The release of data on the hack of a transparent prison laptop led to the removal of 1,200 such working devices from prisons

The release of data on the hack of a transparent prison laptop led to the removal of 1,200 such working devices from prisons

After promulgation in public BIOS password and Ubuntu installation instructions for a used Justice Tech Solutions Securebook 5 prison laptop with a clear case purchased on eBay, the US Department of Corrections considered this situation a security issue and removed more than 1,200 of these working inspection laptops from correctional facilities and upgrade so that their protection cannot be bypassed.

In late February 2024, Boston-based retro PC enthusiast, hardware enthusiast, and engineer Venting Zhang accidentally purchased a laptop with a clear case on eBay that turned out to be a prison model. The laptop turned out to have a BIOS password that is difficult to reset or change. The enthusiast decided together with the help of other experts and users to unlock the device and install Linux on it. As a result, he managed to do it in a few hours. A detailed technical description of this story can be read in the publication on Habra “User accidentally bought a transparent Securebook 5 laptop for use in prisons and with a BIOS password on eBay”.

A brief explanation of hacking this laptop at home (PrisonBook project):

  • it will not be possible to physically connect an external medium to the laptop, because there are no unsoldered USB ports on the case;

  • the screen saver when booting the laptop showed that AMI BIOS is used there, it was not possible to reset the BIOS password using standard methods;

  • you can’t connect an external drive to the laptop even to the internal USB ports, as the BIOS has a whitelist to block the connection of external drives;

  • as a result, experts were able to find the BIOS password: N% (dU32p.;

  • enthusiasts were able to crack the BIOS firmware and remove the block on connecting third-party drives;

  • the current BIOS version for PrisonBook S1 is listed on the Internet Archive.

After installing Linux, Zhang immediately launched the game on the laptop:

Such laptops are used in US prisons in prisoner rehabilitation programs. These are special tamper-proof laptops that contain standard Microsoft Office applications and have access to the closed training network of the US Department of Rehabilitation Programs.

In some cases, there is access to pre-approved bookmarks in a separate browser, which gives prisoners access to a limited number of Internet sites.

It is noteworthy that the manufacturer Justice Tech Solutions offers a version of this laptop with the Endless Justice OS installed. It is a derivative of the Endless Linux distribution, in which dozens of games are installed. So, apparently, there are a few inmates in the prison classroom who play solitaire like normal people do.

It wasn’t until late February 2024 that a topic involving the hacking of a used transparent prison laptop and the publication of the default password (which, it turns out, is used on virtually all laptops in prisons) went viral and also caught the attention of corrections officials in Washington, D.C., who already have been using similar devices for training prisoners for several years.

Five days after Zhang’s publication, the US Department of Corrections was tasked with promptly collecting all secured laptops from prisons and inmates across Washington state to ensure an immediate system upgrade. As a result, during the day, employees of correctional institutions collected and handed over to the manufacturer about 1,200 laptops for their protection.

A spokesman for the US Department of Corrections, Chris Wright, confirmed to the media that no inmates in Washington prisons have tried to unlock their devices since Zhang’s post. An employee of the department explained that this decision was “taken out of an abundance of caution.” It is not yet clear whether these devices and other states whose correctional facilities use the Securebook 5 laptops.

“The department recognizes how important educational programs are for inmates, and we are doing everything we can to ensure that information technology classes are not interrupted,” Wright said.

Information about this situation from prisoners

The prisoners themselves told the media that many of them are students, and with the help of these laptops they were preparing for exams, taking various training courses, including development and web design. Their classes have now been canceled until further notice. The prisoners also explained that they were not given information about when and if at all the devices would be returned. Many of them asked if they would lose access to work saved on their laptops. To download and transfer this data, you need to dock your laptop.

Several inmates at the Washington Correctional Center for Women in Gig Harbor said they were placed in solitary confinement while corrections officers came to retrieve their laptops. They were told that the laptops needed updating, but “they didn’t come, as if it was a raid to simply update the system,” one of the participants of the rehabilitation program clarified.

Additional clarification on this situation from the US Department of Corrections and related experts

Corrections officials are concerned that inmates can use the default administrative password to reboot laptops and “remove the security system,” allowing them to install new operating systems and “override all security protocols.”

“Securebooks, like most prison equipment, are programmed to only boot from the operating system installed on them,” Jessica Hicklin, CTO of Unlocked Labs (a St. Louis-based educational technology nonprofit that uses Securebooks and other Justice Tech equipment), told the media. This operating system is configured so that the user can only access certain programs and files. “Most correctional departments are concerned that inmates have full access to the administrative functions of the operating system,” says Hicklin.

Hicklin, who was also previously incarcerated, said the decision by Washington officials to seize the laptops was unnecessary given the limited potential for real harm. “As long as the network is securely protected, there is no real real security threat,” Hicklin explained.

But former corrections officers from Washington and other states said the decision was reasonable given the potential security concerns.

The head of the development team of the manufacturer of secure devices Justice Tech, Jeremy Schwartz, told the media that inside the prison, few people can do anything with a compromised Securebook. They will need to be soldered to a USB port, be able to install another operating system, and have access to a docking station. Even when devices are docked, they only have limited network access.

“Prison administrations in many other states actually felt safe when they got into the technical details of the existing security levels on our laptops,” Schwartz said, noting that the work of third-party hackers cannot be replicated in a prison environment, even though the situation itself went viral.

So how did a prison laptop end up on eBay?

The laptop Zhang bought came from a state whose Department of Corrections contracted with a Milwaukee nonprofit to dispose of old laptops. But instead of recycling the devices, the organization resold them, selling 100 copies of the Securebook on eBay. On reseller sites, you can often find personal tablets from prison technology companies. In some places, inmates pay for such gadgets and communications and are allowed to take them home after release.

But what is much more unusual is that secure laptops are hitting the Internet market. According to Schwartz, Justice Tech only sells the devices directly to correctional facilities and other organizations that work with incarcerated students, not to private individuals.

Stacey Burnett, who runs a program at research organization ITHAKA, which allows inmates to access research materials, told the media that many prison officials have done what they can to set up the technology infrastructure, but security considerations sometimes require them to turn everything off.

“In such cases, the only line of defense is to confiscate devices from inmates until the problem is diagnosed, isolated and resolved. This can take months and create significant challenges for students, colleges or professional program providers,” says Burnett.

Washington corrections officials said they are working to minimize the inconvenience to incarcerated students by expediting the delivery of new Securebook 6 laptop models to replace the Securebook 5 within several weeks, keeping incarcerated students busy. After the arrival of laptops, correctional institutions plan to increase the time of laboratory classes, as well as provide access to secure desktop computers in educational classes, so as not to interrupt the learning process for a long time.

Related posts