The nature of the vulnerability hasn’t been disclosed, but is said to have already been identified and fixed.
Several hundred inmates at five prisons in the northwestern US state of Idaho have exploited a software vulnerability in their “prison-specific” tablets to transfer $225,000 worth of digital credits to their virtual accounts, according to a BBC report.
Just for clarification: those are not actual money and accounts, but so-called JPay accounts. JPay is a service that gives incarcerated populations in a number of US states the option to buy tablets with enough functionality to feature virtual accounts to which inmates’ relatives can transfer funds for the benefit of their imprisoned family members. The funds are then converted into credits, which the prisoners can use to purchase items such as music, apps, or games.
The tablets also enable the inmates to stay in touch with their families via messaging, to educate themselves, or simply to while away their time in prison. Internet access isn’t part of the “deal”.
Now, back to the tale of hacker inmates. As it turns out, no fewer than 364 prisoners participated in the scheme, according to prison officials. Idaho Department of Correction spokesman Jeff Ray said that the offenders manipulated the JPay system so that it would increase the amount of funds credited to them. Most of them bumped up their balances by rather small amounts of credits, but around 50 prisoners transferred more than $1,000 worth of credits each. One inmate added nearly $10,000.
“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Ray was quoted as saying. On the flip side, there was no loss to taxpayer money.
JPay has recovered more than $65,000 worth of credits and restricted the inmates tablet privileges until they get the rest back. The offenders have also been deemed a higher security risk.
“JPay is proud to provide services that allow incarcerated individuals to communicate with friends and family, access educational programming, and enjoy positive entertainment options that help prevent behavioral issues,” JPay spokesperson Jade Trombetta was quoted as saying by the Associated Press.
written by Tomas Foltyn, ESET We Live Security