Dark Reading is part of the Informa Tech Division of Informa PLC

Prisons May Be Vulnerable To Stuxnet-Style Attack

Researchers found easy-to-write malware could subvert prison control systems, cause spontaneous opening of all cell doors.

It's Christmas Eve in a maximum security prison, when all of the cell doors on death row simultaneously open without warning. What happened? That was the question posed by the warden of a prison in which that exact scenario occurred.

At last month's Hacker Halted Conference in Miami, the group formed to answer that question presented the results of its research into "SCADA and PLC Vulnerabilities in Correctional Facilities." In short, they discovered numerous vulnerabilities in the industrial control systems (often referred to as supervisory control and data acquisition, or SCADA, systems) and programmable logic controllers (PLCs) used in today's highly automated prisons, which could be remotely exploited to compromise such systems.

"Using the PLC's own software library, we were able to not only unlock any door in the prison system, but we could also send false status signals back to central and/or housing control reporting that the door is closed and locked," said researcher John Strauchs on his blog. "Our results were far better than we expected." Furthermore, the team said that acquiring the hardware and software required for its research cost only $2,500, although by not bothering to pay for legitimate software licenses, that cost could have been reduced to about $500.
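The false-status problem the researchers describe above (a PLC reporting "closed and locked" to central control while the door is actually open) is what a monitoring host should be built to catch. The following is an added example, not code from the article or the research team: a reconciliation check that refuses to trust the PLC's report on its own and instead compares it against an independent door-position sensor and against the audit log of authorized unlock commands. The door IDs, state values and sample records are all constructed for illustration.

```python
# Added example (not from the article or the researchers): a defender-side
# reconciliation check for PLC door status. It compares the state the PLC
# reports against a sensor that is wired to the monitoring host rather than
# through the PLC, and against the audit log of authorized unlock commands.
# All door IDs, states and log entries below are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    door: str
    kind: str      # "status_mismatch" or "unauthorized_open"
    detail: str


def reconcile(plc_status, sensor_state, authorized_unlocks):
    """Return findings for doors whose observed state cannot be explained
    by the PLC's own report plus the authorized command log.

    plc_status        : {door_id: "locked" | "unlocked"} as reported by the PLC
    sensor_state      : {door_id: "open" | "closed"} from an independent sensor
    authorized_unlocks: set of door_ids with an unlock command in the audit log
    """
    findings = []
    for door in sorted(sensor_state):
        physical = sensor_state[door]
        reported = plc_status.get(door, "unknown")
        # A PLC claiming "locked" on a door the sensor sees open is the
        # false-status condition the researchers described.
        if physical == "open" and reported == "locked":
            findings.append(Finding(
                door, "status_mismatch",
                f"PLC reports {reported}, sensor reports {physical}"))
        # Any physically open door must trace back to an authorized command,
        # regardless of what the PLC says about it.
        if physical == "open" and door not in authorized_unlocks:
            findings.append(Finding(
                door, "unauthorized_open",
                "no matching unlock command in audit log"))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_PLC_STATUS = {"A-101": "unlocked", "A-102": "locked", "A-103": "locked"}
SAMPLE_SENSORS = {"A-101": "open", "A-102": "closed", "A-103": "open"}
SAMPLE_AUTHORIZED = {"A-101"}   # only A-101 was legitimately unlocked


def sample_findings():
    """Run the check over the constructed sample; A-103 should be flagged twice."""
    return reconcile(SAMPLE_PLC_STATUS, SAMPLE_SENSORS, SAMPLE_AUTHORIZED)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.door}: {f.kind} ({f.detail})")
```

The design point is that the sensor feed and the audit log reach the monitoring host by paths the PLC cannot write to; if the PLC is the only source of both the door state and the event log, a compromised controller can make every check pass.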

The group of researchers was composed of Strauchs, a former CIA operations officer who's conducted security engineering or consulting for more than 114 justice industry design projects, including 14 federal prisons, 23 state prisons, and 27 city or county jails; Tiffany Rad, the president of ELCnetworks; and Teague Newman, a Washington-based information security consultant with experience in penetration testing.

A Federal Bureau of Prisons spokesman this week said that the agency is "aware of this research and taking it very seriously," according to The Washington Times. Likewise, the research team said it's been working with multiple manufacturers and government agencies to identify current vulnerabilities and craft workarounds.

Of course, security experts have been warning about these types of control system vulnerabilities for years. But it wasn't until Stuxnet showed up that many control system users seemed to grasp the potential risks the systems might pose, given that many control systems were never designed to resist Internet-borne threats, or even to be patched, even though many of them run on Windows.

Ralph Langner--the German computer security expert credited with discovering Stuxnet--has warned that "one can use exploit code to attack PLCs without any insider knowledge at all." Unlike a highly targeted attack such as Stuxnet, which was designed to sabotage only the high-frequency converter drives used in a specific uranium enrichment facility in Iran, Langner said that script kiddies could easily create PLC attacks without understanding the target environment.

Likewise, the prison control system and PLC research team reported that all three of its members quickly learned to "put together a PLC exploit in only a few hours," according to their research paper, owing to the simplicity of the programming languages involved. But an attacker might not even have to bother with that. "There are many exploits that are publicly available and can be found online such as on exploit-db.com," they said.

Given the potential threat posed by a cyber attack against the control systems or PLCs employed in prisons, what should be done? The research team suggests eight improvements, including restricting the use of physical media (which could carry malware) in facilities, segmenting networks properly, improving patch practices, and using heightened security procedures in all areas that rely on PLCs. They also recommend reevaluating current prison designs. "Many modern prisons/jails were designed 10 years ago, before these attack vectors were known," they said.

On his blog, Strauchs said that whenever possible, prison systems also shouldn't be Internet-connected. "The correctional facility security system should not have external connections, or if that can't be avoided, connections need to be safeguarded by security protocols--not security-through-obscurity--and systemic technical countermeasures," he said. In addition, "no one should ever be permitted to use workstations for personal activities like checking private email or viewing images--both of which our team saw during onsite evaluations of correctional facilities."

Thankfully, said Strauchs, fixes appear to be underway. "We believe that the manufacturers are working on what they can fix and, as a result, we are not advocating removing PLCs from facilities but, instead, addressing the vulnerabilities through awareness and education of the people working in facilities with PLCs," he said.
