Legally Weird - The FindLaw Legal Curiosities Blog

How to Hack Your Prison Tablet for a Cool Quarter Mill

Ever heard of JPay? If not, consider yourself lucky. The company contracts with local, state, and federal detention centers to provide inmates with music players and tablets that allow them to do everything from access email and play games to make parole and probation payments and allow deposits into their commissary or trust accounts. And with potentially millions of dollars whizzing in and out of our nation's prisons and jails, you'd think JPay would have top-of-the-line security and encryption on their devices.

Not so much.

It turns out a relatively simple "hack" in JPay's tablets allowed a few hundred Idaho inmates to rack up almost $225,000 in total credits to their personal accounts, which they could then use to pay for e-mail, video calls, music, and other digital services. Normally, we'd frown on such (possibly) illegal behavior, but with a company as predatory and unscrupulous as JPay, it's hard not to root for the inmates in this case.

Cons and the Con

JPay charges inmates 47 cents per email. It charges them fees to use their prison earnings or commissary account remainder after their release, sometimes over 40 percent of the funds owed to them. It throws lavish parties for corrections officials to woo them into using their services, then sends kickbacks to prison operators in exchange for JPay's monopoly on prison commerce. The company is one of many profiting off of America's incarcerated population, which, including those under state supervision for parole or probation, encompasses seven million people.

Surely, a company of this magnitude can afford the engineers and programmers necessary to ensure its transactions are secure. Surely.

Maximum Insecurity

Telecommunications giant CenturyLink works with JPay to provide the tablets, and spokesperson Mark Molzen said the problem involved inmates "intentionally exploiting a software vulnerability to increase their JPay account balances." Which does kinda sound like a hack, until you hear the AP describe it: "Officials said the improper credits occurred when individuals placed products in their digital shopping carts and then removed them in a way that created a credit that was added to their total funds available." Not exactly Fort Knox.

The Idaho Department of Corrections said nearly $225,000 was credited into 364 inmates' accounts, mostly in small increments. According to spokesperson Jeff Ray, just 50 of those inmates credited their accounts in amounts exceeding $1,000, and the largest amount credited by a single inmate was just under $10,000. As of last Friday, JPay had recovered more than $65,000 of those credits, and the inmates involved have been disciplined, including having some JPay features revoked.

Here's to hoping the rest of those credits just up and vanished, much like Andy Dufresne.

Related Resources: