Industry News

Prison inmates hacked tablets to earn $225,000 in credits

364 inmates in five of Idaho’s state prisons have exploited vulnerabilities in the JPay tablets they use to read email and access video games in order to boost their credit balances.

But what is a JPay tablet? And why would you want one if you are locked up in prison?

Well, if you find yourself in the unpleasant predicament of being incarcerated in prison, one of the many undesirable consequences is that you may well feel disconnected from the outside world.

But panic not, because correctional facilities across the United States are equipped with JPay video phone kiosks and email terminals that allow inmates to keep in touch with loved ones (at a price). The only challenge, aside from the cost of earning credits for low paid prisoners, is that the devices can be popular and there can be long queues.

To get around that problem inmates can purchase a prison-issued JPay tablet, manufactured by technology firm Securus who also make the kiosks, through which they can access their messages, listen to music, and play videogames.

As Wired explains, these tablets aren’t themselves connected to the internet, but they can help avoid the lengthy queues at kiosks to read and write messages.

But what about the cost of sending messages? In Idaho, a single message costs just under 50 cents to send (you have to pay double if you want to attach a file). If you want to download a music file that may set you back $3.50.

It soon mounts up, especially when your prison wage may only be bringing in between 10 and 90 cents an hour.

And that was the incentive for 364 inmates to exploit a vulnerability in their JPay tablets to collectively accrue almost a quarter of a million dollars in their accounts.

Details of the flaw have not been made public by JPay, but a spokesperson for the Idaho Department of Correction said that the fraud could not be described as accidental:

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.”

The spokesperson confirmed that of the 364 prisoners involved, 50 had successfully credited their accounts by over $1,000. The largest amount credited to any single inmate was just under $10,000.

JPay has recovered over $65,000 worth of credits, and inmates have been suspended from downloading music and games until the company has been compensated for its losses. The prisoners are, however, still able to send and receive emails in the meantime, although some of their privileges could be lost.

Lets just hope that the emails they’re sending aren’t “Letter from Idaho”-type scams designed to generate some urgent income to pay back the company they defrauded.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.