Skip to content
Naked Security Naked Security

Prisoners exploit tablet vulnerability to steal nearly $225K

364 of them hacked the JPay tablets they use for email, music and games and transferred money into their own accounts.

Idaho prison officials said on Thursday that 364 inmates in five of the state’s prisons exploited vulnerable software in the JPay tablets they use for email, music and games in order to pump up the cash balances of their accounts.
The inmates transferred nearly $225K into their JPay accounts, according to the Associated Press.
The handheld tablets are used in prisons across the country, where inmates use them to stay in touch with the outside world via money transfers, emailing families and friends, buying and listening to music, video visitation, parole and probation payments, and downloading and playing games. The devices are made available through a contract between JPay and CenturyLink. Inmates can pay for entertainment, games and additional services with JPay credits.
Idaho Department of Correction spokesman Jeff Ray said on Thursday that no taxpayer money was involved in the fraud. The tablets operate over a secure network and don’t offer access to the wider internet.
The transfer scam was discovered earlier in the month by a special investigations unit, Ray said.
Mark Molzen, a spokesman for CenturyLink, told the AP that the problem involved inmates “intentionally exploiting a software vulnerability to increase their JPay account balances.” The company declined to give details, considering any such to be proprietary information. Molzen did say that the vulnerability has since been fixed, however.


According to Ray, the largest amount swindled by a single inmate was a little under $10,000. Fifty of the inmates transferred amounts exceeding $1,000 into their accounts.
This was no accident, Ray said:

It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.

Ray said that JPay has managed to claw back more than $65,000 worth of credits. The guilty inmates have been shut out of much of the tablets’ functions: they won’t be able to download games or play music until they pay back what they owe to the company, he said. They’ll still be allowed to read and send emails, though.
The Idaho Department of Correction has issued disciplinary reports to the involved inmates. That could lead to loss of privileges and a possibly reclassification to a higher security risk level.


8 Comments

This headline on this article is misleading. There is a difference between stealing 225k and crediting a good account with the same amount of items. Then the article uses the phrase “claw back” money to make it sound like credits in this closed system are somehow stolen before they are spent. Unless they were actually transferring out the money some way there is no “claw back” you just wipe the credits from their accounts.
This whole system sounds like a low ball bid system to milk prisoners of what little they are allowed to make. Then “news” stories like this basically re-type up a press release so that the story has whatever spin the company want. Do your readers a favor, if you aren’t going to do journalism at least don’t be a mouthpiece for someone else’s agenda.

If prisoners are underpaid, maybe they could’ve considered that aspect of “internal living” before earning their sabbaticals from public life.
Cheating is still theft irrespective of whether the chance to benefit thereof actually occurs.** Recidivism yields to continuity if criminal behavior never even abates; IMO guys not actively developing their “second-chance” plan for rehabilitation are making a solid argument for “four walls and a bucket.”
The rest of us follow the rules and pay a boatload of taxes so we can take a walk anytime we like.
** While “claw back” may be interpreted as struggling to recover what’s already gone, I read it as an arduous and lengthy audit: once the exploit is discovered, the full scope of the loss must be assessed: how many stolen credits *have* already been spent. Caffeine and toothpicks–it’s gonna be a long night.

Well, I do agree that they can wipe the credits that are still in their JPay accounts, but if they already spent it on stuff than they basically stole that stuff. So I guess they have to repay whatever they bought with the stolen credits.

That would be true if it was only game credits. Howwever, the software does allow ‘money transfers’ so it’s quite possible that the downloaded credits were transferred out.

What happened is that prisoners stole products from the commissary by doing what they do best. Stealing is stealing no matter how anyone tries to justify it and hopefully they will be prosecuted for abusing a privilege, for giving the prison system an excellent excuse to take the tablets away from other prisoners, and for committing a new felony. .

Incidentally, I was wrong about commissary. A JPay spokesperson said that inmates were placing a product, like music or a game, in their cart and removing it in a way that didn’t subtract credit, but instead resulted in more credit in their accounts.
JPay said the inmates “weren’t stealing money so much as acquiring digital content without paying for it.”

Sooo, in prison you can email, get music, games, along with free rent, utilities, medical and so on. And make a living hacking? Mom, I’m moving out of the basement! There is that weird thing if you say it slow though I-da-ho, not sure I like that part.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?