Slashdot Mirror
Hackers Actively Targeting Gas Pumps
An anonymous reader writes: Security researchers from Trend Micro wondered what kind of cyberattacks might target one of our most common and vital pieces of infrastructure: gas pumps. So, they set up some honeypots to find out if and how gas pumps were being attacked. The researchers ended up getting more than they bargained for. Between February and July, there were at least 23 distinct attacks on their honeypots alone (PDF). This included identifications, modifications, and DDoS attacks. "In their research, they found that a DoS or DDoS attack could disrupt inventory control and distribution, which means gas stations may not have enough supply on hand. Changing pump names could result in the wrong fuel being added to a tank—such as putting Unleaded inside Premium, or vice versa. Drivers wouldn't like that. Or changing the pump volume could result in tanks being underfilled."
You'd think we would see some actual disruption. Seems like pumps have adequate protection thus far.
what kind? most of these were designed when dial up internet was the norm and are meant to be used for decades
Don't most cars (excepting the most expensive, high-performance models) have knock sensors that tolerate regular unleaded even if they say use premium?
My car says premium is preferred, but that regular unleaded works fine but might result in slightly diminished performance. I've used both and not seen any difference in normal driving.
It'd be annoying to pay the 20-odd cent additional cost and get regular instead of premium, but I'm not sure most drivers would know the difference.
Of course diesel would be a real problem, but most stations that have diesel seem to use a completely different filler hose and I'd wager that the tanks and plumbing are physically separate between gasoline and diesel and no amount of electronic hacking could cause diesel to get into the gasoline system.
Apparently, it's no longer necessary to check the level of one's fuel tanks with the long wooden stick.
Precisely how much critical infrastructure could be disrupted by corrupting this data is open to discussion, but the real worry is how little password protection is used by many thousands of industries.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
I would have thought the obvious hack would be to grab card details or get free gas from self-service pumps. So far it just seems like mean pranks, not actual for-profit crime.
To answer both of you, I'm guessing things differ in your part of the world and you're simply not aware that things can be different. You're are both right.
To answer both of you, I'm guessing things differ in your part of the world and you're simply not aware that things can be different. You're are both right.
Not really. There's (typically) only two grades of gasoline at the station and they mix them to make the grades in between with a blend valve, no matter how many hoses there are on the pump. If they have a third tank, it's for diesel, but that always has a separate hose. So you absolutely never know that the grade of gas you're getting is the same as the one you paid for, unless you do an octane test. You can actually do a halfway decent octane test with just two devices; one which tells you the alcohol content (ugh) and one which tells you the specific gravity — a hydrometer. I have a pair of them for measuring cetane levels; you can do it with diesel fuel, too.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Audi's go into safe mode if you put the wrong gas in them. This mode retards the timing and makes the car generally drive like crap and on turbo models it severely limits the boost.
Who told you that? Audis have continuously variable timing just like all other modern cars; my 1997 A8Q has got it, as well as cylinder deactivation. If there is pinging, it just retards the timing until there isn't. That's not "safe mode", it's just retarded timing.
In the 32V Audi V8, low-grade will slightly affect performance, and mid-grade seems to not affect anything at all. If it does affect anything, it will only be in the low end; you can run more timing advance at higher RPMs even on low-grade fuel.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I used to install pump controllers and POS systems a long while back. Pump controllers would only talk to the back-end computer on a separate VLAN. The primary VLAN had the POS terminals on it. The back office PC had a dial-up VPN connection back to the Home Office. The network didn't rely on the internet but on dial-up access. To affect the station network you would have to have physical access.
It wouldn't surprise me that gas stations today have internet access for real time inventory and sales management of gas, groceries, etc. This would, as the article points out, open up the site to DDOS and other standard internet attack vectors. One way to reduce this threat is to implement ACLs, only allowing traffic back to the Home Office public IP addresses. But that only defends against basic DDOS attacks. The type of hardware/software that you would need to thoroughly protect the site is prohibitively expensive.
One defense is the fact that there are so many of them. Yes, a botnet could wreck havoc on a number of stations, but hitting them all in a region, in my opinion, would be a lot harder. Granted, maybe you only need to disrupt "enough" of them.
Why the fuck is a gas pump even in a position to be DDoS'ed? Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.
Many gas stations are owned or operated by big chains, who need to know the current status of a large number of stations without waiting for reports. Paying to have a delivery truck come out when the tank is only 1/4 empty, or not sending it out until it has been empty for hours is throwing money out the window.
Then there's leak and theft detection, where you want to find out before next day, even if it happens when the gas station is closed and no-one around to hear the alarm.
No, having gas metering equipment online is sensible. Going over the internet without having a firewall blocking all except those who need access is not so sensible.
Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.
Stop overreacting. Putting it online saves labor, lowers costs, and has caused ZERO problems. The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium (in which case 90% won't even notice because their car isn't designed to use high octane anyway). You should find something else to panic about.
Were these honeypot pumps set up in the same way real systems would be set up? In other words, how realistic was the experiment? Were hackers able to attack these systems because they were set up to be honeypots, or does the experiment really indicate that gas pumps around the world are vulnerable?
Remote read access: good idea
Remote write access: bad idea
Nobody should be able to change anything on the pump without physical access. At minimum, someone should have to flip a switch inside the pump to enable remote writes.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I would. My car would ping and knock until the sensor dialled down enough that my performance would suffer and my economy would go to crap. Seen it happen. And on my motorcycle, I would notice the other way as premium has less energy, and my low compression motorcycle runs poorly on it. Just because you wouldn't notice...
Honestly, unless your almost inhuman in disregarding your brain, you'll need to have someone fill up your car without telling you the octane, and then record your observations.
We humans are correlation engines, and it would almost be proof of brain abnormality to not find a correlation, regardless of whether it's there or not.
To do that you have to be able to write to the pump.
Only if the system is fucking ignorant. The pump should get permission to pump from a machine inside the station, under lockdown. The variables regarding pumping are set there, and there's no way to command the pump to use internal values; obviously it will need to store such values internally, but since it will be constantly polling the server for updates, you can't do anything to the pump remotely that will cause it to change its behavior for more than a fraction of a second.
Such a system is still vulnerable to MITM attacks, but only if you have physical access; I would actually put all the pumps on a private network with the station's server, and use the server as a gateway for retrieving the data, in order to minimize the attack surface. I'd also use cryptographic signatures 'twixt pump and server, as a hedge against MITM. Signatures would be stored on flash protected by a second switch, which also controlled firmware update enable. (Probably the system and the signature would be stored on the same memory device anyhow.) The first switch would simply be for enabling configuration settings.
TL;DR: No, fool, there is no need for the pump to be writable
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The pumps in my local petrol station have 4 hoses, marked Regular Unleaded, Premium Unleaded, Regular Diesel and Premium Diesel. I pick up the hose corresponding to the fuel I want. Any other method would lead to cross-contamination of the fuels.
"and has caused ZERO problems"
That you know of. Oil companies are hardly going to tell the world if someone has hacked their systems.
"The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium"
No. The worst that could happen in that instance is someone gets diesel instead of gas or vice verca which is pretty fucking serious and will destroy an engine. Shall we give them your name to come for compensation since you think its no big deal?