Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Monday July 30 2018, @07:45PM   Printer-friendly
from the hackonopoly dept.

Hundreds of Idaho prison inmates have hacked jail software to "artificially" boost the amount of money in their own accounts, officials say.

The Idaho Department of Corrections said 364 inmates were "intentionally exploiting a vulnerability" to take nearly $225,000 (£171,000).

Fifty prisoners credited their accounts with more than $1,000 each while another inmate transferred $9,990.

A prisons spokesman said the "improper conduct involved no taxpayer dollars".

In a statement to BBC News, Idaho Department of Correction spokesman Jeff Ray said the inmates had hacked the JPay system.

JPay is a private firm that allows US prisoners access to portable devices which can transfer money, download music and games, and exchange communications with family members.

[...] JPay has so far recovered more than $65,000 worth of credits from the prisoners.

They have been suspended from downloading music and games until they pay the company for its losses, but they are still able to send and receive emails.

The Idaho Department of Corrections has also issued disciplinary reports to the inmates that were involved, meaning that they would lose certain privileges and be reclassified to a higher security risk level.

Wired adds:

[...] Unlike the Kindle Fire or the IPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.

[...] As the sole provider of e-messaging and digital services within Idaho's prison system, it might stand to reason that the company's monopoly increased its risk of hacking. "If you're forced to buy from one entity, I could see the increasing motivation," says Jake Williams, a security expert and founder of Rendition Infosec. "But I don't think this [monopoly] increases vulnerabilty to hacking."

Instead, says Williams, any system offering an app over a device operates at a risk."Any time you have a mobile app—whether it's a phone or a tablet—the user has a lot of control over any data stored in the device itself," he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. "A malicious user can access that back-end data," says Williams.

It's a problem that Williams sees often. He points to a recent vulnerability assessment that Renditions conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price on the SQLite database, a back-end storage mechanism on the app itself. But by modifying the price on that back-end system, "we could change the purchase price and buy the item for whatever price we wanted," Williams recalls. "This is not an uncommon flaw with mobile apps."

For JPay or any other provider offering tablets, a person's credit balance is most likely stored on the tablet rather than being transmitted on JPay's infrastructure to a centralized server. This makes it accessible for someone savvy enough to hack into the SQLite database and change their account.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Troll) by realDonaldTrump on Monday July 30 2018, @08:45PM (6 children)

    by realDonaldTrump (6614) on Monday July 30 2018, @08:45PM (#714928) Homepage Journal

    364 guys, that's a lot of hackers. Can we say those guys, they're not ready to get out of prison? Believe me, if it were up to me, those guys would be getting extra time. And maybe a little torture, right? But the ones that didn't do the violations and crimes -- and crimes they are -- maybe think about letting those guys out. Very easy for them to steal, they didn't steal. And maybe a guy is in there for rape or something, at least he's not a thief.

    Starting Score:    1  point
    Moderation   0  
       Troll=2, Redundant=1, Interesting=1, Funny=1, Underrated=1, Total=6
    Extra 'Troll' Modifier   0  

    Total Score:   1  
  • (Score: 0) by Anonymous Coward on Monday July 30 2018, @08:47PM (3 children)

    by Anonymous Coward on Monday July 30 2018, @08:47PM (#714929)

    Speaking of rape, do you have any plans to decriminalize pussy grabbing?

    • (Score: 0) by Anonymous Coward on Monday July 30 2018, @09:09PM

      by Anonymous Coward on Monday July 30 2018, @09:09PM (#714938)

      Pussy grabbing and rape are quite different crimes. Rape requires some kind of penetration, which may or may not involve a penis. Pussy grabbing is, at worst, a sexual assault. At best, pussy grabbing can be considered foreplay. If, however, a finger happens to penetrate during grabbing, then you MIGHT be found guilty of rape. All of that depends on the attitudes and the relationship of the grabber and the grabee.

    • (Score: -1, Troll) by Anonymous Coward on Monday July 30 2018, @10:25PM (1 child)

      by Anonymous Coward on Monday July 30 2018, @10:25PM (#714969)

      Pussy grabbing isn't illegal because it's a victimless crime.

      • (Score: 2) by mendax on Tuesday July 31 2018, @06:32AM

        by mendax (2840) on Tuesday July 31 2018, @06:32AM (#715093)

        Indeed, I grab my pussy all the time and she enjoys it. She even purrs.

        --
        It's really quite a simple choice: Life, Death, or Los Angeles.
  • (Score: 0) by Anonymous Coward on Monday July 30 2018, @09:23PM

    by Anonymous Coward on Monday July 30 2018, @09:23PM (#714946)

    Guess you do know a bit about gaming the system and stealing...takes one to know one.

  • (Score: 4, Funny) by Mykl on Monday July 30 2018, @11:46PM

    by Mykl (1112) on Monday July 30 2018, @11:46PM (#714984)

    It's these little gems that make RDT's posts worthwhile. Giving us that little insight into what he _really_ feels rather than just the same repeated phrases on other media sites.

    I'm glad that SoylentNews has been able to become your "safe space" RDT - now that Fox has turned against you with that fake news about the Putin meeting.