Prisons conduct online interviews with inmates and officials to prevent COVID-19 infection. Of course, the content of the conversation should not be shown to anyone outside.
However, according to security researcher Bob Diachenko, HomeWAV, a company that supplies video access systems to 12 prisons nationwide based in St.Louis, USA, has opened the system database operation screen in a state that does not even require a password from April. It turned out that thousands of phone records, including inmates and lawyers, were clearly visible.
Although the visitation record alone should not be exposed to a third party, the reason this system is more problematic is that the conversation between the prisoner and the attorney, which should not have been recorded if it was originally, was texted, stored, and disclosed.
Although many calls are recorded in US prisons, conversations between lawyers and clients are information that must be protected by nature. Moreover, the Corona 19 disaster is more likely than usual for more people to use online visits, and considering that all of these were public, I wondered if it would be safer to temporarily rent a smartphone video calling app than to introduce an expensive system. These may be.
As soon as the company received the report, it shut down the system. In addition, the reason why the system was seen from the outside was because a third-party vendor accidentally forgot the proper setting, but the name of the company was not disclosed.
A few months ago, the security expert pointed out a security issue with video and voice calling and text messaging apps for inmates called GettingOut. The app, provided by a company called TelMate, has the ability to record calls between inmates and related parties. However, this can also identify individuals, and the database including the inmate’s name, driver’s license ID, e-mail address, religion, place of imprisonment, and medication history has been exposed, which does not require a password. At this time, the system was immediately shut down after receiving a report, and Global Tel Link, the parent company of Telmate, also revealed that it was a mistake in the configuration of the vendor that delivered the system. Related information can be found here .