Researchers are now warning that vulnerabilities in the electronic infrastructures of prisons could allow hackers to release prisoners from their jail cells.
According to Wired, security consultant and engineer John Strauchs said some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons. Strauchs engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the United States.
Prisons use programmable logic controllers to control locks on cells and other facility doors and gates, explained Strauchs in a recently published report. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.
“Our team has been asked: what are the countermeasures to mitigate the risk?” said Strauchs. “There are some vulnerabilities in PLCs that cannot be ‘fixed,’ rather, the most effective defense lies in the employees who interact with PLCs within part of the correctional system.”
He said that implementing the correct security measures in prison infrastructures requires education and awareness of the existence of PLCs in correctional facilities, adherence to common-sense computer usage policies, air gapping, and patching and updating of networks and software.
“As for the manufacturers of PLCs, they know of these vulnerabilities,” he said. “We are not as concerned about informing them as we are of government agencies and those who work in secure facilities with PLCs.”
Strauchs plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.