Computer-Aided (Prison) Jailbreak?

Nobody actually escaped — but it seems one inmate was nearly assassinated. The second time in two months that all the cell doors in a maximum-security wing “mysteriously open,” and this time there’s surveillance video showing prisoners apparently executing a pre-planned assassination attempt as soon as it happens.

The logical conclusion is that someone took advantage of a vulernability that had been presented two years ago at DEFCON, basically showing that prisons use SCADA-like hardware with SCADA-like problems… and often even less computer security than the (slowly catching on) public utilities field.

Unfortunately, it’s hard to figure out exactly what happened. The control software in this case only has one error message — “Operator Error.”

“Operator Error” is the one thing prison officials are reasonably sure DIDN’T happen. After the first “accidental release,” they modified the software so that any future push of the “group release” button would ask the operator to confirm he was really sure he wanted to do that.

Now, it’s possible this really is “just a glitch.” Another prison experienced the same problem, about a month before the first incident at this prison… that first prison had two “accidental releases” happen within the space of three days.

So maybe prison computers are just starting to side with the inmates.

“a surveillance video released this week (see above) suggests that the doors may have been opened intentionally — either by a staff member or remotely by someone else inside or outside the prison who triggered a “group release” button in the computerized system. The video raises the possibility that some prisoners knew in advance that the doors were going to open.

It’s the second time in two months that all of the doors in the wing opened at once, officials say, raising questions about whether the first incident was a trial-run to see how long it would take guards to respond.[…]

the security breach only opened the doors of K-81, the maximum-security wing. Guards at the prison say they did not open the doors.[…]

According to a written account by one of the guards on duty that night, which WIRED obtained, the incident occurred around 7:04 p.m. just after a shift change. A guard who identified himself only as Officer G. Summons in the report, said he had just relieved another officer for a break at 7 p.m. when “the control panel shutdown and all cell doors opened.” At that point “all inmates came out of their cells.” Officer Summons called for backup, and at 7:07 p.m. the guard he had relieved a few minutes earlier, along with a second guard, entered the booth to assist. Other guards began corralling inmates back to their cells.

But according to the video, not all of the inmates exited their rooms, as Summons reports. As soon as the doors opened, surveillance cameras captured one prisoner in particular immediately leaving his cell, as if he had anticipated the door opening, and walking down a passageway toward another prisoner, with whom he reportedly exchanged a shank or homemade prison knife. They and two other inmates then closed-in on 27-year-old Kenneth Williams, who leapt over a second-floor balcony railing to escape his would-be assailants and suffered a broken ankle and fractured vertebrae in the fall.[…]

an initial review of the computer logs indicated that an “operator error” had occurred, but they don’t know what exactly this means.

“The software in the computer has only one kind of thing, operator error, and we don’t know what triggers that, so part of the inquiry is to find out what the software is saying,” he said.

But the correctional facility in Florida isn’t the only one to experience a problem with its electronic doors. Last April, just a month before the first Florida incident occurred, a correctional facility in Maryland had a similar problem when the locks on 500 cell doors disengaged simultaneously at around 12:20 a.m. on a Saturday morning.

A computer malfunction was also blamed for this failure. Officials at the Montgomery County Correctional Facility where it occurred said no inmates tried to escape, but about 20 police cars were called in to secure the perimeter of the facility during the hour it took to fix the glitch and secure the doors. Three days later, however, the locks on the cell doors disengaged again. It’s not clear if Black Creek’s system is also installed at that facility. Officials in Maryland did not respond to a call for comment.[…]

a trio of security researchers — John Strauchs, Teague Newman, and Tiffany Rad — say that many prison systems have vulnerabilities that can be exploited remotely by hackers or accomplices from inside or outside a prison. They have examined systems at a number of facilities and two years ago presented their findings at the DefCon hacker conference in Las Vegas.[…]

According to Strauchs, a hacker could install malware to gain control of prison computers either by getting a corrupt insider to install it via an infected USB stick — and programming the attack to kick in at 2 a.m. on someone else’s shift — or by sending it to a worker via a phishing attack aimed at tricking the staffer into clicking on a malicious attachment or link. Though control systems at prisons shouldn’t be connected to the internet, Strauchs says his team once toured a prison control room in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also computers in non-essential parts of prisons, such as in the commissaries or laundry rooms, that are sometimes connected to the networks that control critical functions, allowing someone to remotely hijack the control room system from another location in the prison.

“Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers wrote in a paper they released in 2011. “Access to any part, such as a remote intercom station, might provide access to all parts.”

%d bloggers like this: