Security Flaw Could Let Hackers Help Inmates Break Out Of Prison

LAS VEGAS – Inmates have tried many ways to break out of prison: chip away at concrete, overpower guards, tie bedsheets together.

Now, they may have a new tactic: hack into the computer system that controls prison doors.

At the DefCon hacker conference in Las Vegas this weekend, researchers showed how they found a security flaw that could allow prisoners to escape if hackers breach the prison's computer system.

The issue came to light by accident a few years ago when a prison warden called security engineer John Strauchs with an alarming problem: all of the cells on death row had mysteriously opened.

The cause was a random power surge, but it got Strauchs thinking.

“If that can happen by accident, what would happen if you did it deliberately?” asked Strauchs, who has designed prison door control systems.

Then a few years later, a powerful computer worm called “Stuxnet” disabled Iran’s nuclear centrifuges. The worm, which is considered the most sophisticated cyberweapon ever made, attacked a “programmable logic controller,” which is a computer that is also used in the nation’s high-security prisons.

For about $2,500, the researchers bought one of these computers, which are manufactured by Siemens, and tested them in a laboratory.

The researchers said they have not simulated an attack on a correctional facility to test the possible flaw, but they believe it is possible to launch a cyber prison break, in large part because prison guards are not taking basic cybersecurity measures.

During a tour of one U.S. prison, the researchers found a guard in the control room checking his email on a computer that communicates with the system operating the doors. If that guard clicked on a malicious link or attachment, he could trigger a prison break, researchers said.

"If the computer had been attacked, we could open up and close the cell doors," said Tiffany Rad, president of ELCnetworks. "Any time you have a security product, the people operating it need to understand why certain operating procedures are in place."

The researchers said they briefed the federal government on the possible security flaw and received approval to give their presentation this weekend at the hacker conference.

Chris Burke, a spokesman for the Federal Bureau of Prisons, said he was unaware of the researchers' findings.

"We would take anything like that seriously and be wiling to take a look at that," Burke said.

Strauchs also noted that prison guards "don't get paid very much" and could be bribed to hack the prison computer system. But he said the security flaw could be subdued by prison officers performing basic cyber hygiene, like not using computers to check email.

"If the prisons change their security procedures, they could probably fix the problem 98 percent on their own," he said.