Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Actively Targeting Gas Pumps

Posted by Soulskill on from the time-to-stop-visiting-those-pumps-equipped-with-self-destruct-buttons dept.

An anonymous reader writes: Security researchers from Trend Micro wondered what kind of cyberattacks might target one of our most common and vital pieces of infrastructure: gas pumps. So, they set up some honeypots to find out if and how gas pumps were being attacked. The researchers ended up getting more than they bargained for. Between February and July, there were at least 23 distinct attacks on their honeypots alone (PDF). This included identifications, modifications, and DDoS attacks. "In their research, they found that a DoS or DDoS attack could disrupt inventory control and distribution, which means gas stations may not have enough supply on hand. Changing pump names could result in the wrong fuel being added to a tank—such as putting Unleaded inside Premium, or vice versa. Drivers wouldn't like that. Or changing the pump volume could result in tanks being underfilled."

123 comments

  1. With all these attacks, by Mr+D+from+63 · · Score: 4, Insightful

    You'd think we would see some actual disruption. Seems like pumps have adequate protection thus far.

    1. Re:With all these attacks, by TheCarp · · Score: 3, Insightful

      With the fact that they are talking about....connecting directly to the internet.... Seems they could have done this with a sniffer.

      Just read some logs, there are all manner of automated attacker out there searching for prey. Run sshd, you will begin getting root login attempts pretty quickly, and the party don't stop.

      Yes, looking for attacks coming down the inter-tube is like looking for bacteria in a pond. Yah, its there, lots and lots of it. That is hardly a newsworthy result.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:With all these attacks, by drinkypoo · · Score: 4, Insightful

      Funny how we're so worried about supply lines being disrupted while our wallets starve the most.

      Funny how we're so worried about our wallets while we're raping mother earth with a rusty pick-ax.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:With all these attacks, by currently_awake · · Score: 2

      We need an "off the shelf" vpn/firewall for the internet of things. You plug your stuff into that to keep the bad men away.

    4. Re:With all these attacks, by houstonbofh · · Score: 2

      You mean like http://www.smallwall.org/ on any one of a half dozen other m0n0wall derived firewalls?
      Or DD-WRT? Of course since many of these people could not even be bothered to change the password, I think a firewall is pretty fucking unlikely.

    5. Re:With all these attacks, by Anonymous Coward · · Score: 0

      Just think about how many times you've ran up to a gas pump only to find that it either won't take your credit card or won't give you a receipt. Either could be caused by a DoS, because the pump can't communicate.

    6. Re:With all these attacks, by phantomfive · · Score: 1

      Strange thing about that, but here's a comparison.

      With all the vulnerabilities we've seen with desktop computers, you'd expect there would have been a major virus that would wipe everyone's hard drive. So far, we haven't seen that, though. Why not? Just because something is possible doesn't mean someone will do it.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:With all these attacks, by Mr+D+from+63 · · Score: 1

      But, we have seen plenty of disruption on PCs in a smaller scale, but essentially zero on gas pumps, and there are a hell of a lot of them out there.

    8. Re:With all these attacks, by bmo · · Score: 2

      With all the vulnerabilities we've seen with desktop computers, you'd expect there would have been a major virus that would wipe everyone's hard drive. So far, we haven't seen that, though. Why not?

      Because there's no money in it and malware writers are no longer the pimply-faced-youth (PFY) looking to just break things.

      No, it's organized crime now. Instead of wiping computers, it's about creating armies of botted computers. It's about bot-herding, and renting out botted computers at literally a nickle a piece (for a limited time only!) for various nefarious tasks. Wiping hard disks is just decapitating the sheep instead of shearing them on a regular basis.

      And then there are the drive-encryptors/ransomware that for a fee (in bitcoins, naturally) you can get the other half of the RSA key that encrypted your data when you ran "happy99.exe" or browsed a website with the wrong ad network whilst having a flash vulnerability. Police departments have even run afoul of this.

      Attacking gas pumps is useless if you just do denial of service or fuck with volumes randomly with no purpose. However, you'd have to be a complete moron to not see that you can extract money from gas pumps if you can compromise them.

      --
      BMO

    9. Re:With all these attacks, by phantomfive · · Score: 1

      There are still plenty of people who hack for fun. For an example, see the recent hack on Donald Trump's website.

      --
      "First they came for the slanderers and i said nothing."
    10. Re:With all these attacks, by jedrek · · Score: 1

      And subsidising the pick axe with taxpayer money.

    11. Re:With all these attacks, by Anonymous Coward · · Score: 0

      And complain about said rape while using the products thereof.

    12. Re: With all these attacks, by Anonymous Coward · · Score: 0

      And trying to discredit anyone who brings the rape to our attention.

    13. Re:With all these attacks, by Pikoro · · Score: 1

      Try getting gas anywhere else in the world where the government isn't subsidizing gas prices. In Japan just a couple of years ago, we were paying about $8/gal. Typical is around $6/gal.

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    14. Re: With all these attacks, by Anonymous Coward · · Score: 0

      You left out credit / debit card capture.

    15. Re:With all these attacks, by nobodie · · Score: 1

      which is actually a reasonably low price considering that they have no domestic source for oil.

      We should be paying for the cost of lost resources, lost to inefficiencies all through the system. Wise up mericans, we are letting our children and grandchildren get raped by the oil companies while we sit in our SUVs and pickups and blow fumes in the faces of our neighbors "harharhar!!!"

      --
      Subversion of spatial scale luxury decoration ideas.
  2. Seriously ? by invictusvoyd · · Score: 1

    Many of these systemsâ"earlier this year, Rapid7 identified about 5,800 of them worldwideâ"are connected to the Internet without a password

    Isn't anyone held responsible for this kind of gross negligence ?

    1. Re:Seriously ? by Anonymous Coward · · Score: 0

      Let's expand on this.

      Why the fuck is a gas pump even in a position to be DDoS'ed? Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.

    2. Re:Seriously ? by known_coward_69 · · Score: 2

      what kind? most of these were designed when dial up internet was the norm and are meant to be used for decades

    3. Re: Seriously ? by Anonymous Coward · · Score: 1

      The companies that have Internet accessible systems are the companies that use contracted maintenance, ie the smaller companies. They save money by contracting out the maintenance, rather than paying for a full time technician. So internet access is necessary for the contractors to be able to view work orders remotely. Most of these are franchises and only have whatever security joe franchise owner decided to set up. The larger companies find it cheaper to hire their own technicians than to have contractors on the clock all day everyday. Hence no need for Internet accessible systems. The company I work for has their own intranet across 7 or 8 states that is not accessible to any machine not physically connected and allowed by our IT department. This includes tank monitors, cash registers, etc. Much more secure. Moral of the story? Shop at QT. My retirement fund needs your money.

    4. Re:Seriously ? by Anonymous Coward · · Score: 2, Insightful

      Why the fuck is a gas pump even in a position to be DDoS'ed? Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.

      Many gas stations are owned or operated by big chains, who need to know the current status of a large number of stations without waiting for reports. Paying to have a delivery truck come out when the tank is only 1/4 empty, or not sending it out until it has been empty for hours is throwing money out the window.
      Then there's leak and theft detection, where you want to find out before next day, even if it happens when the gas station is closed and no-one around to hear the alarm.

      No, having gas metering equipment online is sensible. Going over the internet without having a firewall blocking all except those who need access is not so sensible.

    5. Re:Seriously ? by ShanghaiBill · · Score: 4, Insightful

      Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.

      Stop overreacting. Putting it online saves labor, lowers costs, and has caused ZERO problems. The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium (in which case 90% won't even notice because their car isn't designed to use high octane anyway). You should find something else to panic about.

    6. Re:Seriously ? by drinkypoo · · Score: 3, Insightful

      Remote read access: good idea
      Remote write access: bad idea

      Nobody should be able to change anything on the pump without physical access. At minimum, someone should have to flip a switch inside the pump to enable remote writes.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Seriously ? by Anonymous Coward · · Score: 0

      How do you think self service gas stations work? I'll clue you in. If you don't have a credit/debit card you have to go in and pay the clerk for your gas. You give them $14 and they program the pump to deliver $14 worth of gas. That's done over a network. To do that you have to be able to write to the pump.

    8. Re:Seriously ? by drinkypoo · · Score: 2

      To do that you have to be able to write to the pump.

      Only if the system is fucking ignorant. The pump should get permission to pump from a machine inside the station, under lockdown. The variables regarding pumping are set there, and there's no way to command the pump to use internal values; obviously it will need to store such values internally, but since it will be constantly polling the server for updates, you can't do anything to the pump remotely that will cause it to change its behavior for more than a fraction of a second.

      Such a system is still vulnerable to MITM attacks, but only if you have physical access; I would actually put all the pumps on a private network with the station's server, and use the server as a gateway for retrieving the data, in order to minimize the attack surface. I'd also use cryptographic signatures 'twixt pump and server, as a hedge against MITM. Signatures would be stored on flash protected by a second switch, which also controlled firmware update enable. (Probably the system and the signature would be stored on the same memory device anyhow.) The first switch would simply be for enabling configuration settings.

      TL;DR: No, fool, there is no need for the pump to be writable

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Seriously ? by tompaulco · · Score: 1

      How do you think self service gas stations work? I'll clue you in. If you don't have a credit/debit card you have to go in and pay the clerk for your gas. You give them $14 and they program the pump to deliver $14 worth of gas. That's done over a network. To do that you have to be able to write to the pump.

      There is no reason that has to be done over the internet, over wireless, or even over TCP/IP. There is no reason that this shouldn't be absolutely secure from any attack other than someone having direct access to the machine communicating with the pump.

      --
      If you are not allowed to question your government then the government has answered your question.
    10. Re:Seriously ? by Nikker · · Score: 1

      Why is it that "Putting it online" is a thing? Putting something important like this over the Internet is really just negligence. The kind of data these companies need would sit beautifully over a dial up connection over POTS(not VOIP of course). This would save a large amount of troubleshooting when it goes down and avoids the Internet all together.

      So actually sending the data via telephone lines save labor, lowers costs and will cause zero problems (if of course postulating over the internet could confirm this Zero problem hypothesis).

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    11. Re:Seriously ? by Viol8 · · Score: 2

      "and has caused ZERO problems"

      That you know of. Oil companies are hardly going to tell the world if someone has hacked their systems.

      "The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium"

      No. The worst that could happen in that instance is someone gets diesel instead of gas or vice verca which is pretty fucking serious and will destroy an engine. Shall we give them your name to come for compensation since you think its no big deal?

    12. Re: Seriously ? by Anonymous Coward · · Score: 0

      If I put unleaded in my highly tuned air cooled motorcycle, kiss that engine goodbye in short order. Some machines out there are not smart enough to avoid damage.

    13. Re:Seriously ? by Anonymous Coward · · Score: 0

      No. The worst that could happen in that instance is someone gets diesel instead of gas or vice verca which is pretty fucking serious and will destroy an engine.

      No, many worse things could happen, including a delivery overfilling a misreporting tank, causing flooding and potentially a fire. Bada-boom. Big bada-boom.

    14. Re:Seriously ? by pixelpusher220 · · Score: 1

      having gas metering equipment online is sensible

      Having it *accessible* on a private network is quite reasonable. Having it on the public internet, firewall or not, is simply asking for it to be hacked and misused.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    15. Re: Seriously ? by pixelpusher220 · · Score: 1

      contractor or not is irrelevant to how the systems are accessed. It does *not* have to be over the open internet. A private network connects the machines and you run that to the managing company and then the contractors remote into *that* system if you don't want to put the private connections out to the contractors.

      Moral of the story, it's only cheaper to contract out if you aren't doing the full security required for the job.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    16. Re:Seriously ? by imboboage0 · · Score: 1

      Why waste a phone line with so much fiber around?

      --
      Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
    17. Re:Seriously ? by imboboage0 · · Score: 1

      Not terribly likely, as they're always isolated systems. Diesel nozzles are larger as well IIRC. I don't believe they fit - not that it stops anyone from doing it to their land rover anyway.

      --
      Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
    18. Re:Seriously ? by ShanghaiBill · · Score: 1

      No, many worse things could happen, including a delivery overfilling a misreporting tank, causing flooding and potentially a fire. Bada-boom. Big bada-boom.

      Nonsense. The check valve on the delivery truck is a mechanical device, that has no software at all.

    19. Re:Seriously ? by ShanghaiBill · · Score: 1

      Putting something important like this over the Internet is really just negligence.

      Since when did the tank level at a gas station become "something important"?

    20. Re: Seriously ? by Anonymous Coward · · Score: 0

      Highly tuned air cooled motorcycle is an oxymoron.

    21. Re:Seriously ? by ebvwfbw · · Score: 1

      How about when you pump more fuel into your car than it has capacity. That happened to me. 16 gallon tank and it pumped 20 gallons. I expected to pump around 12 gallons. They didn't care of course, pay up sucker! Maybe this is what happened. This was back when it was real expensive.

  3. Regular vs Premium by Anonymous Coward · · Score: 0

    "Changing pump names could result in the wrong fuel being added to a tank—such as putting Unleaded inside Premium, or vice versa. Drivers wouldn't like that."

    This would actually be an interesting social experiment, just to see if anyone actually noticed.

    1. Re:Regular vs Premium by known_coward_69 · · Score: 0

      i usually buy regular 87 octane but once in a while i used to buy 93 and i've noticed. mostly less drag when going from stop to go

    2. Re:Regular vs Premium by Anonymous Coward · · Score: 0

      People with cars that spec premium gas would certainly notice.

    3. Re:Regular vs Premium by houstonbofh · · Score: 2

      I would. My car would ping and knock until the sensor dialled down enough that my performance would suffer and my economy would go to crap. Seen it happen. And on my motorcycle, I would notice the other way as premium has less energy, and my low compression motorcycle runs poorly on it. Just because you wouldn't notice...

    4. Re:Regular vs Premium by west · · Score: 3, Insightful

      Honestly, unless your almost inhuman in disregarding your brain, you'll need to have someone fill up your car without telling you the octane, and then record your observations.

      We humans are correlation engines, and it would almost be proof of brain abnormality to not find a correlation, regardless of whether it's there or not.

    5. Re:Regular vs Premium by pixelpusher220 · · Score: 1

      I could tell the difference between 'good' 87 octane and bad. Back when Amoco still existed, I had an older car that was starting to knock on regular 87. Amoco's always fixed that issue. When ever I got anything else the car knocked. It really was 'better' gas as this was over multiple years of observation.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    6. Re:Regular vs Premium by west · · Score: 1

      Knocking *is* directly related to octane levels, so it's no surprise to find observable correlations there. Also, knocking is not a subtle problem liable to selection bias.

      The question is whether *higher* octane gas than required for an engine (engines can be tuned for high octane gas) improves performance. And the gas manufacturers themselves don't claim that. (In their ads, the benefits are all quite nebulous: "better for your engine")

      But it's a pretty widespread belief that high octane gasoline has "subtle" improvements (my in-laws swear they get substantially better mileage, including for the month that I was buying regular gas for their car :-)) or better acceleration, etc.. As I said, the gasoline manufacturers don't make that or other measurable claims.

      Yet, because of the general association, it's almost impossible *not* to notice the car performance being better when we think there's "better" fuel in the tank, which is what I was trying to point out.

    7. Re:Regular vs Premium by mspohr · · Score: 1

      Most modern cars have knock sensors and retard the timing when knocking is detected so you won't notice knocking. You will get fewer miles to the gallon since this is less efficient.

      --
      I don't read your sig. Why are you reading mine?
    8. Re:Regular vs Premium by russotto · · Score: 1

      The question is whether *higher* octane gas than required for an engine (engines can be tuned for high octane gas) improves performance.

      It can. If your car has a knock sensor, it works by retarding the timing when knocking is detected (usually before you can detect it by ear while sitting in the drivers seat); this reduces performance. If your spark plugs are dirty or there's other problems with the ignition system, you might get more knock with regular than premium, so you could have a loss of power that is "fixed" by moving to premium.

      A properly operating engine tuned for regular won't show increased performance with premium. It won't "see" the premium and advance the timing.

    9. Re:Regular vs Premium by Anonymous Coward · · Score: 0

      High octane is necessary for small engines. Your weed wacker and leaf blower are going to hate you if you give them the cheap shit. Knocking does a real number on them real fast, plus the vibrations make your hands numb. Get the good stuff for your small motors, they sip anyway no point in being cheap. Ethanol free if you can find it.

    10. Re:Regular vs Premium by pixelpusher220 · · Score: 1

      This was a 92 Infiniti so I'm assuming it was not exactly a 'modern' car in the sense you're describing

      --
      People in cars cause accidents....accidents in cars cause people :-D
  4. I suspect this been going on for awhile by Anonymous Coward · · Score: 1

    I used a very infrequently used credit card at a gas station way out in the middle of nowhere on I-10 in Florida going to Panama Beach. I check my account balances frequently, and luckily caught 25+ Xbox Live subscriptions that were opened on that card a day or two after using it at that gas station. I hadn't used that card for anything else in probably several months before those charges, so I really think my CC details got skimmed at that pump.

    You would think those types of charges would trigger some type of fraud detection scheme, but no. And MS wouldn't do anything about the charges, at all. CC company reversed the charges though.

    Captcha: Charge. For real.

    1. Re:I suspect this been going on for awhile by rmdingler · · Score: 2
      Data skimmers (combined with cameras to pickup passcodes) would appear to be the more widespread problem, but here they're talking about unprotected online data such as underground tank fuel levels and humidity.

      Apparently, it's no longer necessary to check the level of one's fuel tanks with the long wooden stick.

      Precisely how much critical infrastructure could be disrupted by corrupting this data is open to discussion, but the real worry is how little password protection is used by many thousands of industries.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:I suspect this been going on for awhile by Anonymous Coward · · Score: 0

      My experience was just the opposite. I used a card I never use on a cross country trip in a podunk gas station and several weeks later my credit card company called to say it had detected suspicious gas purchases near this rural county. Don't know if I was skimmed or the clerk duped my car information when I bought snacks at the station store, but American Express caught it within 15 minutes of the charge and was on the phone with me to check. Had a new card the next day.

  5. Diesel v ordinary - THAT would be nasty by Bruce66423 · · Score: 1

    Though this might provide a useful defence for the idiot who did it by mistake...

    1. Re:Diesel v ordinary - THAT would be nasty by swb · · Score: 2

      Don't most cars (excepting the most expensive, high-performance models) have knock sensors that tolerate regular unleaded even if they say use premium?

      My car says premium is preferred, but that regular unleaded works fine but might result in slightly diminished performance. I've used both and not seen any difference in normal driving.

      It'd be annoying to pay the 20-odd cent additional cost and get regular instead of premium, but I'm not sure most drivers would know the difference.

      Of course diesel would be a real problem, but most stations that have diesel seem to use a completely different filler hose and I'd wager that the tanks and plumbing are physically separate between gasoline and diesel and no amount of electronic hacking could cause diesel to get into the gasoline system.

    2. Re:Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Of course diesel would be a real problem, but most stations that have diesel seem to use a completely different filler hose and I'd wager that the tanks and plumbing are physically separate between gasoline and diesel and no amount of electronic hacking could cause diesel to get into the gasoline system.

      Are you implying that you're pumping regular and premium through the same pipe? In civilized parts of the world, even those are physically separate systems.

    3. Re: Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Except in the case that the delivery guy is directed to the wrong tank number. Here in Aus only difference is the colour coded ring on the inlet (black for diesel).
      Also interesting, a lot of tanks still require regular measuring with the dip stick and manual entry into the system for the logistical side of the operation, so you just enter tank number and the volume which if compromised would be bad

    4. Re:Diesel v ordinary - THAT would be nasty by cciechad · · Score: 1

      Audi's go into safe mode if you put the wrong gas in them. This mode retards the timing and makes the car generally drive like crap and on turbo models it severely limits the boost.

      --
      https://www.fsf.org/associate/support_freedom
    5. Re:Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      So the single hose dispensers magically replace themselves, in their entirety, with a completely separate dispenser every time you select a different grade of gasoline? There is some amount of shared pipe, even if only to the pump unit the hose connects to. So, how the hell are you to say that a pump with only one hose is actually giving you the correct grade?

    6. Re: Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Are you sure its only the color of the ring? In the USA and Canada the nozzle is also shaped differently so that you cannot, without more force than you should use, stick one of the other into your gas tank.

    7. Re:Diesel v ordinary - THAT would be nasty by U2xhc2hkb3QgU3Vja3M · · Score: 3, Interesting

      To answer both of you, I'm guessing things differ in your part of the world and you're simply not aware that things can be different. You're are both right.

    8. Re:Diesel v ordinary - THAT would be nasty by drinkypoo · · Score: 4, Interesting

      To answer both of you, I'm guessing things differ in your part of the world and you're simply not aware that things can be different. You're are both right.

      Not really. There's (typically) only two grades of gasoline at the station and they mix them to make the grades in between with a blend valve, no matter how many hoses there are on the pump. If they have a third tank, it's for diesel, but that always has a separate hose. So you absolutely never know that the grade of gas you're getting is the same as the one you paid for, unless you do an octane test. You can actually do a halfway decent octane test with just two devices; one which tells you the alcohol content (ugh) and one which tells you the specific gravity — a hydrometer. I have a pair of them for measuring cetane levels; you can do it with diesel fuel, too.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Diesel v ordinary - THAT would be nasty by drinkypoo · · Score: 2

      Audi's go into safe mode if you put the wrong gas in them. This mode retards the timing and makes the car generally drive like crap and on turbo models it severely limits the boost.

      Who told you that? Audis have continuously variable timing just like all other modern cars; my 1997 A8Q has got it, as well as cylinder deactivation. If there is pinging, it just retards the timing until there isn't. That's not "safe mode", it's just retarded timing.

      In the 32V Audi V8, low-grade will slightly affect performance, and mid-grade seems to not affect anything at all. If it does affect anything, it will only be in the low end; you can run more timing advance at higher RPMs even on low-grade fuel.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Diesel v ordinary - THAT would be nasty by jafac · · Score: 1

      Yes, but if you ask a BMW owner, they will tell you that in no uncertain terms: running Regular unleaded through a BMW motor destroys the engine.

      (in fact, you'll probably throw a few codes as the knock sensor tells the DME to retard timing to compensate for the lower octane; which will cause the owner to take it to the dealer, who will charge them $1000 to read the harmless codes and reset them).

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    11. Re: Diesel v ordinary - THAT would be nasty by arth1 · · Score: 1

      He's talking about the delivery to the underground tank, not the car fueling.

    12. Re:Diesel v ordinary - THAT would be nasty by U2xhc2hkb3QgU3Vja3M · · Score: 1

      My "You're are" typo aside, I was only addressing the "number of dispensers on a pump" dispute between the two of them. How it works internally, I have no idea.

    13. Re:Diesel v ordinary - THAT would be nasty by drinkypoo · · Score: 1

      My "You're are" typo aside, I was only addressing the "number of dispensers on a pump" dispute between the two of them.

      The thread is about whether multiple grades of gasoline go through the same pipe , not the same hose. So in fact, only one of them is right, and it's the person who didn't misinterpret "pipe" for "hose".

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re: Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Kinda like how driving a BMW tells the world in no uncertain terms that you are an asshole...

    15. Re: Diesel v ordinary - THAT would be nasty by cciechad · · Score: 1

      In my old a4 3.2 it definitely went into safe mode on bad gas. In my newer s5 4.2 I haven't seen this but I suspect bad gas would do it. The dealership said this was a protective mechanism when I asked. So possibly just in the more modern cars running at higher compression ratios.

      --
      https://www.fsf.org/associate/support_freedom
    16. Re:Diesel v ordinary - THAT would be nasty by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Well sorry for not being raised in english.

    17. Re:Diesel v ordinary - THAT would be nasty by drinkypoo · · Score: 1

      Well sorry for not being raised in english.

      If I thought you had to be sorry, you'd know. I'm just explaining, for your benefit. HTH, HAND.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    18. Re: Diesel v ordinary - THAT would be nasty by drinkypoo · · Score: 1

      In my old a4 3.2 it definitely went into safe mode on bad gas.

      If you get too many faults too quickly, it's possible for it to throw a code. But that would take more than just 87 octane. It would take some really crap gas, and you would have to stick your foot into it without consideration for the fact that you put a lesser fuel into it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    19. Re:Diesel v ordinary - THAT would be nasty by jonbryce · · Score: 2

      The pumps in my local petrol station have 4 hoses, marked Regular Unleaded, Premium Unleaded, Regular Diesel and Premium Diesel. I pick up the hose corresponding to the fuel I want. Any other method would lead to cross-contamination of the fuels.

    20. Re:Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 1

      And in Europe you have separate tanks for all the grades of gas and the diesel. And yes, you get separate hoses. And they still let you pump first and pay later.

    21. Re:Diesel v ordinary - THAT would be nasty by kuzb · · Score: 1

      That isn't a problem limited to BMW owners - most car owners have no idea what octane is, or what it does. A lot of people will use 94 octane in their car because they think it makes their car "run better".

      People like you who seem to think everyone is defined by the car they drive are just idiots who like to try to seem superior. In reality, you're exactly the kind of douchebag the road doesn't need.

      --
      BeauHD. Worst editor since kdawson.
    22. Re: Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Most cars made in the last 5-10 years are built to take use higher compression for increased efficiency, and can take advantage of higher octane fuel. My Jeep which is 13 years old, for instance, is built to run fine on regular. Premium allows for advanced timing, and nets a 40 horsey increase.

    23. Re:Diesel v ordinary - THAT would be nasty by mspohr · · Score: 1

      My electric car doesn't care about the rating of the electrons. It will take anything from crappy 120v AC electrons all the way up to highly refined 400v DC electrons. It doesn't care about the quality of the wire, either. I can plug in any old extension cord and as long as the electrons can find their way to the car, it's good.

      --
      I don't read your sig. Why are you reading mine?
    24. Re: Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Running low octane on any of the VW or Audi powerplants does not cause the computer to throw fault codes.

    25. Re:Diesel v ordinary - THAT would be nasty by KGIII · · Score: 1

      No, my BMW adjusts because it has a knock sensor. I have been to gas up and found no premium available and had to put in some regular. It just changes the timing a little and is fine. I have owned a bunch of BMWs (and I get my new one delivered in six days). Not one of them have died due to putting regular gasoline in it. I prefer 97 octane when available. My calculations indicate that is where I get the best mileage.

      --
      "So long and thanks for all the fish."
    26. Re:Diesel v ordinary - THAT would be nasty by KGIII · · Score: 1

      How about browning out and dirty power? No, I am not being an ass (hopefully) but am really curious.

      --
      "So long and thanks for all the fish."
    27. Re:Diesel v ordinary - THAT would be nasty by mspohr · · Score: 1

      Appropriate question. The AC charger is high efficiency and very smart. It will tolerate a wide variety of voltages from 120 to 240 and isn't upset by dirty power. If it is drawing too much current and the voltage drops (due to undersized wire, etc) it will cut back on the current it is drawing until the voltage comes back up.

      --
      I don't read your sig. Why are you reading mine?
    28. Re:Diesel v ordinary - THAT would be nasty by KGIII · · Score: 1

      That makes sense, to some extent. I will have to give it some thought. And it deals with spikes with the traditional fused method? I am going to get an EV. I am not sure which. I may wait and get the hybrid i8 or I may just get a Tesla. I make enough trips to the close town where I can justify it and I have a passion for automobiles so an EV is something I certainly should own. I can move up the i8 list as I am a "preferred buyer" at BMW - in fact I am awaiting my 640li eagerly as it comes in next week. I ordered it quite a while ago, I have never ordered a "bespoke" BMW before this one.

      --
      "So long and thanks for all the fish."
    29. Re:Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      The thread is about whether multiple grades of gasoline go through the same pipe , not the same hose. So in fact, only one of them is right, and it's the person who didn't misinterpret "pipe" for "hose".

      No. A normal reading of pipe in this use is not the literal cylinder but the way of getting gasoline from the station tank to the car tank. The hose is part of that figurative pipe. So gas stations that use the same hose for all grades of gasoline can't prevent mixing because it will get mixed in the hose. Pumps that have distinct hoses could avoid this but may not.

      And it may be so that they just mix the different grades of gasoline together now so that the intermediate grade is just a blend of regular and premium. That certainly wasn't true when I worked at a gas station in the early 1990s. We had separate tanks for each. Of course, it might have been true for other gas stations -- I didn't work at those and have no idea how their tanks worked.

    30. Re: Diesel v ordinary - THAT would be nasty by mspohr · · Score: 1

      I highly recommend you take a test drive in a Tesla. The performance and handling are better than any car I have ever driven. You have to drive it to experience it. Lust is the best way to describe it.

      --
      I don't read your sig. Why are you reading mine?
    31. Re: Diesel v ordinary - THAT would be nasty by KGIII · · Score: 1

      I have driven a friend's and it was quite fun but the handling characteristics are a little off. I was a professional driver, including security training. I can do what is known as a "J-turn" in a bus full of prisoners or drive a sedan like a professional stunt driver. (My MOS was 3505 which put me in the motor pool but driving an HMMWV was not all that we did in there.) My friend told me to drive it like I stole it, he actually came all the way up from Boston with it - it took him quite a while and some planning, and I did - in fact I started off with said J-turn.

      It handles like a mid-engined car but it felt like the center of gravity was a bit lower than most. It took a minute to get used to it but I do agree - it is nice that it handles as well as it does and even more surprising is the weight. It handles very well for its weight. I am a fan of large sport sedans and this really seems to suit me.

      But, and this is a big but, have you seen the i8? The Tesla's nice and all but, really... The i8 is absurdly sexy. It is so sexy that I may do vile things to it in the middle of the night. I could be passionate with it though our love could never be true as it could not love me in return and, well, I could not fuck it. Well, I suppose I could probably find a way but I am only a little bit of a freak. It is absolutely beautifully sexy.

      --
      "So long and thanks for all the fish."
    32. Re: Diesel v ordinary - THAT would be nasty by mspohr · · Score: 1

      I have seen the i8 and it is seriously sexy (unlike the i3 which is seriously ugly). I am not a professional driver so don't have your experience. I don't think the i8 is available for test drives yet so don't know how it handles. However, I'm not really interested in cars with fossil fuel engines even if they have a limited range battery.
      The Tesla does have a very low center of gravity due to the battery pack location under the center of the car. This also gives it a perfect 50-50 front rear weight distribution (at least in the 4WD "D" versions). This gives it incredible handling. It really sticks to the road (even on snow and ice). It's a big, heavy car but the electric motors give it "insane" (or "ludicrous") acceleration.

      --
      I don't read your sig. Why are you reading mine?
    33. Re: Diesel v ordinary - THAT would be nasty by kuzb · · Score: 1

      Most cars don't give a shit what you feed them. Use the octane specified on your gas cap for best results.

      --
      BeauHD. Worst editor since kdawson.
    34. Re:Diesel v ordinary - THAT would be nasty by Anonymous Coward · · Score: 0

      Hipster detected. Just slit your own throat now so we don't have to hear you talk like a cunt all day.

    35. Re:Diesel v ordinary - THAT would be nasty by kuzb · · Score: 1

      The problem with people who try to sound smart is often they aren't.

      Gas powered cars don't care what kind of gas you use in them either (provided you're not using gas in a diesel or vice versa). It's just that if you're using high octane gas in an engine not designed for it there will be no benefit.

      --
      BeauHD. Worst editor since kdawson.
  6. Do you mean by Ol+Olsoc · · Score: 1
    That something attached to the intertoobz might be disrupted by mean people? It thought that stuff was all secure and perfectly safe.

    Who knew?...

    This is why we can't have anything nice.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  7. A while?! by Anonymous Coward · · Score: 1

    Try over a decade! But the banking and credit card industry had no incentive to change - until recently withe huge attacks against Target and other retailers.

    And still tet're moving at a snails pace.

    Even now, when something happens, it's the consumer's burden. That's why I have ONE credit card and NO debit card. And no, having one credit card has no detrimental affect on your credit score.

  8. They call a liquid 'gas'. by Anonymous Coward · · Score: 0

    I thought you were talking about natural gas pumping stations. Jeremy Clarkson on American English.

    1. Re: They call a liquid 'gas'. by Anonymous Coward · · Score: 0

      You mean like how the Brits gasoline an oil (petrol = "rock oil"), when it is not one? Or how the Italians call it benzene, which is a completely different compound?

    2. Re:They call a liquid 'gas'. by tompaulco · · Score: 1

      I thought you were talking about natural gas pumping stations. Jeremy Clarkson on American English.

      Actually, we call it gasoline. We can't help it if people choose to use an abbreviated version that happens to overlap with a scientific state of matter.
      Also note that gasoline is dispensed as a liquid (with vapor (gas) capturing devices), but is burned as a gas.

      --
      If you are not allowed to question your government then the government has answered your question.
    3. Re:They call a liquid 'gas'. by Anonymous Coward · · Score: 0

      We already know Jeremy Clarkson is a pompous ass. There's no need to confirm it.

  9. I believe it by Anonymous Coward · · Score: 1

    I worked at an unnamed gas pump producer for a while. Their concern with security was laughable. Security was the minimum amount of effort they needed to pass certification. In some cases, the passwords were stored on the server in a clear text file. Very poorly managed company. These places mainly see themselves as hardware companies that have software bonus. They haven't realized how crucial software is to their business, so they treat it with that level of respect.

    1. Re:I believe it by Anonymous Coward · · Score: 0

      You obviously saved a few of those clear text files, yes?

  10. 24/7 by sys64764 · · Score: 0

    24/7 online like a porn site just waiting for someone to start pumping?
    Who the fuck had that bright idea?

  11. Wot, no free gas? by Hagaric · · Score: 2

    I would have thought the obvious hack would be to grab card details or get free gas from self-service pumps. So far it just seems like mean pranks, not actual for-profit crime.

  12. Hackers my ass! by Ivan+Stepaniuk · · Score: 0

    First they started associating computer hackers with crime. Now they call 'hacker' somebody that steals from a gas pump? Soon we will be reading that a bunch of humans have been hacked by actively attacking their skin, with lead bullets.

    Also, Slashdot, you were cool.

    --
    My other signature is a car
  13. Come again? by Anonymous Coward · · Score: 0

    Changing pump names could result in the wrong fuel being added to a tank—such as putting Unleaded inside Premium, or vice versa.

    As things the average driver would care about, that falls way down the list, as long as they don't pay for it, they'd never notice, as most vehicles would adjust just fine. Only a few rare gearheads would even claim to be able to notice, and few of them I suspect.

    Now if it were possible to mix up diesel, or there were places selling leaded gasoline, that might be an issue, but unless you're getting your gas from an airport(or apparently, Algeria), the latter isn't a problem, and the former shouldn't be since they wouldn't have any reason to connect them, and would have several reasons not to do so.

  14. It must be the drugs by Anonymous Coward · · Score: 0

    The hacked inventory shows full when the rest of the contents of the pump are in fact small drug pellets delivered using a remote controlled filter mechanism of some sort.

  15. Retail Network Design by David_Hart · · Score: 2

    I used to install pump controllers and POS systems a long while back. Pump controllers would only talk to the back-end computer on a separate VLAN. The primary VLAN had the POS terminals on it. The back office PC had a dial-up VPN connection back to the Home Office. The network didn't rely on the internet but on dial-up access. To affect the station network you would have to have physical access.

    It wouldn't surprise me that gas stations today have internet access for real time inventory and sales management of gas, groceries, etc. This would, as the article points out, open up the site to DDOS and other standard internet attack vectors. One way to reduce this threat is to implement ACLs, only allowing traffic back to the Home Office public IP addresses. But that only defends against basic DDOS attacks. The type of hardware/software that you would need to thoroughly protect the site is prohibitively expensive.

    One defense is the fact that there are so many of them. Yes, a botnet could wreck havoc on a number of stations, but hitting them all in a region, in my opinion, would be a lot harder. Granted, maybe you only need to disrupt "enough" of them.

    1. Re:Retail Network Design by Megane · · Score: 1

      And as someone who wrote code to talk to gas pumps back in the late '90s, and had to hang around unattended sites after installs and upgrades, the worst that can happen by attacking tank monitoring is that the site runs dry. At which point the pumps simply stop pumping. The only loss is in missed sales.

      If they use blender pumps and regular runs dry, only premium will work, which means only the least popular of three (or more) grades works, plus diesel if they sell that. That happened once when I was at a site, and at first I was worried that it was a bug. Ten minutes later I made a call to the site's maintenance number telling them to send a truck, and left.

      Which is basically what I said seven months ago when the article that this is a dupe of was posted.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:Retail Network Design by houstonbofh · · Score: 2

      One way to reduce this threat is to implement ACLs, only allowing traffic back to the Home Office public IP addresses. But that only defends against basic DDOS attacks. The type of hardware/software that you would need to thoroughly protect the site is prohibitively expensive.

      http://www.mitxpc.com/products...

      Starting at $250 and supports IPsec tunnels back to the home office with nothing accessible to the outside. Not expensive at all. But neither is change a password and they did not even do that.

  16. DUPE by Megane · · Score: 1

    http://it.slashdot.org/story/15/01/23/1856201/us-gas-stations-vulnerable-to-internet-attacks

    Give 'em a break, it's only been seven months since this was last posted.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  17. How similar to real gas pumps? by Tony+Isaac · · Score: 2

    Were these honeypot pumps set up in the same way real systems would be set up? In other words, how realistic was the experiment? Were hackers able to attack these systems because they were set up to be honeypots, or does the experiment really indicate that gas pumps around the world are vulnerable?

  18. Posting has loaded comment to scare you. by Anonymous Coward · · Score: 0

    FTA: "..Or changing the pump volume could result in tanks being underfilled"

    Yeah, because Hackers would never do the opposite.

    1. Re:Posting has loaded comment to scare you. by tompaulco · · Score: 1

      FTA: "..Or changing the pump volume could result in tanks being underfilled"

      Yeah, because Hackers would never do the opposite.

      What is a pump volume? Do they mean the rate of flow through the pump? Or do they mean the volume of the tank from which the pump gets the gasoline?

      --
      If you are not allowed to question your government then the government has answered your question.
    2. Re:Posting has loaded comment to scare you. by plover · · Score: 1

      Maybe they meant the hackers 'pump up the volume', where they play Country-Rap crossover music so loud that you drive away before your tank is completely full.

      --
      John
  19. What OS do these Gas Pumps run on? by nickweller · · Score: 1

    "Security researchers from Trend Micro wondered what kind of cyberattacks might target one of our most common and vital pieces of infrastructure: gas pumps" ref

  20. Bikes by Anonymous Coward · · Score: 0

    FTW. Again.

  21. Re:What OS do these Gas Pumps run on? by Megane · · Score: 1

    For what it's worth, the pumps themselves (the part that delivers fuel) are likely to be barely changed from the late '90s, when they were a simple embedded system with no operating system other than "while (1) dostuff();" The displays were just beginning to change then, though. Gilbarco's new LCD display ran on Linux, and you could see all the boot messages out of a diagnostic port. But there was no TCP/IP stack, just the same RS-485 link to control the display.

    The stuff referred to in TFA is about the back-office stuff that runs on "real" PCs. So someone messes up the inventory management stuff that calls for a refill truck? So what? Gas pumps are still (AFAIK) pretty stupid, and customers won't stick around if no fuel comes out, so it doesn't really matter if sucking dry is bad for the pumps. Whoop-de-doo, people will have to go down the block to the next station. Hardly the apocalypse that was these guys premise before they even started.

    The only real concern is when people get gas for free. And the pump has to be told by the site controller equipment to turn on for each and every sale. Even then, there's a mechanical flow counter on the pump that can be checked to see if the pump is giving away free gas due to some sort of shenanigans on the site controller side.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  22. the newly minted millionaires init script by Anonymous Coward · · Score: 0

    Congratulations you actually got somewhere in this pile of paperwork welcome
    heres the card first gas pump, now your accounts on E we either send the bunny ears (might get a pole smoking)
    or they send the bunny suits (ex intel engineer turned poker player on his own chips)
    Welcome to motherfucking life, please enjoy your stay.

  23. Wut? by kuzb · · Score: 1

    "such as putting Unleaded inside Premium"

    I hate to be the one to break it to you, but premium IS unleaded gas. Gas hasn't contained lead for a very long time now.

    --
    BeauHD. Worst editor since kdawson.
    1. Re:Wut? by plover · · Score: 1

      'Unleaded' is the common name given to the lowest octane gasoline a station sells. Most stations in this country sell gas labeled 'Unleaded', 'Mid-Grade', or 'Premium', corresponding to 87, 91, and 93 octane (using the (R+M)/2 method), and none of which contain lead. A station has a storage tank of 87 octane and another tank of 93, and they sell 91 octane by pumping a 50:50 mix down the same hose.

      Decades ago during the phase out of lead, stations simply called the low octane 'unleaded' to distinguish it from 'regular' gas, which was the commonly offered low-octane leaded gas. The name 'unleaded' has been in common use ever since.

      "Putting unleaded in premium" in this context refers to the customer selecting premium at the pump, but tricking the software inside the pump to internally draw from from the 87 octane tank.

      So chill out. The text makes perfect sense.

      --
      John
    2. Re:Wut? by Anonymous Coward · · Score: 0

      'Unleaded' is the common name given to the lowest octane gasoline a station sells.

      No it isn't, it is called Regular. And the most widely used octane numbers in the United States are 87 (Regular), 89 (Plus), and 91/93 (Premium).

    3. Re:Wut? by kuzb · · Score: 1

      Then you should pay more attention at the pumps, because you're dead wrong and so is the article.

      --
      BeauHD. Worst editor since kdawson.
  24. Only 23? by houghi · · Score: 1

    23 on their honeypot? Are they sure it is not just another the NSA? And I assume we talk about http://www.trendmicro.co.uk/ who sell online security.

    Sounds like a standard 'buy stuff from us' marketing campaign to me.

    --
    Don't fight for your country, if your country does not fight for you.
  25. You don't hear about because it isn't talked about by Anonymous Coward · · Score: 1

    One of my first tech jobs was working for a large oil company. Roughly once a week we had a franchise we busted and shut down for hacking their own pumps. Never buy gas from a designed franchise!

    That was about two decades ago. Reason to do so was to reduce the amount sold to rip off two parties - the customer and the oil company. By slightly reducing the amount delivered to the customer they could cut the royalties paid to the oil companies.

    The thieves that sold the chips knew that state inspectors used 5 and 10 gallon tanks so they would always correctly deliver those amounts (if in doubt pump that amount). The oil companies knew this as well so they set up their inspection cars to use tanks with odd sizes (12 gallons etc.).

    They run their own inspections and when they got a hit they would run follow up inspections to confirm. That was where I came in, they needed to work with a tech to arrange the technical end of the inspection for back end sales systems.

    They would get evidence of skimming and then come back with a tanker truck, electrician and a sign company truck. They would then literally de-sign the store where they pumped the gas out of the tanks and took the sign off the franchise on the spot. When the owner would protest they would be reminded that if they chose to challenge in court that they risked going to prison for a very long time. From what I was told no station owner ever challenged the process. We were pretty thorough about evidence and corruption was rampant.

    I would imagine that oil companies and other franchises continue this type of practice of quietly shutting down thieving franchisees to this day. They really, really don't want their franchisees ripping of the public, it's bad for the entire brand.

  26. Re:What OS do these Gas Pumps run on? by Anonymous Coward · · Score: 0

    Modern pumps with color displays, and high security run a stripped down embedded version of debian (gilbarco pumps anyway)

    From the sounds of the article, they pumps were'nt the devices exposed to the internet anyway. It is the ATG (Automatic tank gauge) which is responsible for monitoring tank inventory, and leak sensors. as well as sending alerts via fax, or email when there is a an alarm ie: low product, fuel where there shouldn't be fuel, or water in the tank etc.

    Granted due to the ATG having control of pumps you could shut them down, albeit for a short time. But re-labeling tanks on the ATG doesn't make a bit of difference where the driver who delivers fuel is going to put it in the ground. As all of the fill points are very clearly labeled as to what should go where (By Law)

    This is old news and of minimal risk.

    ref: Im a petroleum tech

  27. Re:What OS do these Gas Pumps run on? by ebvwfbw · · Score: 1

    Safeway uses windows 95 at a lot of their stations. Yes, windows 95. No, really windows 95. Surprised the crap out of me too. I don't use Safeway anymore.

  28. The is a lot by MrKaos · · Score: 1

    of gas in this discussion

    --
    My ism, it's full of beliefs.