SoylentNews

Arthur T Knackerbracket has found the following story:

Hundreds of Idaho prison inmates have hacked jail software to "artificially" boost the amount of money in their own accounts, officials say.

The Idaho Department of Corrections said 364 inmates were "intentionally exploiting a vulnerability" to take nearly $225,000 (£171,000).

Fifty prisoners credited their accounts with more than $1,000 each while another inmate transferred $9,990.

A prisons spokesman said the "improper conduct involved no taxpayer dollars".

In a statement to BBC News, Idaho Department of Correction spokesman Jeff Ray said the inmates had hacked the JPay system.

JPay is a private firm that allows US prisoners access to portable devices which can transfer money, download music and games, and exchange communications with family members.

[...] JPay has so far recovered more than $65,000 worth of credits from the prisoners.

They have been suspended from downloading music and games until they pay the company for its losses, but they are still able to send and receive emails.

The Idaho Department of Corrections has also issued disciplinary reports to the inmates that were involved, meaning that they would lose certain privileges and be reclassified to a higher security risk level.

Wired adds:

[...] Unlike the Kindle Fire or the IPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.

[...] As the sole provider of e-messaging and digital services within Idaho's prison system, it might stand to reason that the company's monopoly increased its risk of hacking. "If you're forced to buy from one entity, I could see the increasing motivation," says Jake Williams, a security expert and founder of Rendition Infosec. "But I don't think this [monopoly] increases vulnerabilty to hacking."

Instead, says Williams, any system offering an app over a device operates at a risk."Any time you have a mobile app—whether it's a phone or a tablet—the user has a lot of control over any data stored in the device itself," he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. "A malicious user can access that back-end data," says Williams.

It's a problem that Williams sees often. He points to a recent vulnerability assessment that Renditions conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price on the SQLite database, a back-end storage mechanism on the app itself. But by modifying the price on that back-end system, "we could change the purchase price and buy the item for whatever price we wanted," Williams recalls. "This is not an uncommon flaw with mobile apps."

For JPay or any other provider offering tablets, a person's credit balance is most likely stored on the tablet rather than being transmitted on JPay's infrastructure to a centralized server. This makes it accessible for someone savvy enough to hack into the SQLite database and change their account.

Original Submission