[Hackmeeting] JPay: hack dall'interno di un carcere

Delete this message

Reply to this message
Autore: boyska
Data:  
To: hackmeeting
Oggetto: [Hackmeeting] JPay: hack dall'interno di un carcere
https://www.wired.com/story/how-a-group-of-imprisoned-hackers-introduced-jpay-to-the-world/

Until yesterday, unless you had a family member or friend in prison, you most likely had never heard of JPay. That’s because all of its services are directed toward inmates and their families.

Since 2002, JPay has been quietly moving into prisons across the country, first by providing quicker (though pricier) ways for family members to send money to loved ones behind bars and, since 2004, by providing limited email systems in prisons. Those systems are often touted as an innovation that keeps incarcerated people connected with support networks on the outside. In keeping up with the technological times, JPay also offers prison-specific tablets on which users can access their e-messages, buy music, and play electronic games.

But this week, Idaho prison officials announced that these tablets became the means for 363 inmates, across five state prisons, to create nearly a quarter million dollars of credits. Collectively, the prisoners created roughly $225,000 in JPay credits, which they added to their respective accounts to pay for e-messages, music, and games. In a statement to the Associated Press, Idaho Department of Correction spokesman Jeff Ray said that, of the 363 imprisoned hackers, 50 men credited their accounts in amounts exceeding $1,000 with the largest amount falling just under $10,000.

Idaho is just one of a number of states across the country offering tablets to incarcerated populations. Nearly half of all state prison systems offer some form of e-messaging, a basic form of prison email provided by a single company that controls both software and hardware. In Idaho, that company is JPay. One of the largest purveyors of prison messaging, JPay contracts as the sole provider of these services in 20 states across the country.

    Nearly half of all state prison systems offer some form of e-messaging, a basic form of prison email provided by a single company that controls both software and hardware.


And Idaho is also one of a growing number of states where prisoners have the option to purchase a JPay tablet. Unlike the Kindle Fire or the IPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.

“The Idaho Department of Correction has nothing more to say about this matter at this time,” Ray wrote in response to WIRED. In a statement emailed to WIRED, JPay spokesperson Jade Trombetta wrote, “While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”

As the sole provider of e-messaging and digital services within Idaho’s prison system, it might stand to reason that the company’s monopoly increased its risk of hacking. “If you’re forced to buy from one entity, I could see the increasing motivation,” says Jake Williams, a security expert and founder of Rendition Infosec. “But I don’t think this [monopoly] increases vulnerabilty to hacking.”

Instead, says Williams, any system offering an app over a device operates at a risk.“Any time you have a mobile app—whether it’s a phone or a tablet—the user has a lot of control over any data stored in the device itself,” he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. “A malicious user can access that back-end data,” says Williams.

It’s a problem that Williams sees often. He points to a recent vulnerability assessment that Renditions conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price on the SQLite database, a back-end storage mechanism on the app itself. But by modifying the price on that back-end system, “we could change the purchase price and buy the item for whatever price we wanted,” Williams recalls. “This is not an uncommon flaw with mobile apps.”

For JPay or any other provider offering tablets, a person’s credit balance is most likely stored on the tablet rather than being transmitted on JPay’s infrastructure to a centralized server. This makes it accessible for someone savvy enough to hack into the SQLite database and change their account.

Though they can still send and receive e-messages, the 363 hackers have temporarily lost their ability to download music and games until they compensate JPay for its losses, Ray told the Associated Press. They’ve also been issued disciplinary tickets, which means losing even more privileges and being labeled at a higher security risk level, a classification that could mean being moved to a more restrictive prison, being excluded from certain prison programs, and even being denied parole.

What would make a person, let alone 363 people, take that chance? In Idaho, prison wages range from 10 to 90 cents an hour. That, says Peter Wagner, director of the Prison Policy Initiative, can be a powerful motivator to figure out ways to increase one’s spending power. “JPay is a company that charges 47 cents to send an email. That’s five hours of wages,” he noted.