Archive

Posts Tagged ‘cyber’

Researchers Say Vulnerabilities Could Let Hackers Spring Prisoners From Cells

By Kim Zetter

Vulnerabilities in electronic systems that control prison doors could allow hackers or others to spring prisoners from their jail cells, according to researchers.

Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.

Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. — including eight maximum-security prisons — says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.

“Most people don’t know how a prison or jail is designed, that’s why no one has ever paid attention to it,” says Strauchs. “How many people know they’re built with the same kind of PLC used in centrifuges?”

PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German-conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones. Stuxnet’s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the country’s uranium enrichment capabilities.

Though Siemens PLCs are used in some prisons, they’re a relatively small player in that market, Strauchs says. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.

Strauchs, who lists a stint as a former CIA operations officer on his bio, became interested in testing PLCs after hearing about the systems Stuxnet targeted and realizing that he had installed similar systems in prisons years ago. He, along with his daughter Tiffany Rad, president of ELCnetworks, and independent researcher Teague Newman, purchased a Siemens PLC to examine it for vulnerabilities, then worked with another researcher, who prefers to remain anonymous and goes by the handle “Dora the SCADA explorer,” who wrote three exploits for vulnerabilities they found.

“Within three hours we had written a program to exploit the [Siemens] PLC we were testing,” said Rad, noting that it cost them just $2,500 to acquire everything they needed to research the vulnerabilities and develop the exploits.

“We acquired the product legally; we have a license for it. But it’s easy to get it off [eBay] for $500,” she said. “Anyone can do it if they have the desire.”

They recently met with the FBI and other federal agencies they won’t name to discuss the vulnerabilities and their upcoming demonstration.

“They agreed we should address it,” Strauchs said. “They weren’t happy, but they said it’s probably a good thing what you’re doing.”

Strauchs says the vulnerabilities exist in the basic architecture of the prison PLCs, many of which use Ladder Logic programming and a communications protocol that had no security protections built into it when it was designed years ago. There are also vulnerabilities in the control computers, many of which are Windows-based machines, that monitor and program PLCs.

“The vulnerabilities are inherently due to the actual use of the PLC, the one-point-controlling-many,” Rad said. “Upon gaining access to the computer that monitors, controls or programs the PLC, you then take control of that PLC.”

A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also other computers in non-essential parts of prisons, such as commissaries and laundry rooms, that shouldn’t be, but sometimes are, connected to networks that control critical functions.

“Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers write in a paper they’ve released (.pdf) on the topic. “Access to any part, such as a remote intercom station, might provide access to all parts.”

Strauchs adds that “once we take control of the PLC we can do anything. Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.”

Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Strauchs says a hacker could design an attack to over-ride the cascade release to open all of the doors simultaneously and overload the system.

An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but Strauchs explains that the PLC provides feedback to the control system each time it receives a command, such as “kitchen door east opened.” A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.

While PLCs themselves need to be better secured to eliminate vulnerabilities inherent in them, Newman says prison facilities also need to update and enforce acceptable-use policies on their computers so that workers don’t connect critical systems to the internet or allow removable media, such as USB sticks, to be installed on them.

“We’re making the connection closer between what happened with Stuxnet and what could happen in facilities that put lives at risk,” he said.

Advertisements

Virtual war a real threat

The U.S. is vulnerable to a cyber attack, with its electrical grids, pipelines, chemical plants and other infrastructure designed without security in mind. Some say not enough is being done to protect the country.

When a large Southern California water system wanted to probe the vulnerabilities of its computer networks, it hired Los Angeles-based hacker Marc Maiffret to test them. His team seized control of the equipment that added chemical treatments to drinking water — in one day.

The weak link: County employees had been logging into the network through their home computers, leaving a gaping security hole. Officials of the urban water system told Maiffret that with a few mouse clicks, he could have rendered the water undrinkable for millions of homes.

“There’s always a way in,” said Maiffret, who declined to identify the water system for its own protection.

The weaknesses that he found in California exist in crucial facilities nationwide, U.S. officials and private experts say.

The same industrial control systems Maiffret’s team was able to commandeer also run electrical grids, pipelines, chemical plants and other infrastructure. Those systems, many designed without security in mind, are vulnerable to cyber attacks that have the potential to blow up city blocks, erase bank data, crash planes and cut power to large sections of the country.

Terrorist groups such as Al Qaeda don’t yet have the capability to mount such attacks, experts say, but potential adversaries such as China and Russia do, as do organized crime and hacker groups that could sell their services to rogue states or terrorists.

U.S. officials say China already has laced the U.S. power grid and other systems with hidden malware that could be activated to devastating effect.

“If a sector of the country’s power grid were taken down, it’s not only going to be damaging to our economy, but people are going to die,” said Rep. Jim Langevin (D-R.I.), who has played a lead role on cyber security as a member of the House Intelligence Committee.

Some experts suspect that the U.S. and its allies also have been busy developing offensive cyber capabilities. Last year, Stuxnet, a computer worm some believe was created by the U.S. or Israel, is thought to have damaged many of Iran’s uranium centrifuges by causing them to spin at irregular speeds.

In the face of the growing threats, the Obama administration’s response has received mixed reviews.

President Obama declared in a 2009 speech that protecting computer network infrastructure “will be a national security priority.” But the follow-through has been scant.

Obama created the position of federal cyber-security “czar,” and then took seven months to fill a job that lacks much real authority. Several cyber-security proposals are pending in Congress, but the administration hasn’t said publicly what it supports.

“I give the administration high marks for doing some things, but clearly not enough,” Langevin said.

The basic roadblocks are that the government lacks the authority to force industry to secure its networks and industry doesn’t have the incentive to do so on its own.

Meanwhile, evidence mounts on the damage a cyber attack could inflict. In a 2006 U.S. government experiment, hackers were able to remotely destroy a 27-ton, $1-million electric generator similar to the kind commonly used on the nation’s power grid. A video shows it spinning out of control until it shuts down.

In 2008, U.S. military officials discovered that classified networks at the U.S. Central Command, which oversees military operations in the Middle East and Central Asia, had been penetrated by a foreign intelligence service using malware spread through thumb drives.

That attack led to the creation in 2009 of U.S. Cyber Command, a group of 1,000 spies and hackers charged with preventing such intrusions. They also are responsible for mounting offensive cyber operations, about which the government will say next to nothing.

The head of Cyber Command, Gen. Keith Alexander, also leads the National Security Agency, the massive Ft. Meade, Md.-based spy agency in charge of listening to communications and penetrating foreign computer networks.

Together, the NSA and Cyber Command have the world’s most advanced capabilities, analysts say, and could wreak havoc on the networks of any country that attacked the U.S. — if they could be sure who was responsible.

It’s easy to hide the source of a cyber attack by sending the malware on circuitous routes through computers and servers in third countries. So deterrence of the sort relied upon to prevent nuclear war — the threat of massive retaliation — is not an effective strategy to prevent a cyber attack.

Asked in a recent interview whether the U.S. could win a cyber war, Alexander responded, “I believe that we would suffer tremendously if a cyber war were conducted today, as would our adversaries.”

Alexander also is quick to point out that his cyber warriors and experts are legally authorized to protect only military networks. The Department of Homeland Security is charged with helping secure crucial civilian infrastructure, but in practice, the job mostly falls to the companies themselves.

That would’ve been akin to telling the head of U.S. Steel in the 1950s to develop his own air defenses against Soviet bombers, writes Richard Clarke, who was President George W. Bush’s cyber-security advisor, in his 2010 book, “Cyber War: The Next Threat to National Security and What to Do About It.”

The comparison underscores the extent to which the U.S. lacks the laws, strategies and policies needed to secure its cyber infrastructure, experts say.

“If we don’t get our act together, the consequences could be dire,” said Scott Borg, who heads the U.S. Cyber Consequences Unit, which analyzes the potential damage from various scenarios.

The problem, though, is “there’s nothing that everyone agrees on,” said James Lewis, cyber-security expert at the Center for Strategic and International Studies in Washington.

For example, Lewis and other experts believe the government should mandate cyber-security standards for water systems, electric utilities and other crucial infrastructure. Some contend that major U.S. Internet service providers should be required to monitor patterns in Internet traffic and stop malware as it transits their servers.

But both ideas are viewed with suspicion by a technology industry that wants the government out of its business, and by an Internet culture that sees such moves as undermining privacy.

“There are a whole lot of things that can’t be legislated,” said Bob Dix, vice president of government affairs for Sunnyvale, Calif.-based Juniper Networks Inc., which makes routers and switches.

Yet Washington may be reaching a moment when the seriousness of the threat trumps political resistance. Sources familiar with the negotiations say the White House has promised Senate leaders that it will offer its own cyber-security legislation in a month. But any proposal that calls for far-reaching regulations would face an uphill battle.

CIA Director Leon E. Panetta told Congress recently that he worried about a cyber Pearl Harbor. Yet many who follow the issue believe that’s what it will take to force Americans to awaken to the threat.

“The odds are we’ll wait for a catastrophic event,” said Mike McConnell, former director of National Intelligence and cyber-security specialist, “and then overreact.”

ken.dilanian@latimes.com