Hundreds of Idaho prison inmates have hacked jail software to "artificially" boost the amount of money in their own accounts, officials say.
The Idaho Department of Corrections said 364 inmates were "intentionally exploiting a vulnerability" to take nearly $225,000 (£171,000).
Fifty prisoners credited their accounts with more than $1,000 each while another inmate transferred $9,990.
A prisons spokesman said the "improper conduct involved no taxpayer dollars".
In a statement to BBC News, Idaho Department of Correction spokesman Jeff Ray said the inmates had hacked the JPay system.
JPay is a private firm that allows US prisoners access to portable devices which can transfer money, download music and games, and exchange communications with family members.
[...] JPay has so far recovered more than $65,000 worth of credits from the prisoners.
They have been suspended from downloading music and games until they pay the company for its losses, but they are still able to send and receive emails.
The Idaho Department of Corrections has also issued disciplinary reports to the inmates that were involved, meaning that they would lose certain privileges and be reclassified to a higher security risk level.
[...] Unlike the Kindle Fire or the IPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.
[...] As the sole provider of e-messaging and digital services within Idaho's prison system, it might stand to reason that the company's monopoly increased its risk of hacking. "If you're forced to buy from one entity, I could see the increasing motivation," says Jake Williams, a security expert and founder of Rendition Infosec. "But I don't think this [monopoly] increases vulnerabilty to hacking."
Instead, says Williams, any system offering an app over a device operates at a risk."Any time you have a mobile app—whether it's a phone or a tablet—the user has a lot of control over any data stored in the device itself," he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. "A malicious user can access that back-end data," says Williams.
It's a problem that Williams sees often. He points to a recent vulnerability assessment that Renditions conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price on the SQLite database, a back-end storage mechanism on the app itself. But by modifying the price on that back-end system, "we could change the purchase price and buy the item for whatever price we wanted," Williams recalls. "This is not an uncommon flaw with mobile apps."
For JPay or any other provider offering tablets, a person's credit balance is most likely stored on the tablet rather than being transmitted on JPay's infrastructure to a centralized server. This makes it accessible for someone savvy enough to hack into the SQLite database and change their account.
(Score: 5, Insightful) by martyb on Monday July 30 2018, @08:57PM (4 children)
The more things change, the more they say the same.
Reminds me of playing a game on my computer decades ago. Did a "save game". Noticed a file appeared. Made a copy of the file. Started the game from the save file, did a few things, earned another 'life', saved game again. Did a diff between the saved games. Found out where the number of lives was stored. Loaded a hexeditor, changed it to 99 lives, and created a new save file. Load game with new save file and voila!
Granted, I doubt these tablets come with a complete development environment (on second thought, I would not be surprised if there were a 'secret' debug/testing mode!)
Still, gain physical access and... game over. The inmates have physical access, AND time on their hands, AND motive. It seems to me it was only a matter of time.
Wit is intellect, dancing.
(Score: 3, Informative) by Anonymous Coward on Monday July 30 2018, @09:13PM (1 child)
+1 Plausible explanation
JPay sound like a bunch of (dumb) crooks to me, hiding behind the corporate veil.
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @12:35AM
When I was in California's Atascadero State Hospital, the only way to use the phone was to call collect, for which the other party paid a minimum of $25.00.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Informative) by JoeMerchant on Monday July 30 2018, @09:35PM (1 child)
They may even have been teaching them programming with the tablets...
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @12:16AM
Next you will want to know if they were teaching the inmates Vi or Emacs!