Schneier on Security
A blog covering security and security technology.
« Commentary on Strong Passwords |
| More SSL Woes »
November 14, 2011
Remotely Opening Prison Doors
This seems like a bad vulnerability:
Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems.
The researchers began their work after Strauchs was called in by a warden to investigate an incident in which all the cell doors on one prison's death row spontaneously opened. While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.
The weirdest part of the article was this last paragraph.
"You could open every cell door, and the system would be telling the control room they are all closed," Strauchs, a former CIA operations officer, told the Times. He said that he thought the greatest threat was that the system would be used to create the conditions needed for the assassination of a target prisoner.
I guess that's a threat. But the greatest threat?
EDITED TO ADD (11/14): The original paper.
Posted on November 14, 2011 at 7:14 AM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The greatest threat is that the corrections officers wouldn't know that the population was running about until it was too late. Also I suppose you could remotely lock the doors and keep them that way. That would allow all kinds of bad things to happen without CERT (Correctional Emergency Response Team) being able to respond in time.
I read a different article, can't remember where, sorry, which explicitly said that the automated doors where only in the prisoner area. So a prisoner can move between cells (hence the assassination threat) but can't escape.
I suspect that by "greatest", they may mean "most likely". There's real incentive for a criminal organization to arrange something like that.
I bet they get paid per prisoner; so if someone whacks one they make less money - hence greatest threat from their perspective. Plus their costs are probably largely fixed (like an airliner), so the loss of a single prisoner has a disproportionate impact on profit.
A prison break is a prison break. An assassination is a news story.
in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.
Ah, and here we have it. Security once again takes a back seat to human nature.
It wouldn't be so much of an issue if prisons could afford their own IT staff, but then you would have a whole host of new problems, beginning with coercion of the IT department.
Which all goes to show that there are some things for which electronic technology is NOT appropriate.
The guards would be unaware of the doors being open only if they were not paying attention to their audio and video monitors ...
Why oh why do they have external links...
The point behind restraining prisoners with in prison is to keep them compleatly segregated from the rest of the world including other inmates etc. Then at all other times segregation is lifted control with considerable care the interaction of the prisoners with others.
So why simply because the systems are "automated" or "computerised" in some way does it become a major necessity to have these systems externaly connected....
I'm trying to think of something that is equally as daft, but for now words fail me...
Organized crime folk do like to kill each other, in prison and out, but going to the trouble of hacking the prison's computer system to get access so they can off someone seems like a minimal threat when either the person is already slated to die, or they can get him in the lunchline.
Seems like the most likely risk here is griefing from people who mess with it because they can mess with it, and the consequences are some dead prisoners or guards.
The greatest threat is the one that endangers the most valuable. And the most valuable is the life of a human being.
Compared to some people running free the murdering of an inmate is the greatest threat.
This type of thing usually results from a money and convenience issue. Anytime something in the system needs to be updated or tweaked you have two choices.
A. Call the automation contractor, schedule a day when their tech is available, pay travel expenses, plus $110 per hr (4 hour minimum).
B. Call the automation contractor, have them dial-in or VPN into the system. ($50, sometimes even free for trival issues) instant gratification.
In my experience most organizations eventually choose B, even when they start with A.
I wonder if these PLCs are used in other things besides prisons...
"Why oh why do they have external links"
So the guards can check their email and play facebook games, of course.
No, really. Most of these systems' documentation states that they must not be connected to the internet, but I heard about a recent audit found that 100% of them (n=500 or so) were connected anyway, and were often used as terminals. I wish I could remember the source.
The most secure technological system in the world can always be defeated by a bored and trusted insider who wants to see the dancing kittens. You always need a secure social system too or technological security is worthless.
We haven't replaced all the guards with PLCs yet.
@Andrew2: I would think the risk of bad IT management policy could be mitigated if these SCADA systems were controlled from an embedded system (perhaps Linux or even WinCE) that wasn't a general purpose desktop. There would be less temptation to connect it to the internet. Even if they did, these systems could have a default firewall configuration that blocks everything or nearly everything, in or out.This would still be miles away from a dedicated system running GreenHills Integrity, but a far cry from the facepalm inducing stupidity of Windows XP, which I am sure these systems run on.
I would have to imagine if one wanted a prisoner assassinated, there would be a very well bribed guard who would *oops* leave the wrong door open. This doesn't require any vulnerabilities in the system, other than the traditional insider. No internet connection required, and the insider has the best view of what is going on in the prison.
Of course, I could imagine some good movie theater plots coming out of this. Perhaps some organized crime element with members in prison could open the gates to incite a riot to distract the guards while the gang searches the prison for a hidden treasure. That is, until Steven Seagal shows up.
The original paper is pretty poor in my opinion. It goes like this:
1. Prisons use PLCs
2. PLCs can be exploited
3. We can conceive that an exploit could be deployed as they have external connections
There's not much concrete there - unless I am missing something?
No, you're right.
There's better research that seeks less press. There's plenty of press to come too though. Round about January I expect...
To paraphrase Alan Shepard on space flight:
"It's sobering to realise that one's safety margin was determined by the lowest bidder on a government contract."
Yes, these are in many cases, the same PLCs you'll find on any plant floor. This issue however is nothing new, it's just more acute now that the Internet is involved. It used to be there were modems tied in to these kinds of systems for remote access before the prevalence of the Internet. The smart system managers would have the modem switched off until they knew an authorized service person was going to call in to do work, but a lot of places just left the modems on for convenience.
I haven't read the paper yet, but from every system I've ever seen once you have system access, you can control every door that has an electrical (or pneumatic in some cases) lock in the facility. They are generally designed in a hierarchical way so that one master control can take full control of the entire facility in the event of some problem. And because that same system is responsible for showing status, you could make it look like everything is fine when in fact it is not. Just like what Stuxnet did.
If you want to really put on the foil hat, you could envision a worm that gains control of a whole lot of these systems and allows some malicious attacker access to a large number of facilities.
There would be less potential for these things to be inadvertently connecting to the outside world if SCADA systems didn't use standard ethernet jacks and if the monitoring software periodically attempted to ping outside sites and threw up very obvious warnings to the operator as well as phoning home when it occurred.
With some subtlety you could over a period of time control prisoners movements. Nobody is allowed out of the yard or 30 guys in one cell etc.
"Why oh why do they have external links..."
Same motivation as the guys controlling (pun intended) the XP-equipped drones: playing Mafia Wars on Facebook.
But seriously. However bad/stupid it is to have these external links, there may always be some valid practical reason to grant remote access. The problem is not so much in the external link but in the policy implementation, enforcement and audit thereof. Some technician may require remote access by VPN or other means, but there is exactly no reason whatsoever for him to have that 24/7 or for that system to be permanently connected to the outside world.
Yes, that probably is the greatest realistic threat.
Hacking SCADA systems in prisons isn't really the sort of thing your average script kiddie is likely to be able to accomplish and even if someone did pull this kind of hack from their basement it would be a one off incident not substantially more harmful than a prison riot.
The sort of effort and expertise to do more than cause mischief and perhaps a few random deaths by opening doors in one facility could easily be put to greater effectiveness elsewhere. Screwing with emergency services or other vulnerable systems would offer a far greater reward/risk ratio if the goal is mere terrorism or social unrest.
The sort of thing that would justify this kind of hack is large monetary rewards or silencing informants. Killing rival drug cartel leaders (who are often in prisons) could be worth millions and silencing a captured enemy agent or (state sponsored) terrorist who had started to talk could be risking thousands or millions of lives.
Realistically expect these to be partial inside jobs with someone in the vendor company bribed or threatened to give access to this back door so rival criminal leaders or potential snitches are taken out.
Ohh and notice that a guard who accepts a bribe to let a cartel boss be killed will be identifiable and have signed their own death warrant and possibly put their family at danger. Guards may be easy to bribe to bring in cell phones and drugs when detection risk is low and severe retaliation unlikely but the high value targets will often be in the most secured locked down areas of the prison and have their own bribed guards not to mention fellow prisoners watching their back making it more than an easy matter of bribing one guard.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.