28C3: SCADA and PLC vulnerabilities in correctional facilities

Posted on Wednesday, February 15th, 2012 in security, talks by the machinegeek

In this full-length presentation from the recent 28C3 conference in Berlin, Tiffany Rad, Teague Newman and John Strauchs describe the opportunities and challenges presented by SCADA systems used in prisons and jails.

These systems are often used in conjunction with PLCs to open and close doors. Using original and publicly available exploits, along with an evaluation of vulnerabilities in electronic and physical security designs, Newman, Rad and Strauchs have discovered significant vulnerabilities in PLCs used in correctional facilities, which allow the switches on cell doors and gates to be remotely flipped to “open” or “locked closed”. This talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.

UPDATE: According to the speakers, John Strauchs and his company were the inspiration for the 1990s hacker flick “Sneakers”. However, this is questionable (see comment below).

This entry was posted on Wednesday, February 15th, 2012 at 4:00 pm and is filed under security, talks.

5 Responses to “28C3: SCADA and PLC vulnerabilities in correctional facilities”

  1. Drone says:

    I’m really getting tired of people implying or outright saying SCADA is “vulnerable”. It’s not “SCADA” that’s the problem, it is the connected systems hosting it that are vulnerable, the vast majority of which are Windows-based. If you leave your front door open and go on vacation, don’t expect things to be as you left them when you return.

    • Andy says:

      Certainly *most* of the vulnerabilities in SCADA control networks are in the control workstations. However, there are some SCADA vulnerabilities, proper, deployed in Stuxnet. You can read more at and related blog posts.

      • Drone says:

        SCADA was never designed as a “secure” protocol and has never claimed to be “secure” against attacks. Once the front door is open (Internet connected attacker enters the SCADA system via an insecure gateway), man-in-the-middle or code injection attacks are certainly possible. SCADA is not designed to thwart such attacks – nor should it be. To try and make SCADA inherently “secure” would likely render the protocol unsuitable for the original intent due to complexity and inefficiency.

        Stop blaming SCADA… If your system is so vulnerable to attack, either fix your system or don’t use something like SCADA in the first place.

  2. mudge says:

    The inspiration for the movie Sneakers, to the best of my knowledge, was Matt Bishop and Bob Abbot’s consulting company. The movie script was put together over numerous conversations with both Matt and Bob. The character names of Martin Bishop and Bernard Abbott were intentionally made close to Matt and Bob’s actual names as a tip-o-the-hat acknowledgement.

    • John Strauchs says:

      Mudge: Your comments are not incorrect but they are incomplete. Sneakers was based on an amalgam of people and companies, mine included. I began to work with Lasker and Parkes (and later with Robinson) in 1983. For example, Ian Murphy (Capt. Zap) and John Draper (Capt. Crunch) were also inspirations. And, I am in the movie credit.
