Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Monday July 30 2018, @07:45PM   Printer-friendly
from the hackonopoly dept.

Hundreds of Idaho prison inmates have hacked jail software to "artificially" boost the amount of money in their own accounts, officials say.

The Idaho Department of Corrections said 364 inmates were "intentionally exploiting a vulnerability" to take nearly $225,000 (£171,000).

Fifty prisoners credited their accounts with more than $1,000 each while another inmate transferred $9,990.

A prisons spokesman said the "improper conduct involved no taxpayer dollars".

In a statement to BBC News, Idaho Department of Correction spokesman Jeff Ray said the inmates had hacked the JPay system.

JPay is a private firm that allows US prisoners access to portable devices which can transfer money, download music and games, and exchange communications with family members.

[...] JPay has so far recovered more than $65,000 worth of credits from the prisoners.

They have been suspended from downloading music and games until they pay the company for its losses, but they are still able to send and receive emails.

The Idaho Department of Corrections has also issued disciplinary reports to the inmates that were involved, meaning that they would lose certain privileges and be reclassified to a higher security risk level.

Wired adds:

[...] Unlike the Kindle Fire or the IPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.

[...] As the sole provider of e-messaging and digital services within Idaho's prison system, it might stand to reason that the company's monopoly increased its risk of hacking. "If you're forced to buy from one entity, I could see the increasing motivation," says Jake Williams, a security expert and founder of Rendition Infosec. "But I don't think this [monopoly] increases vulnerabilty to hacking."

Instead, says Williams, any system offering an app over a device operates at a risk."Any time you have a mobile app—whether it's a phone or a tablet—the user has a lot of control over any data stored in the device itself," he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. "A malicious user can access that back-end data," says Williams.

It's a problem that Williams sees often. He points to a recent vulnerability assessment that Renditions conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price on the SQLite database, a back-end storage mechanism on the app itself. But by modifying the price on that back-end system, "we could change the purchase price and buy the item for whatever price we wanted," Williams recalls. "This is not an uncommon flaw with mobile apps."

For JPay or any other provider offering tablets, a person's credit balance is most likely stored on the tablet rather than being transmitted on JPay's infrastructure to a centralized server. This makes it accessible for someone savvy enough to hack into the SQLite database and change their account.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by martyb on Monday July 30 2018, @08:57PM (4 children)

    by martyb (76) Subscriber Badge on Monday July 30 2018, @08:57PM (#714932) Journal

    The more things change, the more they say the same.

    Reminds me of playing a game on my computer decades ago. Did a "save game". Noticed a file appeared. Made a copy of the file. Started the game from the save file, did a few things, earned another 'life', saved game again. Did a diff between the saved games. Found out where the number of lives was stored. Loaded a hexeditor, changed it to 99 lives, and created a new save file. Load game with new save file and voila!

    Granted, I doubt these tablets come with a complete development environment (on second thought, I would not be surprised if there were a 'secret' debug/testing mode!)

    Still, gain physical access and... game over. The inmates have physical access, AND time on their hands, AND motive. It seems to me it was only a matter of time.

    --
    Wit is intellect, dancing.
    Starting Score:    1  point
    Moderation   +3  
       Insightful=2, Interesting=1, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 3, Informative) by Anonymous Coward on Monday July 30 2018, @09:13PM (1 child)

    by Anonymous Coward on Monday July 30 2018, @09:13PM (#714942)

    +1 Plausible explanation

    JPay sound like a bunch of (dumb) crooks to me, hiding behind the corporate veil.

  • (Score: 4, Informative) by JoeMerchant on Monday July 30 2018, @09:35PM (1 child)

    by JoeMerchant (3937) on Monday July 30 2018, @09:35PM (#714952)

    They may even have been teaching them programming with the tablets...

    --
    🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Tuesday July 31 2018, @12:16AM

      by Anonymous Coward on Tuesday July 31 2018, @12:16AM (#714992)

      Next you will want to know if they were teaching the inmates Vi or Emacs!