Attacking PLCs Controlling Prison Doors
Embedded system vulnerabilities in prisons:
Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.
Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. including eight maximum-security prisons says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.
This seems like a minor risk today; Stuxnet was a military-grade effort, and beyond the reach of your typical criminal organization. But that can only change, as people study and learn from the reverse-engineered Stuxnet code and as hacking PLCs becomes more common.
As we move from mechanical, or even electro-mechanical, systems to digital systems, and as we network those digital systems, this sort of vulnerability is going to only become more common.
mdb • August 2, 2011 7:03 AM
PLCs are already everywhere. I use to install them in water and waste water facilities 15 years ago. They were ubiquitous then, even more so now. Every large building built in the 30 years has them to run their hvac systems, many homes have them now. That said, every system I installed was independent and not connected to the internet – this was purely for security reasons. Given the route the stuxnet was introduced to nuclear facility, I would have to bet that is still true today.