Florida prison officials say a computer "glitch" may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons.
But a surveillance video released this week (see above) suggests that the doors may have been opened intentionally - either by a staff member or remotely by someone else inside or outside the prison who triggered a "group release" button in the computerized system. The video raises the possibility that some prisoners knew in advance that the doors were going to open.
It's the second time in two months that all of the doors in the wing opened at once, officials say, raising questions about whether the first incident was a trial-run to see how long it would take guards to respond.
The most recent incident occurred on the night of June 13 at the maximum security wing of Turner Guilford Knight Correctional Center in Miami, Florida, but surveillance footage only became available this week after the Miami Herald filed a public records request. The Center holds about 1,300 prisoners - male and female - but the security breach only opened the doors of K-81, the maximum-security wing. Guards at the prison say they did not open the doors.
According to a written account by one of the guards on duty that night, which WIRED obtained, the incident occurred around 7:04 p.m. just after a shift change. A guard who identified himself only as Officer G. Summons in the report, said he had just relieved another officer for a break at 7 p.m. when "the control panel shutdown and all cell doors opened." At that point "all inmates came out of their cells." Officer Summons called for backup, and at 7:07 p.m. the guard he had relieved a few minutes earlier, along with a second guard, entered the booth to assist. Other guards began corralling inmates back to their cells.
But according to the video, not all of the inmates exited their rooms, as Summons reports. As soon as the doors opened, surveillance cameras captured one prisoner in particular immediately leaving his cell, as if he had anticipated the door opening, and walking down a passageway toward another prisoner, with whom he reportedly exchanged a shank or homemade prison knife. They and two other inmates then closed-in on 27-year-old Kenneth Williams, who leapt over a second-floor balcony railing to escape his would-be assailants and suffered a broken ankle and fractured vertebrae in the fall.
Within minutes after the doors opened, guards report that they were in the hallway yelling at other inmates to remain in their rooms as they attempted to secure the area and lock the doors.
The assailants were reportedly rival gang members of Williams. He and a twin brother allegedly lead a violent drug gang and are believed to have ordered a hit against a rival in December 2008 that resulted in a 10-month-old boy being killed in the spray of gunfire. Two teenagers were convicted of the boy's murder, and Williams and his brother were arrested for allegedly threatening one of the key witnesses in the case. Williams is scheduled to go to trial next week on the witness tampering charge.
In his own account of the prison incident, quoted here verbatim, Williams writes: "I was seting in my cell room 9111 when the door's open and I seen 4 inmate come in 2 my room with something in there hands at the sometime I had something to but I jump off the 2th floor becuz I was scary for my life. I want 2 know why the door's keep open."
The surveillance video doesn't show the inmates entering his room but appears to show them encountering him in the hallway after he left the room. The other prisoners involved in the incident have been identified as Junior Pascal, Jay Stubbs, Quincy Taylor, and Richard Holt, who are all in their twenties. Guards confiscated several shanks during and after the incident, including one later found in a shower stall where the inmates were taken after the incident.
Miami-Dade Corrections Director Tim Ryan acknowledged to the Herald that the circumstances around the door-release were "suspicious," and said officials were investigating whether any staff members were responsible for opening the doors or if a problem lay with the computerized system that controls the doors. The latter system is reportedly part of a $1.4 million security upgrade installed at the prison by a company in Alabama named Black Creek Integrated Systems.
A touch-screen monitor that allows prisons using the Black Creek system to use a single display screen to control the locks on cell doors, surveillance cameras, water and electricity, and other systems at the facility.
The control panel for the system generally features a group-release button that allows guards in minimum-security facilities to release inmates simultaneously for a head count, the Herald reports. But it's generally not used in maximum-security settings, since inmates are kept one-to-a-cell and aren't allowed to interact with one another in common areas.
It's not the first time that an apparent glitch with the release occurred. A month earlier on May 20, the group-release feature also got mysteriously activated. Officers said at that time, as well, that they had not pressed the release button, which raised the possibility that one of them might have activated it accidentally. Unfortunately, no surveillance camera was installed in the control room to determine if that occurred. So as a precaution, technicians added a security feature that was supposed to prevent accidental activation. Any time a guard touches the release feature now, a prompt is supposed to appear onscreen asking the guard to confirm the intention to open all of the cell doors.
But this didn't appear to help a month later when the problem with the doors recurred.
Ryan told WIRED that the incident is being investigated by the Miami-Dade police department, but a report isn't expected to be completed for a month or two. He said that an initial review of the computer logs indicated that an "operator error" had occurred, but they don't know what exactly this means.
"The software in the computer has only one kind of thing, operator error, and we don't know what triggers that, so part of the inquiry is to find out what the software is saying," he said.
But the correctional facility in Florida isn't the only one to experience a problem with its electronic doors. Last April, just a month before the first Florida incident occurred, a correctional facility in Maryland had a similar problem when the locks on 500 cell doors disengaged simultaneously at around 12:20 a.m. on a Saturday morning.
A computer malfunction was also blamed for this failure. Officials at the Montgomery County Correctional Facility where it occurred said no inmates tried to escape, but about 20 police cars were called in to secure the perimeter of the facility during the hour it took to fix the glitch and secure the doors. Three days later, however, the locks on the cell doors disengaged again. It's not clear if Black Creek's system is also installed at that facility. Officials in Maryland did not respond to a call for comment.
J.C. Dugue, Williams's attorney, told WIRED that it's hard to imagine the doors in Florida opened without an assist from guards or some other accomplice on the inside.
But a trio of security researchers - John Strauchs, Teague Newman, and Tiffany Rad - say that many prison systems have vulnerabilities that can be exploited remotely by hackers or accomplices from inside or outside a prison. They have examined systems at a number of facilities and two years ago presented their findings at the DefCon hacker conference in Las Vegas.
Some of the vulnerabilities exist in the architecture and configuration of the systems, causing them to be accessible via the internet. Other vulnerabilities exist in the programmable logic controllers that are used to control not only prison doors, but surveillance cameras and other prison systems. Many PLCs use Ladder Logic programming and a communications protocol that have no security protections built into them. There are also vulnerabilities in the Windows-based desktop machines that are used to monitor and program the PLCs. Anyone who gains access to these computers can control the PLCs and the operations they monitor, the researchers say.
According to Strauchs, a hacker could install malware to gain control of prison computers either by getting a corrupt insider to install it via an infected USB stick - and programming the attack to kick in at 2 a.m. on someone else's shift - or by sending it to a worker via a phishing attack aimed at tricking the staffer into clicking on a malicious attachment or link. Though control systems at prisons shouldn't be connected to the internet, Strauchs says his team once toured a prison control room in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also computers in non-essential parts of prisons, such as in the commissaries or laundry rooms, that are sometimes connected to the networks that control critical functions, allowing someone to remotely hijack the control room system from another location in the prison.
"Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth," the researchers wrote in a paper they released in 2011. "Access to any part, such as a remote intercom station, might provide access to all parts."
Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. But a hacker could design an attack to override the cascade release to open all of the doors at once and overload the system.
The researchers say they can't tell from the information available about the incident in Florida whether it involved operator error or an insider or outsider attack. Judging from what is available, they say the company that installed the system seems to have done some things right while failing to do other things it could have done to secure the system better.
According to the web site for Black Creek Integrated Systems, the company responsible for installing the digital management system at the Florida prison, its sole customers are corrections facilities. It has installed systems in "jails, prisons, courthouses and government facilities across the nation."
In addition to the door security systems, it sells and installs video surveillance systems and RFID prisoner-tracking systems, as well as an IP-based video visitation system that allows inmates to visit with their families remotely via computer. It's not clear how securely those systems are built.
Diagram published on Black Creek's web site showing the general network architecture of its system.
A video posted on the company's web site shows how its management system can be integrated to control any electronic or electric device at a prison - including door locks, card readers, water and electricity, intercoms, surveillance cameras, and inmate phones - all from a single touchscreen monitor. The so-called Super Display system "utilizes a highly secure, gigabit security LAN which provides high bandwidth utilizing standard TCP/IP communication between all system major components," according to the company.
A diagram posted on the company's site showing the system architecture (.pdf) lists PLC's, wireless access points and remote access as some of its features, which could potentially be vulnerable, depending on their configuration.
Newman told WIRED that the diagram seems to indicate that control systems for doors are properly segmented and are not immediately accessible from the internet. The wireless access points and remote access workstation also appear to be connected only to internal networks. But he says there is still a potential for vulnerabilities, depending on how the system is actually configured at each facility and whether the software installed on them is secure. After all, it's not only hackers from outside the prison that are a danger, but anyone with access to a computer on the internal network.
Strauchs says he's surprised that Black Creek only installed a prompt on the system to prevent an accidental activation of doors after there was already a problem. He has installed systems at prisons himself and says that any time he did, he made sure the all-release function for opening doors could only be activated with a key that the senior officer on a shift possessed - a solution that is much more secure than a prompt.
"Every design I did, it was impossible to enable the all-release button unless you activated the key so that it was a consciously positive action," he says. "Without the key, that button wouldn't work. I can't believe Black Creek wouldn't have had that safeguard. Just a prompt makes no sense to me."
Black Creek refused to answer any questions from WIRED about its systems, including the number of prisons in the country that use them.
Ryan told WIRED he had never considered the possibility that the system might have been hacked - either from an insider or an outsider - but said investigators would now look into that.