Hackers Actively Targeting Gas Pumps
An anonymous reader writes: Security researchers from Trend Micro wondered what kind of cyberattacks might target one of our most common and vital pieces of infrastructure: gas pumps. So, they set up some honeypots to find out if and how gas pumps were being attacked. The researchers ended up getting more than they bargained for. Between February and July, there were at least 23 distinct attacks on their honeypots alone (PDF). This included identifications, modifications, and DDoS attacks. "In their research, they found that a DoS or DDoS attack could disrupt inventory control and distribution, which means gas stations may not have enough supply on hand. Changing pump names could result in the wrong fuel being added to a tank—such as putting Unleaded inside Premium, or vice versa. Drivers wouldn't like that. Or changing the pump volume could result in tanks being underfilled."
You'd think we would see some actual disruption. Seems like pumps have adequate protection thus far.
Why the fuck is a gas pump even in a position to be DDoS'ed? Have your staff report daily on the amount of gas sold, don't put this shit online for fuck's sake.
Many gas stations are owned or operated by big chains, who need to know the current status of a large number of stations without waiting for reports. Paying to have a delivery truck come out when the tank is only 1/4 empty, or not sending it out until it has been empty for hours, is throwing money out the window.
Then there's leak and theft detection, where you want to find out before the next day, even if it happens when the gas station is closed and no one is around to hear the alarm.
No, having gas metering equipment online is sensible. Going over the internet without having a firewall blocking all except those who need access is not so sensible.
Have your staff report daily on the amount of gas sold, don't put this shit online for fuck's sake.
Stop overreacting. Putting it online saves labor, lowers costs, and has caused ZERO problems. The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium (in which case 90% won't even notice because their car isn't designed to use high octane anyway). You should find something else to panic about.
Remote read access: good idea
Remote write access: bad idea
Nobody should be able to change anything on the pump without physical access. At minimum, someone should have to flip a switch inside the pump to enable remote writes.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Honestly, unless you're almost inhuman in disregarding your brain, you'll need to have someone fill up your car without telling you the octane, and then record your observations.
We humans are correlation engines, and it would almost be proof of brain abnormality to not find a correlation, regardless of whether it's there or not.