With Global Tel*Link all but announcing at the recent Corrections Technology Association Annual Meeting its intention to offer mobile services in prisons, now may be the time to consider the best technology architecture for such deployments for those prison administrators who see the potential benefits of a secure prison cell phone solution.
There are essentially two ways to provision wireless personal communication devices, such as prisoner tablets, in a prison environment. In its presentation, Global Tel*Link stated that it has chosen to deploy service using WiFi to provide wireless connectivity. We think there are some significant operational challenges and, more importantly, serious security risks in this approach.
There are two main security risks, as highlighted by the recent news articles below. The first is the potential for intentional hacking of the system, either internally by tech-savvy prisoners, or externally by those determined to defeat the WiFi security controls in order to gain or grant unfettered access to Global Tel*Link services, connected prison systems (commissary and trust accounts, etc.) or the unfiltered internet. A very real challenge with the decision to deploy a prison WiFi network is external hackers “wardriving” the system from outside the prison facility in order to accomplish this.
The second risk is the unintentional granting of access to the internet due to incompetence, human error and service misconfiguration.
In either case, the deployment of a local access wireless network via WiFi means that a single security breach, password hack or incompetent admin may result in unsecured and unmonitored access to internal prison systems and the outside world for all devices on the network.
In contrast, meshDETECT uses the traditional telco mobile network to provide secure voice and media services. Any breach, should it occur, is limited to a single device. If a device is hacked, a risk Global Tel*Link will also have to manage, one detainee may benefit; but no one can hack AT&T, Verizon, etc. in such a way as to give all the meshDETECT mobile devices deployed in a prison unfettered access to the internet, or unmonitored calls to harass outside parties and plan crimes.
Technology choices in the deployment of a secure prison mobile access network service must focus on security, not profitability.
Now let's look at the operational challenges associated with deploying WiFi within a prison facility:
- Low powered – a handheld device's maximum output is normally 0.4 watt.
- Signal can suffer interference from other devices such as two-way radios used by staff.
- Best when there is line of sight between transponders.
- Does not penetrate solid mass – concrete, brick, metal – the less porous the material the shorter the range and the slower the speed. Prison construction is high density blocks and cell doors are often clad in metal with metal surrounds.
- Tinted / reflective glass contains metal fragments, resulting in a drop in signal strength.
- Security fencing can act as a Faraday cage and ground the signal.
It is clear that achieving adequate WiFi signal coverage and application data throughput at a reasonable cost of installation is a challenge in this unique environment. Ongoing equipment maintenance expense as well as repair cost due to vandalism must also be considered when looking at the total cost of this approach.
In contrast, as evidenced by the high number of contraband devices and continued use of smuggled cell phones in jails and prisons globally, cellular signal strength and coverage is typically more than adequate, with no onsite equipment required. Additionally, 4G LTE cellular may be much faster than a WiFi network with an undersized or overburdened connection to the Internet (designed for coverage versus designed for capacity).
Real World Examples
Wi-Fi software security bug could leave Android, Windows, Linux open to attack
In an e-mail today to the Open Source Software Security (oss-security) mailing list, the maintainer of wireless network client code used by Android, the Linux and BSD Unix operating systems, and Windows Wi-Fi device drivers sent an urgent fix to a flaw that could allow attackers to crash devices or even potentially inject malicious software into their memory. The flaw could allow these sorts of attacks via a malicious wireless peer-to-peer network name.
The end result is that an attacker could corrupt information in memory, causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could essentially be used as a denial-of-service attack on affected devices simply by sending out responses to Wi-Fi probe requests or P2P network Public Action messages. But it could also expose memory contents during the three-way handshake of a peer-to-peer network negotiation (the GO negotiation) or potentially allow for the attacker to execute code on the target.
Military Cuts Guantanamo Bay WiFi After Alleged Threat by Anonymous
The Guantanamo Bay detention camp is losing all access to wireless internet and social networks due to hacking threats.
U.S. military officials have blocked access to wireless internet and social networks like Facebook and Twitter at Guantanamo Bay because it fears that international hacking group Anonymous will launch an attack to disrupt services at the naval base.
Anonymous launched a global online protest to mark the 100th day of the hunger strike by Guantanamo Bay prisoners. The detainees have been protesting their living conditions and indefinite detention at the base.
The U.S. military said it has been receiving online hacking threats amid the hunger strike, which were allegedly from Anonymous.
Prisoners Accessed Internet Through Faulty Computer Kiosks
Prisoners in privately run Mt Eden Corrections Facility were able to access the internet through faulty computer kiosks, a security review of public sector computer systems has found.
The security breach was one of 12 “weak points” identified in Government Chief Information Officer Colin McDonald’s review of the security of 215 publicly accessible state sector agency IT systems released this morning.
Serco, the company which operates Mt Eden, said that on November 26 last year, “an administrative error made it possible to open a web browser session” on kiosks provided to prisoners to allow them to “take responsibility for organizing their day-to-day lives and helps to develop literacy and numeracy skills”.
Serco’s Director of Operations Scott McNairn said the error “allowed for limited access to the internet, policed by a web filter which blocked access to inappropriate sites”.
“No email, social media or adult sites were accessed.”
The internet access was “limited” and “at no time was it possible to access any other systems or information”.
Serco has not said how long prisoners were able to access the internet for.
Mr McNairn said the company had improved security for the kiosks and was “confident” that the likelihood of further problems was “extremely low”.
Jailed Hacker Hacks Prison Network
It’s almost comical, but an incarcerated hacker has hacked into his prison’s computer network.
According to Naked Security (Sophos), Nicholas Webber, who operated the GhostMarket.Net cybercrime website, signed up for the prison’s IT class. Webber, who was 18 at the time of his arrest for bank frauds and identity theft scams, apparently got onto the network but was unable to access personal information files.
The prison issued a statement to the Register: “At the time of this incident in 2011 the educational computer system at HMP Isis was a closed network. No access to personal information or wider access to the internet or other prison systems would have been possible.”
The incident, which occurred in 2011, only came to light because of a wrongful termination suit by the instructor leading the class.