paper says no such thing. There is NO detail in the paper.

Which Prison ?
What PLC is used model or vendor not specified.

The Authors obtained a Siemens PLC unlikely to be used in NA because that particular model was what the Stuxnet virus was designed to attack as it was used in an Iranian Nuclear fuel facility. This German PLC uses PL7 as the control software to develop code in one of several languages see IEC61131.
These languages are vendor specific and not commonly used in North America. LD the IEC1131 LaDder language is not the same language as Allen Bradley Ladder Logic or Square D ladder logic.

The paper is typical academic vague BS

Re:This article is Shite (1)

Jaktar (975138) | more than 3 years ago | (#36939012)

++mod

I agree and would like to add that when you say "likely not Ethernet" also means that there are some that are. We've recently started using Directlogic PLC's. Some do have ethernet (like the DL205).
http://support.automationdirect.com/docs/plc_selection_considerations.html [automationdirect.com]

You could run all of your PLC's through a router so you could have all your PLC's programmable from a remote location. We've never done that, but then again we also don't have a prison population and access controls to deal with.

Re:This article is Shite (3, Interesting)

OzPeter (195038) | more than 3 years ago | (#36939212)

You could run all of your PLC's through a router so you could have all your PLC's programmable from a remote location. We've never done that, but then again we also don't have a prison population and access controls to deal with.

I've done things like this and it works well. Had multiple remote sites connected to the home base via a VPN over the Internet. Not that I recommend programming from a remote location, but being able to ensure you have central backups, and do a centralized version control is a boon. The alternative was to have contract cowboys in each region with their own private copy of what they think the PLC program should be. So now the contractor arrives at site, checks out the PLC code from the central repository, modifies the PLC and then checks the code back in.

Re:This article //Remote programming access. (1)

ControlsGeek (156589) | more than 3 years ago | (#36939216)

Yes, you could have this done over Ethernet TCP/IP. You could bridge the local Control Net to the internet and this is done in some cases. You could program from a central location in the facility. There are many reasons that you may want to do that but the safety consideration of someone accidentally remotely turning on or off a valve or causing a robot to swing into a new position means it is not commonly done in the most automated of factories. Of course each system is custom engineered for an application so anything is possible.

I would imagine in a Prison there may be a reason to program from a remote (safe) location. But I see no need to do that from outside the prison walls.

Re:This article is Shite (2)

PPH (736903) | more than 3 years ago | (#36939250)

The Control Computer that the article talks about is only used to modify or create code for the PLC's and thereafter disconnected.

Unless the control computer is running an HMI (Human Machine Interface) to monitor and/or control lock and alarm status. Then that's the attack vector. Think you can keep that system off the Internet? Good luck with that.

From TFA:

He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet.

Back when I worked for Boeing, we (engineering) supported some shop floor ATE (automated test equipment). Over our objections and warnings, management instituted a program to port all the ATE equipment over to Windows specifically so that shop floor personnel could use the system to handle their Outlook e-mail. In spite of warnings that this could jeopardize equipment certification and put their FAA manufacturing certificate at risk, the program proceeded. Management felt it was more important to give employees immediate access to inter-company communications than to build airplanes safely. Problems did crop up, including an incident where one mechanic decided that he wanted the wallpaper on his ATE controller to be a snapshot from the infamous Pamela Anderson/Tommy Lee honeymoon video. And in spite of our having used Windows NT, there was no way to lock the configuration of the system down to prevent him from putting the picture back several times (until we fired his ass). I don't care what all the CS graduates say, if a simple rivet driver can override a (supposedly) secure system, it's just not securable.

Re:This article is Shite (1)

ControlsGeek (156589) | more than 3 years ago | (#36939392)

Yes I have seen those same issues in some of my work in Automated factories. The typical way to bridge Control Networks over to HMI networks is done haphazardly in many instances. The proper way would be through a Firewall router that would block ports used for PLC commands. I once commissioned a custom configured EPROM in a bridge for this purpose that allowed READ but not WRITE access to Modicon PLC's from SCADA system (operated by IT/CS guys) to PLC's in the factory (that are the Domain of the Engineering and Maintenance people). There are PORTS that can easily be blocked in a firewall that would allow Web Email on port 80 but not allow PLC access on its port. Also TCP/IP protocol stack may be on a different Ethernet card for Control HMI. Bridging between the cards should be disabled.
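The read-but-not-write bridge described in the comment above can be sketched as a default-deny request filter. This is an added example, not code from the commenter or from any vendor: it assumes Modbus/TCP framing (the comment's bridge may well have sat on Modbus Plus), assumes each payload it is handed contains whole requests, and all function names and sample frames are constructed for illustration.

```python
import struct
from typing import List, NamedTuple

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

# Read function codes and their maximum quantity per request, as defined in
# the public Modbus application protocol specification. Everything else
# (writes, diagnostics, vendor-specific codes) is denied by default.
READ_LIMITS = {
    0x01: ("Read Coils", 2000),
    0x02: ("Read Discrete Inputs", 2000),
    0x03: ("Read Holding Registers", 125),
    0x04: ("Read Input Registers", 125),
}


class Verdict(NamedTuple):
    allow: bool
    reason: str


def check_adu(adu: bytes) -> Verdict:
    """Judge one Modbus/TCP request ADU (7-byte MBAP header + PDU)."""
    if len(adu) < MBAP.size + 1:
        return Verdict(False, "truncated ADU")
    _tid, proto, length, _unit = MBAP.unpack_from(adu)
    if proto != 0:
        return Verdict(False, "protocol id is not Modbus (0)")
    if length != len(adu) - 6:  # length counts unit id + PDU
        return Verdict(False, "MBAP length does not match frame")
    function = adu[7]
    if function not in READ_LIMITS:
        return Verdict(False, f"function 0x{function:02X} is not an allowed read")
    name, max_qty = READ_LIMITS[function]
    if len(adu) != 12:  # a read request is exactly: code, address, quantity
        return Verdict(False, f"{name}: malformed request body")
    _addr, qty = struct.unpack_from(">HH", adu, 8)
    if not 1 <= qty <= max_qty:
        return Verdict(False, f"{name}: quantity {qty} out of range")
    return Verdict(True, name)


def split_adus(payload: bytes) -> List[bytes]:
    """Split one TCP payload into ADUs using each MBAP length field."""
    adus, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < MBAP.size:
            adus.append(payload[offset:])  # stray bytes; check_adu rejects them
            break
        (length,) = struct.unpack_from(">H", payload, offset + 4)
        end = offset + 6 + max(length, 1)  # always advance, even on length 0
        adus.append(payload[offset:end])
        offset = end
    return adus


def filter_payload(payload: bytes) -> Verdict:
    """Forward a payload only if every ADU in it is a well-formed read, so a
    write cannot ride behind a read in the same TCP segment."""
    adus = split_adus(payload)
    if not adus:
        return Verdict(False, "empty payload")
    for adu in adus:
        verdict = check_adu(adu)
        if not verdict.allow:
            return verdict
    return Verdict(True, f"{len(adus)} read request(s)")


# Constructed sample requests (not captured traffic).
READ_REGS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0x0000, 10)
WRITE_COIL = struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x05, 0x0010, 0xFF00)

if __name__ == "__main__":
    for label, data in [("read", READ_REGS), ("write", WRITE_COIL),
                        ("read+write", READ_REGS + WRITE_COIL)]:
        print(label, filter_payload(data))
```

The allowlist is the point: a port block alone cannot tell a read from a write on the same port, while a function-code filter between the SCADA side and the PLC side can.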

Re:This article is Shite (1)

codegen (103601) | more than 3 years ago | (#36939548)

I don't know what CS graduates you are talking to, but none of our CS grads would consider Windows a securable system.

Re:This article is Shite (0)

Anonymous Coward | more than 3 years ago | (#36939304)

Not necessarily. Most of the newer controllers I have seen out there are using TCP/IP modbus. Especially the ones that have 50+ input outputs on them.

The older stuff is either 485 or 232 runs. Then if you want to build some sort of 'runs it all system' automation you put a computer into the mix and run some sort of SCADA system. Which is usually head ended by a PC. Which tada has ethernet built in.

Also many of the newer AB controllers have TCP built in. Least the ones I have been seeing. Sure the older ones don't. But ethernet has many of the same capabilities as 485 of run length. But is also much nicer to wire up and you can buy off the shelf routers (cheaper) for things.

Serial bus controllers will be around for a long time. As the systems they built with them will be around for a long time. But newer stuff is almost all going TCP. Or at least the option to do it.

Let me put it to you this way. My customers do not ask for serial bus anymore...

Re:This article is Shite (1)

ControlsGeek (156589) | more than 3 years ago | (#36939582)

You are correct the newer controllers can come with Ethernet although TCP/IP Modbus isn't the same protocol stack as Rockwell's TCP. Regardless if you are going to do this I recommend that you keep the network cards separate at least. An ethernet card is less than $50 these days. Then load different protocol stack on each card and disable bridging. Load the driver for the PLC and bind it to one card while the Other card can be used for internet. Disable bridging between the two network interfaces. Use the firewall SW and block the ports. You may consider MAC Address filtering as well.

No no no no..... (4, Funny)

RevWaldo (1186281) | more than 3 years ago | (#36938692)

This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter:

UNLOCK ALL INMATE DOORS
DEACTIVATE SECURITY SYSTEM

Then you smash the screen with a hammer so that no one can override the commands. It's simple.

What?

.

Re:No no no no..... (1)

OzPeter (195038) | more than 3 years ago | (#36938870)

This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter: UNLOCK ALL INMATE DOORS DEACTIVATE SECURITY SYSTEM Then you smash the screen with a hammer so that no one can override the commands. It's simple. What? .

Totally wrong. Wrong I tell you. You have to Deactivate the alarm system first, then open the doors. That way you don't announce to the rest of the world that you have engineered the breakout. Just make sure not to overlook the hidden alarm that was secretly put in by the super crime fighter to let him know when his nemesis has escaped.

Unless of course you engineered the breakout to cover for the fact that you are committing a crime in another part of the city. In which case you only open some of the outside doors in order to prolong the escape and provide the longest coverage for your plans - which might include luring your nemesis to the escape location in order to punish/frame him.

Did I just write a hollywood movie? Or a series of movies????

Re:No no no no..... (1)

zippthorne (748122) | more than 3 years ago | (#36938904)

Did I just write a hollywood movie? Or a series of movies????

Depends.. Isn't that the plot of Batman Begins?

Re:No no no no..... (1)

OzPeter (195038) | more than 3 years ago | (#36938924)

Did I just write a hollywood movie? Or a series of movies????

Depends.. Isn't that the plot of Batman Begins?

You know, it probably was .. but I didn't have that movie in mind when I wrote my comments as I had totally forgotten about it - not to mention that I never saw it either

Re:No no no no..... (4, Funny)

Clueless Moron (548336) | more than 3 years ago | (#36938994)

This is how you do it. You just break into the warden's office, find his PC, go to a command line and enter: UNLOCK ALL INMATE DOORS DEACTIVATE SECURITY SYSTEM .

You left out a critical step. The computer will respond with ACCESS DENIED, at which point you type OVERRIDE

Stuxnet super worm .. (1)

AHuxley (892839) | more than 3 years ago | (#36938700)

Recall all the Stuxnet comments on how unique and targeted it was.
The perfect safe digital weapon with layers of unique code to seek out a sub set of industrial units.
Now cost cutting Microsoft based programmable logic controllers are at risk in other areas...
Why are so many expensive unique projects connected to low end Windows code?

Re:Stuxnet super worm .. (1)

Thad Zurich (1376269) | more than 3 years ago | (#36938818)

...because Microsoft already has all of our software money.

Re:Stuxnet super worm .. (1)

ControlsGeek (156589) | more than 3 years ago | (#36939238)

The Microsoft Windows code referenced refers to the PL7 Compiler which typically runs on a laptop and is used to download code to the serial port on the PLC.
The Windows laptop is used because it is ubiquitous and cheaper than the predecessor, a customized PLC programming terminal.

Blog (0)

azuan (2425714) | more than 3 years ago | (#36938702)

My blog also been hacked..

Bare the Bear in mind!!!! (1)

Quick Reply (688867) | more than 3 years ago | (#36938828)

It must be traumatic to feel like there is a Bear in your mind (Assuming it is the grizzly kind, not the furry friendly kind), I wonder how the author can bare it?

Re:Bare the Bear in mind!!!! (1)

Quick Reply (688867) | more than 3 years ago | (#36938864)

It must be traumatic to feel like there is a Bear in your mind (Assuming it is the grizzly kind, not the furry friendly kind), I wonder how the author can bare it?

OK my mistake, I am actually wrong about this [google.com] . My apologies to the author.

Lots of scary buzz words (5, Informative)

OzPeter (195038) | more than 3 years ago | (#36939082)

TFA has lots of security related buzzwords, but for me the meat in TFA is buried down in

Custom exploits are not hard to create for PLCs due to the ease of programming them by simplistic programming languages like Ladder Logic. For example, everyone on this research team was able to put together a PLC exploit in only a few hours. While we created the exploits for research purposes, there are many exploits that are publicly available and can be found online such as on Exploit-DB.com.

There are multiple attack vectors that could lead to a compromise of the PLCs. If the machine controlling, monitoring, or programming is misused by personnel and connected to the internet, then the usual client side attack vectors are in scope. When it is connected to the Internet, it is also subject to conventional attacks such as, man-in-the-middle, network based attacks exploits, and forced updates – perhaps some with improper SSL certificates as was the case with Stuxnet

So there are lots of scary buzzwords all over the place, but when it comes to saying what they actually achieved in their "research" they are extremely light on details. Sure don't tell the world what techniques you actually employed, but do tell us that you remotely snuck into a network and managed to flip some I/O signals etc. If anything the biggest joke in the paper is

By accessing the loaded libraries of the software that control, monitor, or program the PLCs, we believe we have found an attack vector that is not vendor-specific.

That's like saying that hacking into the ECU of a car is a vulnerability that is present across all car manufacturers. Yep it sure is, but then you need to step back and admit that every car manufacturer has a bespoke implementation of their control units and the real world is not like Independence Day.

I have been using PLCs for longer than some /.'s have been alive and one thing I can say is that the only thing each manufacturer's PLC has in common with each other is that they run off electrical power. And given the way PLC code is typically written, every prison control system is going to be a custom job, so there is not going to be any implementation consistency across the board. Stuxnet only worked through a sophisticated and well researched plan to directly target Iran's nuclear program. Regardless of who you blame as the originator, you have to admit that it was not the job of a script kiddy, but someone with immense resources behind them. If you think that someone is going to direct an equal amount of resources towards unlocking a prison, then you have more issues to consider than a bunch of dope dealers running around free.

Finally the biggest laugh for me in TFA was

The communications port is typically 9-pin RS-232 or EIA-485;

That shows that the authors have no idea about how a modern PLC system is put together. Serial comms may be the rage for shoebox PLCs (and given that they spent only $2500 on hardware/software, they were NOT dealing with a big name PLC manufacturer, or anything larger than a "toy" PLC), but on a modern mid sized PC system we have upgraded to Ethernet, Profibus and even fibre for comms. A colleague recently had a "small" PLC system on his desk - two PLC racks in a redundant setup and just the CPU and system cards, with no I/O racks. The list price of this hardware was $100,000 and it was nothing special. (Claims of Apple being over priced are nothing compared to PLC manufacturers).

Re:Lots of scary buzz words (1)

tfigment (2425764) | more than 3 years ago | (#36939518)

While I don't disagree that PLCs are way over priced. $100,000 sounds a bit too high for a PLC even if it's a safety PLC with redundancy. We should be talking $5000 per PLC and then $1000-2000 per IO module (1 IO = 4-8 analog, 16 digital, 6 Thermocouples, ...) before vendor discounts. We instrumented some sophisticated stuff for $50000 with Rockwell DeviceNet and that was at least a full panel (like 8 racks full of IO). When we switched to custom embedded controllers the cost was something like $3000 for the equivalent hardware. Admittedly their software has a lower barrier of entry and far less development cost but is useful for prototyping before going into full scale production.

Re:Lots of scary buzz words (1)

OzPeter (195038) | more than 3 years ago | (#36939634)

While I don't disagree that PLCs are way over priced. $100,000 sounds a bit too high for a PLC even if it's a safety PLC with redundancy

I was surprised at the cost as well. This was the latest bleeding edge (less than 6 month old) AB system, 2 racks, 2 cpu's per rack, 2 Ethernet cards and 2 Fibre cards and a couple of other cards. So you are down in the $10K+ per card on average - which is not that unreasonable. So your cards are not that far off. I used to think that GE stuff was pricey too - until I did some jobs with Toshiba PLCs.

Guns (0)

Anonymous Coward | more than 3 years ago | (#36939202)

That's why the guards on the towers carry guns.

Cheat with display (0)

Anonymous Coward | more than 3 years ago | (#36939340)

Stuxnet managed to cheat everybody by having the display show nothing was wrong, while in fact spinning the uranium faster.

Therefore, something similar needs to display that the doors are in fact closed, when they really are open.
