Prison has the mission of rehabilitating the person who committed the crime that warranted the stay. While being rehabilitated, prisoners are able to contact their families, play games, learn a trade, work, receive therapy, and take part in other activities. One option for the incarcerated person is to use a tablet for a few of these functions. These devices have become more popular with inmates.
JPay
This option for the prisoners involves basic technology. To this end, inmates have the option to use JPay tablets. JPay has been working with the prison system to provide these since 2002 across 35 states. The tablets are supplied to the prison system and prisoners by CenturyLink and JPay. The inmate’s family or friends purchase them for the inmate. In limited instances, JPay has given them to inmates; it recently did this for 53k inmates in the New York State prison system. The others have had to pay for theirs.
The tablets allow prisoners to email their families and friends, video chat with them, watch educational videos, and download and play games and music that have been purchased. Inmates can also use them for ebooks and news. The prisoner’s family and friends are able to put funds on the inmate’s JPay account to pay for the non-free items. As an example, the inmate may send one page of an email for 50 cents. This is very useful for the inmates.
Vulnerability Exploited
The process for using the technology should have worked smoothly, and it did for years. Recently, however, inmates using the tablets detected a vulnerability and exploited it to the extreme. The exploitation was detected by the Idaho Department of Corrections on July 2, 2018. The inmates were able to add $225k in credits to their accounts although their families and friends had not actually added the funds. This involved 364 inmates.
Remediation
The vulnerability has been resolved. Unfortunately, neither the specific steps of the exploit nor the point of the vulnerability has been published, because JPay claims this is proprietary information. This also does not allow others to learn from their errors or oversights. The inmates involved may still use email on their tablets. They are, however, not able to download games or music until they repay what was stolen. Of the $225k, $65k has been recovered. The involved inmates did receive disciplinary offense reports.
Lessons
This incident emphasizes the need for SecDevOps, or adding cybersecurity into the development cycle. Without sufficiently trained and experienced staff, there will continue to be issues. People will continue to look for different methods to break the hardware and software.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.